Coyote Trojan First to Use Microsoft UI Automation in Bank Attacks

A new version of the Coyote banking trojan has been spotted, and what’s noticeable about it is not just who it’s targeting, but how it’s going about it. Cybersecurity researchers at Akamai have confirmed that this variant is the first malware seen actively using Microsoft’s UI Automation (UIA) framework to extract banking credentials. It’s a method that had only been a conceptual risk a few months ago.

Back in December 2024, Akamai warned that Microsoft’s UIA, which helps assistive technologies interact with software, could be misused by threat actors. Until now, that concern remained a proof-of-concept. Things changed when Akamai spotted Coyote using UIA in attacks targeting Brazilian users, aiming to extract sensitive information from browser windows tied to banks and cryptocurrency platforms.

This shows that Coyote trojan is changing the way it operates, making it harder to detect and stop. The malware, first ...