- The Coyote banking trojan is the first Malware known to exploit Windows UI Automation to steal sensitive information.
- This new variant targets Brazilian users and focuses on credentials from 75 banks and cryptocurrency exchanges.
- UI Automation, a feature in Microsoft .NET, is used by assistive tools to access desktop interface elements.
- Akamai researchers found the malware’s tactics are similar to Android banking trojans that use accessibility features.
- Coyote’s latest update allows data theft to occur both online or offline, increasing its effectiveness.
A new version of the Coyote banking trojan is using a Windows feature called UI Automation to steal user details, according to research published by Akamai on July 23, 2025. The trojan is currently targeting people in Brazil and is able to collect credentials from 75 different financial institutions and cryptocurrency exchanges.
Tomer Peled, a security researcher at Akamai, reported that Coyote leverages UI Automation (UIA), a Microsoft .NET Framework component meant to help assistive technology like screen readers. The malware was first revealed by Kaspersky in 2024 and is known for logging keystrokes, taking screenshots, and placing fake login screens over legitimate banking and financial sites.
According to the analysis, UI Automation is designed to allow tools to access user interface elements on the desktop. An earlier proof-of-concept by Akamai showed that this feature could be misused to capture confidential data or run unauthorized code. “The new Coyote variant is targeting Brazilian users, and uses UIA to extract credentials linked to 75 banking institutes’ web addresses and cryptocurrency exchanges,” Peled said in the analysis.
The malware compares the title of the open window with a list of targeted banks and exchanges. If it does not find a match, it uses UI Automation to scan through UI elements like browser tabs or address bars looking for these institutions. The contents found are checked against its hard-coded list of targets. “Without UIA, parsing the sub-elements of another application is a nontrivial task,” Akamai noted.
UI Automation’s official purpose is to provide access to window elements for tools that assist users with disabilities, but Coyote has turned this legitimate feature into a data theft channel. Akamai explained that Coyote can search for bank information both with and without an internet connection, which helps it gather credentials more reliably.
Earlier reviews by Fortinet FortiGuard Labs documented Coyote targeting 73 financial institutions, but the latest version now affects 75. This change demonstrates the malware’s continuous development and growing range.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- US and UK Retreat From CBDCs, Marking Historic Digital Shift
- Senate Crypto Bill Gives SEC Wide Powers Over Digital Assets
- Solana Nears $200 as Upexi Increases Holdings, Analyst Eyes $500
- Cardano (ADA) Eyes $5 Milestone as Bullish Momentum Builds
- Japan’s Kitabo to Buy $5.4M in Bitcoin as Corporate Trend Grows
