Key Takeaways:
- A new variant of the Coyote banking trojan is the first known malware to abuse Microsoft’s UI Automation (UIA) framework to extract financial data.
- The malware scans user interface elements across active windows to identify logins to 75+ banks and crypto platforms.
- Coyote’s expanded capabilities allow it to evade endpoint detection tools by mimicking accessibility functions.
- The malware is active primarily in Brazil but is compatible with all Windows versions from XP to 11, raising global concern.
- Security experts recommend monitoring for suspicious UIA activity and updating detection systems to recognize this abuse vector.
A newly uncovered variant of the Coyote banking trojan is raising alarm across the cybersecurity community due to its unprecedented use of Microsoft’s UI Automation (UIA) framework to steal financial credentials. In what researchers describe as the first documented case of UIA abuse in the wild, the malware leverages accessibility APIs intended for assistive technologies to stealthily extract sensitive login data from users of online banks and cryptocurrency exchanges.
First discovered in Brazil in 2024, Coyote has steadily evolved from a conventional keylogger and phishing trojan into a sophisticated threat capable of bypassing traditional endpoint detection and response (EDR) mechanisms. The latest version, identified by researchers at Akamai, signals a significant escalation in both technical innovation and stealth.
UIA is part of Microsoft’s .NET Framework and is designed to help accessibility tools like screen readers interact with application elements. Coyote exploits this framework by querying and analyzing the UI structure of windows in real time, even when no visible text fields or login forms are detected. This allows it to identify financial apps and websites even if their names aren’t explicitly visible, making it far more difficult to detect or block using simple rule-based tools.
The malware begins its reconnaissance by using the Windows API call GetForegroundWindow() to determine which window is active. It then performs a standard check against a list of known target domains. If it fails to find a match, it proceeds to use UIA to inspect the active window’s internal elements—child windows, labels, input fields, and other components—until it locates indicators of banking or cryptocurrency applications.
Akamai’s security researcher Tomer Peled emphasized the novelty and risk of this technique. “Without UIA, parsing the sub-elements of another application is a nontrivial task,” Peled explained. “Coyote can perform checks, regardless of whether the malware is online or operating in an offline mode. This increases the chances of successfully identifying a victim’s bank or crypto exchange and stealing their credentials.”
The malware’s scope is extensive. Researchers confirmed that the latest variant targets more than 75 financial platforms, including mainstream banks and popular cryptocurrency exchanges. Once a relevant application or browser tab is detected, Coyote initiates credential theft operations using familiar techniques like keylogging, screenshot capture, and phishing overlays. But it’s the stealth and precision enabled by UIA that make this variant particularly dangerous.
By using legitimate Windows components intended for accessibility, Coyote masks its activity as benign system behavior. Most antivirus and EDR solutions do not currently flag UIA-related API usage as suspicious, making this approach an effective method for evading behavioral detection models.
Security vendors are now urging organizations to update their detection systems to include monitoring for unusual UIA behavior. This includes tracking COM object creation tied to UIA components, monitoring for high-frequency window enumeration, and flagging applications that repeatedly inspect child UI elements without a legitimate accessibility purpose.
This attack method mirrors a broader trend in malware development: the weaponization of legitimate operating system features. Just as Android malware has long abused accessibility APIs to gain deep control of user devices, the abuse of Windows UIA shows that desktop malware authors are adopting similar strategies. It also reflects how fast threat actors are operationalizing new research. Public proof-of-concept attacks on UIA were shared only months ago, and Coyote has already adopted them for live deployment.
The malware remains heavily concentrated in Brazil, where it is being distributed through phishing campaigns and third-party installers. However, the platform-agnostic nature of UIA and the malware’s compatibility with Windows XP through Windows 11 suggest that global expansion is likely. As financial institutions continue investing in digital transformation, attackers are looking for new ways to circumvent security measures—and UIA abuse gives them a reliable entry point.
Security experts also point out that UIA is not easily disabled, especially in enterprise environments where accessibility requirements must be met for compliance reasons. That makes behavioral detection and user education critical parts of any mitigation strategy.
Akamai’s recommendations for defending against Coyote include:
- Updating endpoint detection rules to track abnormal UIA usage patterns, particularly those involving foreground window analysis and deep child element enumeration
- Flagging processes that combine accessibility queries with other known malicious behaviors, such as screen capture or keystroke logging
- Educating users about the risks of downloading unknown software or falling for phishing attempts that may serve as Coyote’s delivery vector
- Monitoring network traffic for indicators of command-and-control activity tied to credential theft and data exfiltration
In addition to its technical sophistication, Coyote’s use of UIA raises important policy questions. If accessibility tools can be turned against users, should frameworks like UIA be restricted or monitored more aggressively? What safeguards are needed to ensure that features designed to increase usability do not become systemic vulnerabilities?
These are questions the cybersecurity industry will need to address quickly, especially as more malware authors follow Coyote’s lead. With this latest evolution, Coyote joins a growing class of threats that blur the line between utility and exploitation—where even tools designed to help users can be subverted into attack surfaces.
Coyote’s UIA-based approach is a wake-up call for defenders. While signature-based detection can identify known threats, this kind of tactic requires deeper visibility and faster behavioral response. The next phase of cybersecurity may hinge not only on knowing what malware does, but how it uses the operating system itself as camouflage.
Learn how AI Agents can supercharge your company’s profits and productivity at TMC’s AI Agent Event, Sept 29-30, 2025 in DC.
If you liked this post, you’ll love one of the the leading global business communications and technology events since 1999, the ITEXPO #TECHSUPERSHOW, Feb 10-12, 2026 Fort Lauderdale, Florida.
Don’t forget the collocated MSP Expo – just for managed service providers!
Aside from his role as CEO of TMC and chairman of ITEXPO #TECHSUPERSHOW Feb 10-12, 2026, Rich Tehrani is CEO of RT Advisors and a Registered Representative (investment banker) with and offering securities through Four Points Capital Partners LLC (Four Points) (Member FINRA/SIPC). He handles capital/debt raises as well as M&A. RT Advisors is not owned by Four Points.
The above is not an endorsement or recommendation to buy/sell any security or sector mentioned. No companies mentioned above are current or past clients of RT Advisors.
The views and opinions expressed above are those of the participants. While believed to be reliable, the information has not been independently verified for accuracy. Any broad, general statements made herein are provided for context only and should not be construed as exhaustive or universally applicable.
Portions of this article may have been developed with the assistance of artificial intelligence, which may have contributed to ideation, content generation, factual review, or editing






