Edward Kiledjian's Threat Intel

Coyote Trojan First to Use Microsoft UI Automation in Bank Attacks

Akamai researchers have identified a new Coyote banking trojan variant that represents the first observed malware actively exploiting Microsoft’s UI Automation framework to extract banking credentials. Previously a theoretical threat discussed in December 2024, the technique enables Coyote to bypass traditional detection methods by scanning user interfaces rather than relying on conventional APIs. The malware targets Brazilian users and maintains a hardcoded list of 75 financial institutions and cryptocurrency exchanges, using UIA’s accessibility features to crawl through active window elements and identify financial activity. This approach allows the trojan to operate across different browsers and applications whilst evading endpoint detection systems. Beyond credential theft, the malware transmits system information to command-and-control servers and can manipulate UI elements, potentially redirecting users to phishing sites through address bar alterations. Akamai recommends monitoring for UIAutomationCore.dll loading in unfamiliar processes and provides detection queries for identifying suspicious UIA activity through named pipe interactions.
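The DLL-load monitoring recommended above, as an added example that is not Akamai's query or code from this page: it scans Sysmon Event ID 7 (ImageLoad) records for UIAutomationCore.dll loaded by processes outside a baseline. The sample events, the `BASELINE` allowlist and the function name are constructed assumptions; a real baseline has to be built from the environment's own telemetry.

```python
import json
from ntpath import basename, normcase  # Windows path rules on any OS

UIA_DLL = "uiautomationcore.dll"

# Assumed site baseline: processes expected to load UI Automation here.
BASELINE = {
    r"C:\Windows\System32\Narrator.exe",
    r"C:\Windows\explorer.exe",
}

# Constructed Sysmon ImageLoad/ProcessCreate records (hosts, PIDs, paths made up).
SAMPLE_EVENTS = r"""
{"EventID": 7, "Computer": "WS-01", "ProcessId": 4312, "Image": "C:\\Windows\\System32\\Narrator.exe", "ImageLoaded": "C:\\Windows\\System32\\UIAutomationCore.dll"}
{"EventID": 7, "Computer": "WS-01", "ProcessId": 1500, "Image": "c:\\WINDOWS\\EXPLORER.EXE", "ImageLoaded": "C:\\WINDOWS\\SYSTEM32\\uiautomationcore.DLL"}
{"EventID": 7, "Computer": "WS-02", "ProcessId": 7788, "Image": "C:\\Users\\ana\\AppData\\Roaming\\updater.exe", "ImageLoaded": "C:\\Windows\\System32\\UIAutomationCore.dll"}
{"EventID": 7, "Computer": "WS-02", "ProcessId": 7790, "Image": "C:\\Users\\ana\\AppData\\Roaming\\updater.exe", "ImageLoaded": "C:\\Windows\\System32\\UIAutomationCore.dll"}
{"EventID": 7, "Computer": "WS-02", "ProcessId": 7788, "Image": "C:\\Users\\ana\\AppData\\Roaming\\updater.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"}
{"EventID": 1, "Computer": "WS-02", "ProcessId": 7788, "Image": "C:\\Users\\ana\\AppData\\Roaming\\updater.exe"}
"""

def unfamiliar_uia_loaders(lines, baseline):
    """Return one finding per (host, image) that loads the UIA DLL off-baseline."""
    known = {normcase(p) for p in baseline}
    seen, findings = set(), []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 7:          # only ImageLoad events
            continue
        if normcase(basename(ev.get("ImageLoaded", ""))) != UIA_DLL:
            continue
        image = normcase(ev.get("Image", ""))
        key = (ev.get("Computer"), image)
        if image in known or key in seen:   # baseline hit or already reported
            continue
        seen.add(key)
        findings.append({"host": ev.get("Computer"),
                         "image": ev.get("Image"),
                         "pid": ev.get("ProcessId")})
    return findings

if __name__ == "__main__":
    for f in unfamiliar_uia_loaders(SAMPLE_EVENTS.splitlines(), BASELINE):
        print(f"{f['host']}: {f['image']} (pid {f['pid']}) loaded {UIA_DLL}")
```

A hit is a triage lead rather than a verdict, since legitimate accessibility and test-automation tools also load this DLL.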