- Coyote banking trojan is the first malware to exploit Microsoft's UI Automation (UIA) framework, targeting Brazilian users and stealing credentials from 75 banking and cryptocurrency sites.
- The malware can log keystrokes, capture screenshots, and overlay login pages, enhancing its stealth and effectiveness in credential theft.
- Akamai researchers initially identified the potential for UIA abuse in December 2024, with active exploitation confirmed in 2025.
- No specific CVEs have been reported, but organizations should be aware of the risk posed by the UIA framework in their environments.
- Immediate actions include monitoring for unusual UI interactions, educating users on phishing tactics, and implementing endpoint protection solutions.

The Coyote banking trojan has emerged as a significant threat by exploiting Microsoft's UI Automation (UIA) framework to harvest login credentials from Brazilian banking and cryptocurrency platforms. It also uses keystroke logging and UI overlays, which makes it particularly dangerous. Organizations must be vigilant, as no patches are currently available for the UIA framework. Security teams should focus on monitoring user interface interactions, educating users about phishing risks, and deploying endpoint protection to mitigate this evolving threat.
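
One way to start on the "monitoring for unusual UI interactions" action, as an added example that is not part of the original summary: UIA clients normally load the Windows component `UIAutomationCore.dll`, so image-load telemetry can surface processes that are not expected to use UIA. The Sysmon-style JSON records, the allowlist and the path list below are constructed assumptions and need a per-environment baseline.

```python
import json
from pathlib import PureWindowsPath

UIA_DLL = "uiautomationcore.dll"
# Assumption: processes expected to use UIA on this fleet; build from a baseline.
EXPECTED_UIA_CLIENTS = {"narrator.exe", "magnify.exe"}
# Assumption: user-writable locations where a UIA client is unusual.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

# Constructed sample records shaped like Sysmon Event ID 7 (ImageLoad) exports.
SAMPLE_EVENTS = r"""
{"EventID": 7, "Image": "C:\\Windows\\System32\\Narrator.exe", "ImageLoaded": "C:\\Windows\\System32\\UIAutomationCore.dll", "Signed": "true"}
{"EventID": 7, "Image": "C:\\Users\\ana\\AppData\\Roaming\\upd\\helper.exe", "ImageLoaded": "C:\\Windows\\System32\\UIAutomationCore.dll", "Signed": "false"}
{"EventID": 7, "Image": "C:\\Program Files\\Example\\reporting.exe", "ImageLoaded": "C:\\Windows\\System32\\UIAutomationCore.dll", "Signed": "true"}
{"EventID": 7, "Image": "C:\\Users\\ana\\AppData\\Local\\Temp\\setup.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "false"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe"}
"""

def triage_uia_loads(lines):
    """Return (image, severity) for unexpected processes loading the UIA core DLL."""
    findings = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines rather than abort
        if ev.get("EventID") != 7:
            continue  # only image-load events are relevant here
        loaded = PureWindowsPath(ev.get("ImageLoaded", "")).name.lower()
        image = ev.get("Image", "")
        if loaded != UIA_DLL or PureWindowsPath(image).name.lower() in EXPECTED_UIA_CLIENTS:
            continue
        # Unsigned binaries or binaries in user-writable paths rank higher.
        risky_path = any(p in image.lower() for p in USER_WRITABLE)
        unsigned = str(ev.get("Signed", "")).lower() != "true"
        findings.append((image, "high" if risky_path or unsigned else "review"))
    return findings

if __name__ == "__main__":
    for image, severity in triage_uia_loads(SAMPLE_EVENTS):
        print(f"{severity:6} {image}")
```

Many legitimate applications also load this DLL, so the output is a triage queue to compare against a baseline, not a verdict.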