A new variant of the banking trojan 'Coyote' has begun abusing a Windows accessibility feature, Microsoft's UI Automation framework, to identify which banking and cryptocurrency exchange sites are accessed on the device for potential credential theft.
Microsoft UIA is a Windows accessibility framework designed to allow assistive technologies to interact with, inspect, and control user interface (UI) elements in applications.
Windows apps expose their UI elements through a UI Automation tree, and the UIA API provides a way to traverse it, query the properties of each element, and interact with it.
Akamai researchers had warned about the possibility of Windows UIA being abused to steal credentials in December 2024, highlighting that the technique evades endpoint detection and response (EDR) protections.
Now, the same researchers report that they have seen attacks leveraging the technique in the wild since February 2025, marking the first real-world case of malware abusing Microsoft UIA for data theft.
Coyote evolution and UIA abuse
Coyote is a banking trojan that attempts to steal credentials for 75 banking and cryptocurrency exchange apps, primarily targeting Brazilian users.
The malware was first documented in February 2024, utilizing tactics such as keylogging and phishing overlays, and has undergone significant development since then.
Akamai reports that, while the latest Coyote variant continues to steal data using traditional methods for hardcoded apps, it has added UIA abuse when the user opens web-based banking or cryptocurrency services in a browser.
If Coyote cannot identify a target via the window title, it uses UIA to extract the web address from within the browser's UI elements (tabs or address bars). Finally, it compares it against a hardcoded list of 75 targeted services.
... continue reading