Banking Trojan “Coyote” Steals Data by Mimicking UI Interactions
A new variant of the Coyote banking Trojan is actively exploiting Windows accessibility features—specifically, the Microsoft UI Automation (UIA) framework—to detect when users visit banking or cryptocurrency exchange websites and steal their login credentials.
How Microsoft UI Automation Is Being Abused
Microsoft UIA is an accessibility framework designed to help assistive technologies interact with Windows applications. It allows external tools to read interface elements, track changes, and simulate user actions by navigating a structured UI Automation tree.
While intended for accessibility, security researchers have long warned that UIA could be misused. In December 2024, Akamai researchers highlighted that UIA could be abused to bypass endpoint detection and response (EDR) protections, even on legacy systems like Windows XP.
That prediction has now materialized. Since February 2025, attackers have been using this technique in the wild—marking the first known instance of malware weaponizing UIA for credential theft.
Evolution of the Coyote Trojan
Coyote has been active since February 2024, initially targeting Brazilian users through traditional techniques like keylogging and phishing overlays. The original version targeted 75 financial applications—both banks and crypto platforms.
The latest variant maintains those capabilities but adds UIA exploitation for deeper stealth and broader reconnaissance.
How the Attack Works
Step 1: Target Identification
If Coyote can't detect a banking site via window title, it turns to UIA. By navigating browser UI elements (such as tabs or the address bar), it can extract the actual URL.
It then checks the URL against a hardcoded list of 75 financial services, including:
- Banks: Banco do Brasil, CaixaBank, Santander, Bradesco, Sicredi
- Crypto Exchanges: Binance, Electrum, Bitcoin, Foxbit
Step 2: Credential Theft (Potential)
So far, the Trojan uses UIA for reconnaissance, but Akamai researchers demonstrated that it could go further—by reading sensitive fields directly through accessibility APIs.
“Parsing nested UI elements without UIA is complex—it requires deep knowledge of the target app. Coyote can perform these checks offline or online, increasing its success rate,” Akamai noted.
A Cross-Platform Trend Emerges
Security experts emphasize that abuse of accessibility APIs has long plagued Android devices (via Accessibility Services). Now, the same problem is migrating to desktop platforms, particularly Windows, as attackers adapt legitimate frameworks for malicious purposes.

Key Takeaways
- Coyote Trojan now abuses Microsoft’s UI Automation (UIA) to spy on users visiting banking and crypto websites.
- It targets 75+ financial platforms, primarily in Brazil, by extracting URLs from browser interface elements.
- This is the first documented case of malware weaponizing UIA—though researchers warned of this scenario in late 2024.
- The technique evades EDR solutions and functions on all Windows versions, including Windows XP.
- Similar API abuse is rampant on Android, indicating a growing cross-platform threat.
Recommendations
- Monitor for unusual UIA activity, especially from unauthorized processes.
- Restrict unnecessary accessibility permissions on endpoints.
- Educate users about banking Trojans, even those that don’t rely on traditional phishing methods.
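One way to act on the first recommendation, shown as an added example that is not from the original article or from Akamai: triage image-load telemetry for processes that load the UIA library `UIAutomationCore.dll` without being expected to. It assumes Sysmon Event ID 7 (image loaded) logging is enabled; the allowlist, the path heuristics and the sample events are constructed for illustration.

```python
import ntpath

# Assumed allowlist: processes expected to load the UIA library on this fleet.
ALLOWED_IMAGES = {
    r"c:\windows\system32\narrator.exe",
    r"c:\windows\system32\magnify.exe",
    r"c:\windows\explorer.exe",
}
# Assumed heuristic: binaries under user-writable locations are higher risk.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# Constructed sample records shaped like Sysmon Event ID 7 (Image loaded) fields.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\Narrator.exe",
     "ImageLoaded": r"C:\Windows\System32\UIAutomationCore.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Users\ana\AppData\Local\Temp\updater.exe",
     "ImageLoaded": r"C:\Windows\System32\UIAutomationCore.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\helper.exe",
     "ImageLoaded": r"C:\Windows\System32\UIAutomationCore.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Users\ana\AppData\Local\Temp\updater.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "false"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe"},
]

def triage_uia_loads(events, allowed=ALLOWED_IMAGES):
    """Return (severity, image, reasons) for non-allowlisted UIAutomationCore.dll loads."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue  # only image-load events are relevant
        loaded = ntpath.basename(ev.get("ImageLoaded", "")).lower()
        if loaded != "uiautomationcore.dll":
            continue
        image = ev.get("Image", "").lower()
        if image in allowed:
            continue  # expected assistive or shell process
        reasons = ["not in UIA allowlist"]
        if any(marker in image for marker in USER_WRITABLE_MARKERS):
            reasons.append("runs from user-writable path")
        if ev.get("Signed", "false").lower() != "true":
            reasons.append("unsigned image")
        severity = "high" if len(reasons) > 1 else "review"
        findings.append((severity, image, reasons))
    return findings

if __name__ == "__main__":
    for severity, image, reasons in triage_uia_loads(SAMPLE_EVENTS):
        print(f"[{severity}] {image}: {', '.join(reasons)}")
```

Many legitimate applications load this library, so the allowlist needs to be built from a baseline of the environment before the output is useful as an alert.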