A New Threat on the Horizon: Meet Coyote 2.0
Cybercriminals are stepping up their game. The latest Coyote banking trojan (Trojan: a type of malware disguised as a legitimate file or app) has become a stealthier financial threat by abusing Windows UI Automation (UIA) (UI Automation: a Microsoft accessibility feature that lets programs read and interact with on-screen elements such as menus, text fields and tabs). Where is it active? Mainly in Brazil, where it quietly harvests login credentials from customers of banks and crypto platforms.
Why this matters:
UIA was never built with attackers in mind. It exists so that accessibility tools, such as screen readers, can read and drive other programs' interfaces. Coyote first calls the Windows GetForegroundWindow() API (API: a set of rules that lets software programs talk to each other) to find the window the user is currently working in. It then uses UIA to walk that window's element tree and read the browser's address bar and tab titles, the same way a screen reader would.
If the address matches its hardcoded list of 75 targeted financial sites (banks and crypto exchanges), Coyote proceeds to steal the victim's username and password. Because the check reads what the browser already displays, it needs neither keystrokes nor screenshots.
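To make the mechanism concrete, here is a small simulation of the address check described above. This is an added example, not code from the article or from Coyote: a real UIA client would get the foreground window's element tree from the UIA COM API, whereas here the tree is a hand-built nested dict so the logic runs anywhere. The control-type names ("Edit", "TabItem") follow UIA's naming; the two-entry target list and the hostnames are made-up stand-ins for the trojan's 75 hardcoded sites.

```python
"""Simulated UIA-based address-bar check (added example, constructed data)."""
from urllib.parse import urlsplit

# Stand-in for a hardcoded target list (assumption: the real one has 75 entries).
TARGET_HOSTS = {"bank-a.example", "exchange-b.example"}

# Constructed UIA-style element tree of a browser window; a real client would
# build this by walking the foreground window with the UIA COM interfaces.
FOREGROUND_WINDOW = {
    "ControlType": "Window", "Name": "Login - Bank A - Browser",
    "Children": [
        {"ControlType": "Pane", "Name": "Tab strip", "Children": [
            {"ControlType": "TabItem", "Name": "Login - Bank A", "Children": []},
            {"ControlType": "TabItem", "Name": "Weather", "Children": []},
        ]},
        {"ControlType": "Edit", "Name": "Address and search bar",
         "Value": "https://bank-a.example/login?next=/accounts", "Children": []},
    ],
}


def walk(element):
    """Depth-first traversal of the element tree, yielding every node."""
    yield element
    for child in element.get("Children", []):
        yield from walk(child)


def address_bar_url(window):
    """Return the text shown in the first address-bar-like Edit control."""
    for el in walk(window):
        if el["ControlType"] == "Edit" and "address" in el.get("Name", "").lower():
            return el.get("Value", "")
    return ""


def tab_titles(window):
    """Titles of all open tabs, read from TabItem control names."""
    return [el["Name"] for el in walk(window) if el["ControlType"] == "TabItem"]


def host_of(url):
    """Normalised hostname of a URL, '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def check_foreground(window, targets=TARGET_HOSTS):
    """Replicate the decision: is the visible page on a targeted host?"""
    url = address_bar_url(window)
    return {
        "url": url,
        "host": host_of(url),
        "tabs": tab_titles(window),
        "is_target": host_of(url) in targets,
    }


if __name__ == "__main__":
    print(check_foreground(FOREGROUND_WINDOW))
```

Note that nothing here hooks the keyboard or captures pixels; the only operations are "enumerate elements" and "read a name or value", which is exactly what assistive technology does all day, and why behaviour-based detection has to look at who is doing it rather than what is being done.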
Why This Attack Works So Well
- Silent surveillance: Unlike keyloggers (keylogger: software that records everything you type) or screen-capture malware (programs that take screenshots of your screen without consent), Coyote only reads UI elements through a legitimate accessibility interface, so defenses tuned to those noisier behaviours have little to flag.
- Offline resilience: The address check runs locally through UIA, so Coyote can keep identifying target sites even when it cannot reach its command-and-control servers.
- Tailored targeting: Coyote is laser focused on high‑value targets like Banco do Brasil, Bradesco, Santander, Binance, Electrum, and Foxbit.
How Coyote Creeps In: The Infection Path
Coyote spreads through several clever channels:
- Phishing emails (fake emails that trick you into clicking and installing malware) carrying ZIP files that contain a malicious .LNK shortcut (.LNK: a Windows shortcut file).
- A hidden PowerShell script (PowerShell: a Windows scripting language for automating tasks, frequently abused by attackers) runs silently from that shortcut to download the malware.
- WhatsApp Web propagation: Some variants automatically forward infected files to your contacts.
- Once installed, Coyote writes entries to the Windows registry (a database Windows uses to store settings) so that it runs every time the computer starts, and opens encrypted connections to its C2 servers (Command and Control: attacker-run servers that give malware its instructions).
UI Automation: From Good Deed to Cyber Weapon
What is UI Automation (UIA)?
A legitimate Microsoft accessibility framework built into Windows (exposed through COM and a .NET wrapper) that lets assistive apps read buttons, fields, and text in other programs.
How Coyote twists it:
Think of UIA as giving apps "x-ray vision" into other programs' windows. Coyote uses that vision to watch your browser's address bar and tabs and pick the moment to steal sensitive data, without you noticing anything.
First of its kind:
Security researchers (Akamai, July 2025) confirmed this is the first documented case of malware abusing UIA in the wild.
Anatomy of a Lawsuit: What Could Go Wrong?
If Coyote compromises Bank X and customers lose money:
- Negligence: “The bank didn’t implement proper cybersecurity controls.”
- Privacy breach: Usernames and passwords are personal data.
- Regulatory breach: Failing to comply with BNS ETS or LGPD.
Courts may treat the bank’s inaction as contributory negligence, especially as such malware risks are now widely publicized.
How to Stay Safe: A Layered Defense Guide
For Users
- Enable Multi-Factor Authentication (MFA): Stolen credentials alone are far less useful when a second step is required. Prefer app-based or hardware-backed factors (security key, passkey) over SMS codes, which can be intercepted or phished.
- Use official apps/sites: Avoid unknown shortcuts, ZIP attachments, or pop-ups asking you to install something.
- Run an up-to-date antivirus/EDR: Prefer products with behaviour-based detection that can flag an unknown program using accessibility interfaces.
For Banks & Enterprises
- Monitor DLL loads: Alert when UIAutomationCore.dll (the library UIA clients load) is loaded by a process that is not a known browser, Office app, or accessibility tool, especially one running from a user-writable folder. Sysmon image-load events or osquery (an open-source tool that queries system state) can supply the data.
- Adopt behaviour-based detection: Don't rely only on signature-based antivirus; a new build of the trojan defeats signatures, but "unknown binary enumerates the foreground browser's UI" does not change.
- Watch for credential-use anomalies: Logins from new devices or locations shortly after a customer's legitimate session are how stolen credentials typically surface; pair this with step-up authentication.
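The DLL-load monitoring point above, as an added example that is not part of the article or any vendor's product: the detector below reads Sysmon Event ID 7 (Image loaded) records, here constructed by hand as JSON lines using Sysmon's Image / ImageLoaded / ProcessId field names, and flags processes that load UIAutomationCore.dll but are not on an allowlist or run from a user-writable directory. The allowlist and directory list are assumptions you would baseline against your own fleet.

```python
"""Flag unexpected UIAutomationCore.dll loads in Sysmon-style image-load events."""
import json
from pathlib import PureWindowsPath

UIA_DLL = "uiautomationcore.dll"

# Processes expected to act as UIA clients (assumption: tune to your environment).
EXPECTED_IMAGES = {
    "explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe",
    "narrator.exe", "magnify.exe", "winword.exe", "outlook.exe", "teams.exe",
}

# Directories a benign UIA client rarely runs from (assumption).
SUSPECT_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\public\\", "\\programdata\\")

# Constructed sample events in Sysmon Event ID 7 style (not real telemetry).
SAMPLE_EVENTS = [
    r'{"EventID": 7, "ProcessId": 4120, "Image": "C:\\Windows\\explorer.exe", "ImageLoaded": "C:\\Windows\\System32\\UIAutomationCore.dll"}',
    r'{"EventID": 7, "ProcessId": 5388, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ImageLoaded": "C:\\Windows\\System32\\UIAutomationCore.dll"}',
    r'{"EventID": 7, "ProcessId": 7712, "Image": "C:\\Users\\ana\\AppData\\Local\\Temp\\update.exe", "ImageLoaded": "C:\\Windows\\System32\\UIAutomationCore.dll"}',
    r'{"EventID": 7, "ProcessId": 9004, "Image": "C:\\Users\\ana\\Downloads\\cliente\\chrome.exe", "ImageLoaded": "C:\\Windows\\System32\\UIAutomationCore.dll"}',
    r'{"EventID": 7, "ProcessId": 7712, "Image": "C:\\Users\\ana\\AppData\\Local\\Temp\\update.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"}',
    r'{"EventID": 1, "ProcessId": 7712, "Image": "C:\\Users\\ana\\AppData\\Local\\Temp\\update.exe", "CommandLine": "update.exe /silent"}',
]


def classify(event):
    """Return the reasons an image-load event is suspicious; [] means ignore."""
    if event.get("EventID") != 7:
        return []
    if PureWindowsPath(event.get("ImageLoaded", "")).name.lower() != UIA_DLL:
        return []
    image = event.get("Image", "")
    reasons = []
    # Name check alone is weak: a copy of chrome.exe in Downloads passes it,
    # which is why the path check below is applied independently.
    if PureWindowsPath(image).name.lower() not in EXPECTED_IMAGES:
        reasons.append("image not in UIA client allowlist")
    if any(d in image.lower() for d in SUSPECT_DIRS):
        reasons.append("image runs from a user-writable directory")
    return reasons


def scan(lines):
    """Parse JSON event lines and collect alerts for suspicious UIA loads."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line; skip rather than crash the pipeline
        reasons = classify(event)
        if reasons:
            alerts.append({"pid": event.get("ProcessId"), "image": event.get("Image"), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

On the sample data only the Temp-resident update.exe and the chrome.exe copied into Downloads are reported; the genuine Explorer and Chrome loads and the unrelated kernel32.dll load are ignored. In production, feed this from your Sysmon forwarder and expect to grow the allowlist for a week before alerting on it.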
Related Cybercrime News Around the World
Coyote is part of a wider trend:
- Grandoreiro Trojan Resurgence (2025): Another Brazilian banking trojan returned with encrypted payloads and phishing waves.
- Mispadu in Mexico: Banking trojan spreading via fake ads and social engineering.
- Europol Crypto Drainer Alert: An advisory on malware stealing seed phrases from crypto wallets in Europe.
What these all show: Cybercriminals are blending social engineering (tricking people into giving up information or clicking links) with abuse of legitimate operating-system features, such as UIA, to slip past security layers.
Stay Alert: The Tech‑Legal Crossover
Coyote 2.0 isn’t just another malware headline. It’s a wake‑up call to combine technical vigilance with legal responsibility.
- Users: Stay cautious about emails, attachments, and software prompts.
- Banks: Review cybersecurity frameworks and update liability clauses to align with laws.
Final Word: A Call to Action
Coyote 2.0 proves that even helpful operating system features can be abused as cyberweapons. Bridging technical security with legal safeguards is the only way forward.
Takeaways:
- MFA, EDR monitoring, and UIA anomaly detection are must‑haves.
- Banks must revise privacy disclosures and liability clauses today.
- Users should remain informed and alert because the next wave of stealthy banking malware is already brewing.