
First Malware Using UIA for Credential Theft
The notorious Windows banking trojan Coyote has evolved into the first known malware strain to exploit Windows UI Automation (UIA), a legitimate accessibility framework, to steal sensitive banking credentials.
“The new Coyote variant is targeting Brazilian users and leverages UIA to extract credentials tied to 75 financial institutions and cryptocurrency exchanges,” said a security researcher.
Coyote’s Background and Capabilities
First identified by Kaspersky in February 2024, Coyote has wreaked havoc across Latin America, especially Brazil. The malware is capable of:
- Keylogging keystrokes
- Capturing screenshots
- Injecting phishing overlays on login pages
The trojan propagates using the Squirrel installer, which inspired its name “Coyote” as a nod to the predator-prey relationship.
In 2024, Fortinet FortiGuard Labs documented how Coyote infiltrated Brazilian companies, deploying information-stealing Remote Access Trojans (RATs). A subsequent deep-dive report published in January 2025 revealed its technical inner workings and modular attack chain.
What Is Windows UI Automation (UIA)?
UIA is a feature of the Microsoft .NET Framework designed for accessibility tools like screen readers. It enables applications to programmatically access and interact with user interface (UI) elements.
While intended for legitimate accessibility purposes, a security researcher demonstrated in a December 2024 proof-of-concept (PoC) that UIA could be abused to steal credentials or execute code, warning that attackers might soon weaponize this vector—exactly what Coyote has now done.
How the New Variant Operates
The new Coyote variant closely mirrors the tactics of Android banking trojans that exploit OS-level accessibility services to harvest sensitive data. The researcher’s latest analysis revealed the following attack steps:
- Foreground Window Monitoring: The malware calls the GetForegroundWindow() API to determine the active window title.
- Bank/Exchange Matching: It compares the window title against a hardcoded list of 75 targeted banking and crypto sites (up from 73 targets documented in January 2025).
- UIA Parsing: If no direct match is found, Coyote uses UIA to enumerate UI child elements, scanning for browser tabs or address bars that might reveal targeted financial domains.
- Offline Credential Harvesting: Even in offline mode, Coyote performs these checks, increasing its chances of identifying a victim’s financial service and stealing credentials.
Why UIA Makes Coyote More Dangerous
According to the researcher:
“Without UIA, parsing the sub-elements of another application is a non-trivial task. A developer would require deep knowledge of the target application’s architecture.”
By abusing UIA, Coyote bypasses these limitations, enabling real-time data extraction with minimal friction. This method also enhances stealth, as the malware does not rely solely on traditional browser injection techniques, making detection harder.
Defense Strategies Against Coyote
To protect against this evolving threat, organizations and users should:
- Monitor UI Automation access for unusual activity
- Use behavioral-based detection tools that can flag suspicious API calls like GetForegroundWindow()
- Regularly update Windows and .NET Framework to patch potential exploit vectors
- Deploy endpoint detection and response (EDR) solutions capable of spotting credential-harvesting malware
- Exercise caution with unknown installers (such as Squirrel-based packages)
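As an added example (not code from the article or from any vendor), the following Python script illustrates the "monitor UI Automation access" recommendation: it scans image-load telemetry for processes that load the UI Automation core library, UIAutomationCore.dll, and flags any that are not on an allowlist of known accessibility tools, ranking unsigned or user-writable-path images highest. The log lines are constructed in a simplified Sysmon Event ID 7 (ImageLoaded) key="value" layout, and the allowlist and file paths are assumptions to tune per environment.

```python
import re

UIA_LIB = "uiautomationcore.dll"  # UI Automation core library loaded by UIA clients
# Assumed allowlist of legitimate accessibility clients; extend for your environment.
ALLOWLIST = {r"c:\windows\system32\narrator.exe"}
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_event(line):
    """Turn a 'Key="value" ...' line into a dict; None unless it is an image-load (ID 7) event."""
    fields = dict(FIELD_RE.findall(line))
    return fields if fields.get("EventID") == "7" else None

def classify(event):
    """Return (severity, reason) when a non-allowlisted process loads the UIA library, else None."""
    loaded = event.get("ImageLoaded", "").lower()
    if not loaded.endswith(UIA_LIB):
        return None
    image = event.get("Image", "").lower()
    if image in ALLOWLIST:
        return None
    if event.get("Signed", "").lower() != "true":
        return ("high", f"unsigned {image} loaded {UIA_LIB}")
    if any(p in image for p in ("\\users\\", "\\temp\\", "\\appdata\\")):
        return ("medium", f"user-writable path {image} loaded {UIA_LIB}")
    return ("low", f"{image} loaded {UIA_LIB}; confirm it is an accessibility tool")

def scan(lines):
    """Return [(severity, reason, ProcessId), ...] for every suspicious event in the log."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        verdict = classify(event)
        if verdict:
            hits.append((verdict[0], verdict[1], event.get("ProcessId")))
    return hits

# Constructed sample events (not real telemetry); paths and PIDs are illustrative.
SAMPLE_LOG = [
    'EventID="7" Image="C:\\Windows\\System32\\narrator.exe" ImageLoaded="C:\\Windows\\System32\\UIAutomationCore.dll" Signed="true" ProcessId="1204"',
    'EventID="7" Image="C:\\Users\\ana\\AppData\\Local\\Temp\\update.exe" ImageLoaded="C:\\Windows\\System32\\UIAutomationCore.dll" Signed="false" ProcessId="4412"',
    'EventID="1" Image="C:\\Windows\\System32\\cmd.exe" ProcessId="5000"',
    'EventID="7" Image="C:\\Program Files\\Vendor\\app.exe" ImageLoaded="C:\\Windows\\System32\\UIAutomationCore.dll" Signed="true" ProcessId="2200"',
]

if __name__ == "__main__":
    for severity, reason, pid in scan(SAMPLE_LOG):
        print(f"[{severity}] pid={pid}: {reason}")
```

Legitimate screen readers, some browsers and .NET applications also load this library, so treat the "low" tier as a triage queue rather than an alert, and pair it with the GetForegroundWindow() monitoring the list above recommends.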
Coyote’s Future Impact
The rise of UIA-based malware signals a new frontier in Windows malware development. As attackers increasingly target accessibility features, security teams must expand their focus beyond conventional threat vectors. With its combination of keylogging, phishing overlays, and UIA parsing, Coyote may inspire copycat campaigns targeting global banking users, not just in Brazil.
Sleep well, we got you covered.
