BTC $71,807
2026 Bull Run Is Building Start trading with 5% OFF all fees
Sign Up Now
BTC $71,807
Bull Run 2026 | 5% Off Fees Open your Binance account today
Sign Up

Coyote Banking Trojan Exploits Windows UI Automation for Theft

Coyote Banking Trojan Exploits Windows UI Automation to Target Brazilian Financial and Crypto Credentials

  • The Coyote banking trojan is the first Malware known to exploit Windows UI Automation to steal sensitive information.
  • This new variant targets Brazilian users and focuses on credentials from 75 banks and cryptocurrency exchanges.
  • UI Automation, a feature in Microsoft .NET, is used by assistive tools to access desktop interface elements.
  • Akamai researchers found the malware’s tactics are similar to Android banking trojans that use accessibility features.
  • Coyote’s latest update allows data theft to occur both online or offline, increasing its effectiveness.

A new version of the Coyote banking trojan is using a Windows feature called UI Automation to steal user details, according to research published by Akamai on July 23, 2025. The trojan is currently targeting people in Brazil and is able to collect credentials from 75 different financial institutions and cryptocurrency exchanges.

- Advertisement -

Tomer Peled, a security researcher at Akamai, reported that Coyote leverages UI Automation (UIA), a Microsoft .NET Framework component meant to help assistive technology like screen readers. The malware was first revealed by Kaspersky in 2024 and is known for logging keystrokes, taking screenshots, and placing fake login screens over legitimate banking and financial sites.

According to the analysis, UI Automation is designed to allow tools to access user interface elements on the desktop. An earlier proof-of-concept by Akamai showed that this feature could be misused to capture confidential data or run unauthorized code. “The new Coyote variant is targeting Brazilian users, and uses UIA to extract credentials linked to 75 banking institutes’ web addresses and cryptocurrency exchanges,” Peled said in the analysis.

The malware compares the title of the open window with a list of targeted banks and exchanges. If it does not find a match, it uses UI Automation to scan through UI elements like browser tabs or address bars looking for these institutions. The contents found are checked against its hard-coded list of targets. “Without UIA, parsing the sub-elements of another application is a nontrivial task,” Akamai noted.

UI Automation’s official purpose is to provide access to window elements for tools that assist users with disabilities, but Coyote has turned this legitimate feature into a data theft channel. Akamai explained that Coyote can search for bank information both with and without an internet connection, which helps it gather credentials more reliably.

- Advertisement -

Earlier reviews by Fortinet FortiGuard Labs documented Coyote targeting 73 financial institutions, but the latest version now affects 75. This change demonstrates the malware’s continuous development and growing range.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -
Ad
Altseason Is Loading. Don't watch from the sidelines.
SOL $90.51
DOGE $0.0963
LINK $9.02
SUI $1.00
5% off fees when you sign up
Start Trading
Ad
Pay Less on Every Trade. For Life.
$10K/mo volume Save $60/yr
$50K/mo volume Save $300/yr
$100K/mo volume Save $600/yr
5% off all trading fees when you sign up
Claim Your Discount

Latest News

RWAs Overtake Bitcoin as Hyperliquid’s Largest Open Interest

Hyperliquid's RWA perpetuals hit a record $3.6 billion in open interest, overtaking Bitcoin and...

SK Hynix ADR gains vanish in under a day

SK Hynix's ADRs rose 12.7% on Nasdaq debut Friday but the entire gain was...

Binance futures hit 2026 high as spot market lags

Binance recorded $1.6 trillion in futures trading volume in June, its highest level of...

CISA adds two critical Joomla extension flaws to KEV list

U.S. CISA added two maximum-severity Joomla extension flaws to its Known Exploited Vulnerabilities (KEV)...

Russia, India push de-dollarization to hit $100 billion trade target

Russia and India are accelerating a bilateral trade deal to reach a $100 billion...

Must Read

How to Check The Rarity of An NFT

Whenever you invest in an NFT collection, you might have noticed that some NFTs are more expensive than others. NFT collections are often made...
Ad
Altseason Is Loading. These 4 coins are trending right now.
SOL $92.12
DOGE $0.0950
LINK $9.02
SUI $1.02
5% off spot fees when you sign up
Start Trading