Coyote Trojan Turns Accessibility Into Attack Surface

Brazil-Targeting Malware Exploits Windows UIA to Evade Detection Rashmi Ramesh (rashmiramesh_) • July 29, 2025

A banking Trojan long confined to Brazil has become the first known malware to exploit Microsoft's UI Automation framework to extract credentials, signaling a new tactic that may evade conventional detection.

See Also: AI, Cloud, and Cyber Threats: A Financial Sector Survival Guide

The latest variant of the Coyote banking Trojan has since February used the accessibility tool to extract login data from users of over 75 Brazilian banks and cryptocurrency exchanges, said researchers at Akamai.

The UIA framework, built to help screen readers and testing tools interact with interface elements, allows applications to inspect and manipulate other programs' UI components such as buttons, text boxes and menus via automation.

Coyote has been circulating in Brazil for at least over a year, primarily targeting Windows systems. Researchers at Fortinet earlier this year ...