Coyote Trojan First to Use Microsoft UI Automation in Bank Attacks
Coyote Trojan becomes first malware to abuse Microsoft’s UI Automation in real attacks, targeting banks and crypto platforms with stealthy tactics.
A new version of the Coyote banking trojan has been spotted, and what’s noticeable about it is not just who it’s targeting, but how it’s going about it. Cybersecurity researchers at Akamai have confirmed that this variant is the first malware seen actively using Microsoft’s UI Automation (UIA) framework to extract banking credentials. It’s a method that had only been a conceptual risk a few months ago.
Back in December 2024, Akamai warned that Microsoft’s UIA, which helps assistive technologies interact with software, could be misused by threat actors. Until now, that concern remained a proof-of-concept. Things changed when Akamai spotted Coyote using UIA in attacks targeting Brazilian users, aiming to extract sensitive information from browser windows tied to banks and cryptocurrency platforms.
This shows that the Coyote trojan is changing how it operates, making it harder to detect and stop. The malware, first detected in February 2024, is known for phishing overlays and keylogging aimed at Latin American financial targets. What makes this variant different is its use of UIA to bypass detection tools such as endpoint detection and response (EDR) software.
Instead of relying on conventional APIs to check which banking site a victim is visiting, Coyote now uses UI Automation. When the active window title doesn’t match any of the malware’s preloaded banking or crypto site addresses, it falls back to a UIA COM object and starts crawling through the sub-elements of the active window, searching for telltale signs of financial activity.
Akamai’s blog post, shared with Hackread.com ahead of publishing on Tuesday, found that Coyote’s hardcoded list includes 75 financial institutions and crypto exchanges. What’s worse, these aren’t just names or URLs. The malware maps them to internal categories, allowing it to prioritise or customise its credential-stuffing attempts. This approach not only increases its chances of hitting the target but also makes it more flexible across browsers and applications.
Normally, an attacker would need detailed knowledge of a specific application’s design. UIA simplifies that process. With this framework, malware can scan the UI of another app, extract content from fields like address bars or input boxes, and use that information to customise attacks or steal login data.
Coyote trojan doesn’t stop at identifying banks. It also sends system details back to its command-and-control infrastructure, including the computer name, username, and browser data. If offline, it still performs many of these checks locally, making it harder to catch through network traffic alone.
According to researchers, the bigger concern here is how UIA could open up new attack paths. Akamai demonstrated this by showing how attackers might not just scrape data but also manipulate UI elements. One proof of concept shows the malware altering a browser’s address bar, then simulating a click to quietly redirect the user to a phishing site, all while looking legitimate on screen.
[Animated GIF: Akamai’s PoC]
On the defensive side, there are ways to catch this kind of abuse. Akamai recommends monitoring for the loading of UIAutomationCore.dll into unfamiliar processes. They also provide osquery commands to flag processes that interact with UIA-related named pipes. These are early warning signs that an attacker may be snooping on the user interface.
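To make the detection guidance above concrete, here is an added example (not code from Akamai or from the article) that applies the two signals described, UIAutomationCore.dll being loaded into an unexpected process and a process talking to a UIA-related named pipe, to a handful of constructed Sysmon-style events (Event ID 7 "Image loaded" and Event ID 18 "Pipe connected"). The baseline list of processes allowed to host UI Automation and the `UIA_PIPE` pipe-name marker are assumptions for the sake of the example; a real deployment would derive both from the environment and from the pipe names Akamai’s osquery queries look for.

```python
"""Flag processes showing UI Automation activity outside an expected baseline.

Events are modelled on Sysmon Event ID 7 (Image loaded) and Event ID 18
(Pipe connected). All sample events below are constructed for this example.
"""
import ntpath
from collections import defaultdict

UIA_DLL = "uiautomationcore.dll"
# Assumed marker for UIA named pipes; replace with the pattern used by the
# osquery checks in your own detection content.
UIA_PIPE_MARKER = "uia_pipe"

# Hypothetical baseline: processes that legitimately host UI Automation on this
# fleet (the shell and built-in assistive technologies). Tune per environment.
EXPECTED_UIA_HOSTS = {
    r"c:\windows\explorer.exe",
    r"c:\windows\system32\narrator.exe",
    r"c:\windows\system32\magnify.exe",
}

# Constructed sample telemetry: two legitimate hosts, one browser loading an
# unrelated DLL, and two unknown binaries in user-writable paths.
SAMPLE_EVENTS = [
    {"EventID": 7, "ProcessId": 1204, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\UIAutomationCore.dll"},
    {"EventID": 7, "ProcessId": 3310, "Image": r"C:\Windows\System32\Narrator.exe",
     "ImageLoaded": r"C:\Windows\System32\UIAutomationCore.dll"},
    {"EventID": 7, "ProcessId": 5520, "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "ImageLoaded": r"C:\Windows\System32\UIAutomationCore.dll"},
    {"EventID": 18, "ProcessId": 5520, "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "PipeName": r"\UIA_PIPE_0000-1234"},
    {"EventID": 7, "ProcessId": 7788, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 18, "ProcessId": 9001, "Image": r"C:\Users\alice\AppData\Roaming\helper.exe",
     "PipeName": r"\UIA_PIPE_0000-9999"},
]


def is_uia_dll_load(event):
    """True for an Image-loaded event whose loaded module is UIAutomationCore.dll."""
    if event.get("EventID") != 7:
        return False
    return ntpath.basename(event.get("ImageLoaded", "")).lower() == UIA_DLL


def is_uia_pipe_connect(event):
    """True for a Pipe-connected event whose pipe name carries the UIA marker."""
    if event.get("EventID") != 18:
        return False
    return UIA_PIPE_MARKER in event.get("PipeName", "").lower()


def find_unexpected_uia_activity(events, expected_hosts=EXPECTED_UIA_HOSTS):
    """Map each non-baseline process image to the sorted list of UIA signals seen.

    A process that both loads the DLL and touches a UIA pipe will carry two
    signals, which is a stronger indication than either alone.
    """
    findings = defaultdict(set)
    for ev in events:
        image = ev.get("Image", "")
        if image.lower() in expected_hosts:
            continue  # known UIA host, nothing to report
        if is_uia_dll_load(ev):
            findings[image].add("loaded UIAutomationCore.dll")
        elif is_uia_pipe_connect(ev):
            findings[image].add("connected to UIA named pipe")
    return {image: sorted(signals) for image, signals in findings.items()}


if __name__ == "__main__":
    for image, signals in find_unexpected_uia_activity(SAMPLE_EVENTS).items():
        severity = "HIGH" if len(signals) > 1 else "MEDIUM"
        print(f"[{severity}] {image}: {', '.join(signals)}")
```

Keying findings on the process image rather than the PID lets repeated launches of the same unknown binary accumulate into one alert, and the allowlist comparison is done on the lowercased full path so a same-named binary dropped into a user-writable directory is not mistaken for the legitimate host.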
Akamai’s threat hunting service has already started scanning environments for such anomalies. According to their report, customers were alerted when suspicious UIA activity was detected.