The Windows-based banking trojan Coyote has become the first known malware to abuse the Windows UI Automation (UIA) framework to steal sensitive financial data, according to new findings from Akamai Security Labs. The latest variant is primarily targeting Brazilian users, aiming to extract login credentials tied to 75 banking websites and cryptocurrency exchanges.
“The new Coyote variant is targeting Brazilian users, and uses UIA to extract credentials linked to 75 banking institutes’ web addresses and cryptocurrency exchanges,” said Akamai researcher Tomer Peled in a detailed analysis.
Coyote, which first surfaced in 2024 as reported by Kaspersky, is already known for a range of capabilities such as keylogging, screen capture, and displaying fraudulent overlays on login portals of financial platforms. Its latest development leverages Microsoft UI Automation, a legitimate Windows accessibility framework (exposed to managed code through the .NET System.Windows.Automation namespace and to native code through COM), to read and interact with the user interface elements of other applications.
The abuse of UIA for malicious purposes was originally demonstrated as a proof-of-concept by Akamai in December 2024, which warned that the framework could be manipulated to steal credentials or even execute arbitrary code. While similar methods have been observed in Android banking trojans that misuse accessibility services, this marks a significant evolution for Windows-based threats.
The malware uses the GetForegroundWindow() API to determine the active window and checks the window title against a hard-coded list of known financial and crypto-related URLs. “If no match is found, Coyote will then use UIA to parse through the UI child elements of the window in an attempt to identify browser tabs or address bars,” Peled explained. “The content of these UI elements will then be cross-referenced with the same list of addresses from the first comparison.”
“Without UIA, parsing the sub-elements of another application is a nontrivial task,” Akamai added. “To be able to effectively read the contents of sub-elements within another application, a developer would need to have a very good understanding of how the specific target application is structured.”
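As an added illustration of the two-stage check described above, the Windows PowerShell 5.1 script below performs the same walk: GetForegroundWindow, a title comparison against a list, and, when that fails, a UIA search of the window's descendants for Edit (address bar) and TabItem (browser tab) controls whose text is compared against the same list. This is not Coyote's code and not Akamai's proof of concept; the $Targets list is a constructed placeholder standing in for the real 75-entry list, and Test-ListMatch is a helper name chosen for this example.

```powershell
# Added example for this page: reproduces the title-then-UIA lookup described in the
# article against your own foreground window. Not Coyote's code, not Akamai's PoC.
# Requires Windows PowerShell 5.1 (the UIAutomationClient assembly is .NET Framework).
Add-Type -AssemblyName UIAutomationClient
Add-Type -AssemblyName UIAutomationTypes

# P/Invoke for GetForegroundWindow, the Win32 call named in the article.
$User32 = Add-Type -Namespace Win32 -Name User32 -PassThru -MemberDefinition @'
[DllImport("user32.dll")]
public static extern IntPtr GetForegroundWindow();
'@

# Constructed stand-in for the hard-coded list of bank/exchange addresses (assumption).
$Targets = @('bank.example', 'exchange.example')

function Test-ListMatch([string]$Text) {
    # Case-insensitive substring comparison of a window title or URL against the list.
    foreach ($t in $Targets) {
        if ($Text -and $Text.IndexOf($t, [StringComparison]::OrdinalIgnoreCase) -ge 0) { return $t }
    }
    return $null
}

# Give yourself time to bring a browser window to the foreground.
Start-Sleep -Seconds 3
$hwnd  = [Win32.User32]::GetForegroundWindow()
$root  = [System.Windows.Automation.AutomationElement]::FromHandle($hwnd)
$title = $root.Current.Name

# Stage 1: the window title alone.
$hit = Test-ListMatch $title
if ($hit) { "stage 1 hit: title '$title' matches $hit"; return }

# Stage 2: no title match, so enumerate descendants that look like an address bar
# (ControlType.Edit) or a tab (ControlType.TabItem) and compare their text.
$ae     = [System.Windows.Automation.AutomationElement]
$isEdit = [System.Windows.Automation.PropertyCondition]::new($ae::ControlTypeProperty, [System.Windows.Automation.ControlType]::Edit)
$isTab  = [System.Windows.Automation.PropertyCondition]::new($ae::ControlTypeProperty, [System.Windows.Automation.ControlType]::TabItem)
$cond   = [System.Windows.Automation.OrCondition]::new($isEdit, $isTab)

foreach ($el in $root.FindAll([System.Windows.Automation.TreeScope]::Descendants, $cond)) {
    $texts = @($el.Current.Name)
    # An Edit control such as the address bar exposes its contents through ValuePattern.
    $vp = $null
    if ($el.TryGetCurrentPattern([System.Windows.Automation.ValuePattern]::Pattern, [ref]$vp)) {
        $texts += $vp.Current.Value
    }
    foreach ($txt in $texts) {
        $hit = Test-ListMatch $txt
        if ($hit) {
            "stage 2 hit: $($el.Current.ControlType.ProgrammaticName) '$txt' matches $hit"
            return
        }
    }
}
"no match in window '$title'"
```

Run it, switch to a browser within three seconds, and put one of the placeholder hosts in the address bar to see the second stage fire. On Chromium-based browsers the address bar is exposed as an Edit control whose ValuePattern holds the current URL, so the script needs no knowledge of the browser's internal layout, which is the point Akamai makes above about UIA removing the need to understand the target application's structure.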
Akamai also noted that Coyote functions in both online and offline modes, increasing its ability to detect targeted platforms and harvest credentials regardless of internet connectivity. With the number of targeted institutions now at 75, up from 73 reported by Fortinet earlier this year, the malware continues to evolve in both scope and sophistication.