
Coyote Malware Variant

The Windows banking trojan known as Coyote has emerged as the first malware strain observed abusing the Windows accessibility framework, UI Automation (UIA), to steal sensitive user data. Initially exposed by cybersecurity researchers in 2024, Coyote is primarily targeting Brazilian users and has evolved to integrate a novel technique that leverages UIA to harvest credentials tied to a wide range of banking and cryptocurrency platforms.

Legitimate Tools Turned Malicious

UIA is part of the Microsoft .NET Framework and was originally designed to help assistive technologies, such as screen readers, interact with user interface elements in desktop applications. However, its capabilities have proven to be a double-edged sword. In December 2024, security experts presented a proof-of-concept demonstrating that UIA could be abused for data theft and unauthorized code execution.

Now, Coyote has put theory into practice. Similar to Android banking trojans that misuse accessibility services to capture sensitive information, Coyote manipulates UIA to navigate application elements and extract valuable credentials.

How Coyote Hunts for Data

The trojan begins its data-harvesting process by using the GetForegroundWindow() Windows API to determine which window is currently active. It then compares the title of that window against a hard-coded list containing the web addresses of 75 targeted banks and cryptocurrency exchanges, a number that has grown from 73 targets in early 2025.

If the window title fails to match any entry on the list, Coyote switches tactics: it uses UIA to walk the child elements of the active window’s interface, looking for browser tabs or address bars, and checks the content of those UI elements against the same target list.

Expanding Capabilities and Stealth Features

Coyote is equipped with additional surveillance functions, including:

  • Keystroke logging to intercept typed credentials
  • Screenshot capturing to visually record user activity
  • Overlay attacks that mimic legitimate banking login pages

Moreover, the malware functions effectively in both online and offline modes, ensuring its credential-harvesting mechanisms remain operational regardless of connectivity. This flexibility enhances its persistence and widens the range of conditions under which it can steal data.

Why UIA is a Game-Changer for Malware Developers

Ordinarily, accessing sub-elements within another application is complex, requiring an in-depth understanding of how the target software is structured. By exploiting UIA, Coyote circumvents this barrier, gaining deep visibility into applications’ internal UI components with minimal effort. This ability significantly increases the success rate of credential theft.

The Growing Threat to Financial Data

The adoption of UI Automation by malware like Coyote marks a troubling evolution in how legitimate system features are being weaponized. With 75 financial institutions already in its crosshairs and a steadily advancing attack methodology, Coyote highlights the urgent need for improved monitoring and defensive mechanisms against accessibility framework abuse.
