Beware! This malware can steal your banking info using Windows tools

Updated on 23-Jul-2025
HIGHLIGHTS

Coyote exploits Microsoft’s UI Automation, originally built for accessibility, to spy on users and steal sensitive financial data.

The malware uses GetForegroundWindow() and UIA to detect when users visit financial websites and extract login credentials or wallet info.

Coyote spreads through the popular Squirrel installer and currently targets users in Brazil, with global expansion likely.

A new version of the notorious Coyote malware is making the rounds, and it’s more dangerous than before. Cybersecurity researchers at Akamai have discovered that the malware is now using a legitimate Windows feature to spy on users and steal sensitive banking and cryptocurrency information. Microsoft’s UI Automation (UIA) framework was initially built to help assistive technologies interact with software interfaces, but attackers are now abusing it to steal data.

According to the report, Coyote malware exploits UIA to track when users visit banking websites or cryptocurrency exchanges, enabling it to target and steal login details and wallet information.

This new variant of Coyote employs standard attack methods, including keylogging and phishing overlays, and spreads through the Squirrel installer, a popular tool for installing and updating Windows applications.

Once the system is infected, the malware sends back detailed information, including the computer’s and user’s name, system specifications, and the financial services being used, to a command-and-control (C2) server operated by the attackers.


It then uses a Windows API called GetForegroundWindow() to detect which window the user is actively using and compares that window's title against a hardcoded list of banking and crypto sites. If the title alone does not produce a match, it digs deeper, using UI Automation to read the website address directly from the browser.

So far, this version of Coyote is primarily targeting users in Brazil, but security experts warn that this could be a test run. “It’s common for attackers to trial malware in specific regions before going global,” Akamai noted.

Researchers also shared a proof-of-concept showcasing how the same Windows feature could potentially be used to steal passwords directly from login pages, making this a serious threat to be aware of. Users are advised to remain vigilant, keep their security software up to date, and refrain from downloading apps from untrusted sources.
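One way a defender could look for the UIA abuse described above, added here as an example that is not from the original article or Akamai's report: it scores Sysmon-style image-load records (Event ID 7) for processes that load UIAutomationCore.dll, the library behind UI Automation, and weights per-user install paths such as those Squirrel uses. The allowlist, the scoring threshold and the sample records are assumptions constructed for illustration.

```python
from pathlib import PureWindowsPath

UIA_DLL = "uiautomationcore.dll"
# Assumption: full paths of processes expected to be UIA clients in this environment.
# Matching on the full path stops a look-alike name in a user folder from passing.
EXPECTED_UIA_CLIENTS = {
    "c:\\windows\\system32\\narrator.exe",
    "c:\\windows\\system32\\magnify.exe",
}
# Squirrel installs per-user under %LocalAppData%, so user-writable paths add weight.
USER_WRITABLE_MARKERS = ("\\appdata\\local\\", "\\appdata\\roaming\\")

# Constructed Sysmon Event ID 7 (ImageLoad) records; not real telemetry.
UIA_PATH = r"C:\Windows\System32\UIAutomationCore.dll"
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\Narrator.exe",
     "ImageLoaded": UIA_PATH, "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Users\ana\AppData\Local\ExampleApp\app-1.0.0\ExampleApp.exe",
     "ImageLoaded": UIA_PATH, "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\ExampleReader\reader.exe",
     "ImageLoaded": UIA_PATH, "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Users\ana\AppData\Local\ExampleApp\app-1.0.0\ExampleApp.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Users\ana\AppData\Local\Temp\Narrator.exe",
     "ImageLoaded": UIA_PATH, "Signed": "false"},
]

def score_event(event):
    """Return (score, reasons) for one record; a score of 0 means not of interest."""
    if event.get("EventID") != 7:
        return 0, []
    if PureWindowsPath(event.get("ImageLoaded", "")).name.lower() != UIA_DLL:
        return 0, []
    image = event.get("Image", "").lower()
    if image in EXPECTED_UIA_CLIENTS:
        return 0, []
    score, reasons = 1, ["unexpected UIA client"]
    if any(marker in image for marker in USER_WRITABLE_MARKERS):
        score, reasons = score + 2, reasons + ["runs from user-writable path"]
    if str(event.get("Signed", "")).lower() != "true":
        score, reasons = score + 1, reasons + ["unsigned image"]
    return score, reasons

def triage(events, threshold=2):
    """Return (image, score, reasons) for records at or above threshold, highest first."""
    scored = [(e["Image"], *score_event(e)) for e in events]
    return sorted((h for h in scored if h[1] >= threshold), key=lambda h: -h[1])

if __name__ == "__main__":
    for image, score, reasons in triage(SAMPLE_EVENTS):
        print(score, image, "; ".join(reasons))
```

Many legitimate applications load UIAutomationCore.dll, so the allowlist needs to be built from a baseline of the environment before the output is useful for alerting.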

Himani Jha

Himani Jha is a tech news writer at Digit. Passionate about smartphones and consumer technology, she has contributed to leading publications such as Times Network, Gadgets 360, and Hindustan Times Tech for the past five years. When not immersed in gadgets, she enjoys exploring the vibrant culinary scene, discovering new cafes and restaurants, and indulging in her love for fine literature and timeless music.
