A brand new variant of the banking trojan ‘Coyote’ has begun abusing a Home windows accessibility characteristic, Microsoft’s UI Automation framework, to determine which banking and cryptocurrency change websites are accessed on the system for potential credential theft.
Microsoft UIA is a Home windows accessibility framework designed to permit assistive applied sciences to work together with, examine, and management consumer interface (UI) components in functions.
Home windows apps expose their UI components by way of a UI Automation tree, and the UIA API gives a approach to traverse it, question the properties of every ingredient, and work together with it.
Akamai researchers had warned about the potential for Home windows UIA being abused to steal credentials in December 2024, highlighting that the method evades endpoint detection and response (EDR) protections.
Now, the identical researchers report that they’ve seen assaults leveraging the method within the wild since February 2025, marking the primary real-world case of malware abusing Microsoft UIA for knowledge theft.
Coyote evolution and UIA abuse
Coyote is a banking trojan that makes an attempt to steal credentials for 75 banking and cryptocurrency change apps, primarily concentrating on Brazilian customers.
The malware was first documented in February 2024, using techniques equivalent to keylogging and phishing overlays, and has undergone important growth since then.
Akamai stories that, whereas the newest Coyote variant continues to steal knowledge utilizing conventional strategies for hardcoded apps, it has added UIA abuse when the consumer opens web-based banking or cryptocurrency companies in a browser.
If Coyote can not determine a goal by way of the window title, it makes use of UIA to extract the online deal with from throughout the browser’s UI components (tabs or deal with bars). Lastly, it compares it towards a hardcoded listing of 75 focused companies.
“If no match is discovered, Coyote will then use UIA to parse by way of the UI little one components of the window in an try to determine browser tabs or deal with bars,” explains Akamai within the report.
“The content material of those UI components will then be cross-referenced with the identical listing of addresses from the primary comparability.”
A number of the banks and exchanges which can be recognized utilizing this technique are Banco do Brasil, CaixaBank, Banco Bradesco, Santander, Unique financial institution, Sicredi, Banco do Nordeste, Expanse apps, and Cryptocurrency (Binance, Electrum, Bitcoin, Foxbit, and others).
Though the abuse of this Home windows accessibility characteristic stops on the reconnaissance part, Akamai shared a proof-of-concept demonstration of how UIA can be abused to steal inputted credentials for these websites.
Supply: Akamai
BleepingComputer has contacted Microsoft to ask in regards to the potential introduction of safeguards to cease the abuse of UIA on Home windows, however a remark wasn’t instantly obtainable.
Accessibility methods are designed to be highly effective, permitting folks with disabilities to totally make the most of the capabilities of their units. Nevertheless, this energy additionally invitations malicious use.
In Android, this downside has taken large proportions, with malware abusing Accessibility Providers extensively. Over time, Google has applied a number of measures to handle this subject.
Include rising threats in actual time – earlier than they affect your online business.
Learn the way cloud detection and response (CDR) offers safety groups the sting they want on this sensible, no-nonsense information.
