How Coyote trojan exploits Windows's accessibility features to steal data

A new twist on the Coyote trojan is using a legit Windows feature—meant to help people with disabilities—to quietly identify logins from banking and crypto sites.
Instead of making life easier for users, the feature is flipped against them: the malware uses Microsoft's UI Automation framework to spot financial sites, with the potential to swipe your credentials without you noticing.

How Coyote works

Coyote checks which window you're using, then digs through browser elements like tabs and address bars if it thinks you're on a bank or crypto site.
By doing this, it slips past most security tools that usually catch other types of malware.

What happens to the stolen data?

Once Coyote grabs your info—like computer name, username, and what financial services you use—it ships everything off to hackers' servers.
This kind of attack shows how even helpful tech features can be twisted for scams, so staying alert about new threats is more important than ever if you do anything money-related online.
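
An added detection example, not taken from the article or from any vendor's tooling: it correlates a process loading the UI Automation library (UIAutomationCore.dll) with an outbound connection from the same process, matching the inspect-the-browser-then-send-it-out behaviour described above. It assumes Sysmon-style image-load (Event ID 7) and network-connection (Event ID 3) events; the sample events, the allowlist and the function name are constructed for illustration.

```python
from ntpath import basename  # parses Windows paths on any OS

UIA_DLL = "uiautomationcore.dll"
# Assumption: only these built-in accessibility tools are expected UIA clients here.
ALLOWED_UIA_CLIENTS = {
    r"c:\windows\system32\narrator.exe",
    r"c:\windows\system32\magnify.exe",
}

# Constructed sample events using Sysmon field names (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 7, "ProcessGuid": "g-1", "Image": r"C:\Windows\System32\Narrator.exe",
     "ImageLoaded": r"C:\Windows\System32\UIAutomationCore.dll"},
    {"EventID": 3, "ProcessGuid": "g-1", "Image": r"C:\Windows\System32\Narrator.exe",
     "DestinationIp": "203.0.113.5", "DestinationPort": 443},
    {"EventID": 7, "ProcessGuid": "g-2", "Image": r"C:\Users\alice\AppData\Roaming\updater.exe",
     "ImageLoaded": r"C:\Windows\System32\UIAutomationCore.dll"},
    {"EventID": 3, "ProcessGuid": "g-2", "Image": r"C:\Users\alice\AppData\Roaming\updater.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 443},
    # Allowlisted file name, wrong directory: must not be trusted.
    {"EventID": 7, "ProcessGuid": "g-3", "Image": r"C:\Users\alice\AppData\Local\Temp\Narrator.exe",
     "ImageLoaded": r"C:\Windows\System32\UIAutomationCore.dll"},
    {"EventID": 3, "ProcessGuid": "g-3", "Image": r"C:\Users\alice\AppData\Local\Temp\Narrator.exe",
     "DestinationIp": "198.51.100.9", "DestinationPort": 80},
    # Network activity with no UIA load: out of scope for this rule.
    {"EventID": 3, "ProcessGuid": "g-4", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "192.0.2.10", "DestinationPort": 443},
]

def find_suspect_uia_clients(events):
    """Return {ProcessGuid: finding} for unexpected UIA clients that also connect out."""
    uia_loaders = {}  # ProcessGuid -> image path of a non-allowlisted UIA loader
    findings = {}
    for ev in events:
        guid, image = ev["ProcessGuid"], ev["Image"]
        if ev["EventID"] == 7 and basename(ev["ImageLoaded"]).lower() == UIA_DLL:
            if image.lower() not in ALLOWED_UIA_CLIENTS:  # match full path, not file name
                uia_loaders[guid] = image
        elif ev["EventID"] == 3 and guid in uia_loaders:
            hit = findings.setdefault(guid, {"image": uia_loaders[guid], "destinations": []})
            hit["destinations"].append(f'{ev["DestinationIp"]}:{ev["DestinationPort"]}')
    return findings

if __name__ == "__main__":
    for guid, hit in find_suspect_uia_clients(SAMPLE_EVENTS).items():
        print(guid, hit["image"], "->", ", ".join(hit["destinations"]))
```

Legitimate automation and testing tools also load this library, so the allowlist has to be tuned to the environment before the rule is useful as an alert.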