TRENDING TOPICS JULY 23, 2025

Update: Coyote Banking Trojan Becomes First to Exploit Windows UI Automation for Credential Theft 

A newly identified variant of the Coyote banking trojan is the first known malware to exploit Microsoft’s UI Automation (UIA) framework for real-world credential theft, marking a major shift in attacker techniques. Initially observed in early 2024 targeting Brazilian users, Coyote has continuously evolved and now incorporates UIA to inspect browser interface elements and extract sensitive data silently. When standard methods, such as comparing window titles, fail to detect access to a targeted financial site, the malware uses UIA to parse UI sub-elements—such as browser tabs and address bars—to look for any of the 75 hardcoded banking and cryptocurrency domains it monitors. This lets Coyote recognize when a victim accesses a specific service, even when the browser window is minimized or obfuscated. Because UIA is a trusted accessibility feature in Windows, the technique lets the malware operate with minimal visibility and bypass many endpoint detection solutions. Coyote also operates effectively in offline mode, increasing its chances of harvesting data during intermittent network connectivity. The malware is delivered through phishing campaigns using the Squirrel installer, often bundled within compressed files that mimic legitimate software. Once installed, it collects system-level data and establishes communication with a command-and-control server. If a banking site is detected, it activates its credential theft routines and may escalate to more advanced UIA abuse, including manipulating visible browser elements or redirecting users to spoofed domains. Researchers at Akamai demonstrated how the same UIA capabilities could be extended to extract typed credentials or simulate user interaction, laying the groundwork for potential future variants with broader functionality. Detection remains challenging because of UIA's deep integration with Windows.
Still, defenders can monitor suspicious loading of UIAutomationCore[.]dll into unknown processes and track UIA-related named pipes as potential indicators. Coyote’s use of UIA demonstrates a clear move toward abusing legitimate system features to bypass defenses, indicating a need for proactive monitoring and policy enforcement regarding accessibility tool usage. 
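The DLL-load hunt suggested above, as an added example that is not part of the original article: it runs over a few constructed Sysmon Event ID 7 (ImageLoad) records and flags UIAutomationCore.dll being loaded by processes outside a baseline, or by a baseline-named binary running from a user-writable directory. The baseline process set, trusted directories and sample events are assumptions to be tuned per fleet.

```python
"""Hunt for UIAutomationCore.dll loads by unexpected processes (Sysmon Event ID 7).
Baseline, trusted directories and sample events are constructed for this example."""
import ntpath

TARGET_DLL = "uiautomationcore.dll"

# Processes expected to host UIA in most fleets (assumption; tune to your baseline).
BASELINE_HOSTS = {"explorer.exe", "narrator.exe", "msedge.exe", "chrome.exe", "firefox.exe"}

# Directories ordinary users cannot write to (case-insensitive prefix match).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed ImageLoad records using the field names Sysmon emits (Image, ImageLoaded).
SAMPLE_EVENTS = [
    {"RecordId": 1, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\UIAutomationCore.dll"},
    {"RecordId": 2, "Image": r"C:\Users\alice\AppData\Local\Temp\svcupdate.exe",
     "ImageLoaded": r"C:\Windows\System32\UIAutomationCore.dll"},
    {"RecordId": 3, "Image": r"C:\Users\alice\AppData\Local\Temp\chrome.exe",
     "ImageLoaded": r"C:\Windows\System32\UIAutomationCore.dll"},
    {"RecordId": 4, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll"},
]


def is_trusted_path(path: str) -> bool:
    """True when the image lives under a directory ordinary users cannot write to."""
    return path.lower().startswith(TRUSTED_DIRS)


def flag_uia_loads(events):
    """Return (RecordId, Image, reason) for UIAutomationCore.dll loads outside the baseline."""
    findings = []
    for ev in events:
        if ntpath.basename(ev["ImageLoaded"]).lower() != TARGET_DLL:
            continue  # other DLL loads are not of interest here
        image = ev["Image"]
        if ntpath.basename(image).lower() not in BASELINE_HOSTS:
            findings.append((ev["RecordId"], image, "process not in UIA host baseline"))
        elif not is_trusted_path(image):
            # A baseline file name is no reassurance when it runs from a user-writable directory.
            findings.append((ev["RecordId"], image, "baseline name from untrusted path"))
    return findings


if __name__ == "__main__":
    for record_id, image, reason in flag_uia_loads(SAMPLE_EVENTS):
        print(f"record {record_id}: {image} ({reason})")
```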

Update: Lumma Stealer Rapidly Resurfaces After Global Takedown 

Despite a significant law enforcement operation in May 2025 that seized over 2,300 domains and disrupted Lumma Stealer’s command-and-control infrastructure, the operators behind the malware-as-a-service (MaaS) quickly resumed operations. Within weeks, Lumma's activity returned to near pre-takedown levels, demonstrating the group’s resilience and ability to pivot under pressure. The primary developer, linked to the actor group “Water Kurita,” confirmed the breach on underground forums, citing a vulnerability in Dell's iDRAC as the point of compromise. Although their systems were remotely wiped, the operators restored access, hardened their infrastructure, and began rebuilding, shifting away from Cloudflare to less cooperative providers. This move reduces the risk of future domain seizures and shows a clear evolution in infrastructure hardening. The malware’s core functions—stealing credentials, crypto wallets, and sensitive files—remain intact, and Lumma’s resurgence highlights the difficulty of permanently dismantling persistent MaaS threats without arrests or legal follow-up.

Following the takedown, Lumma Stealer expanded its delivery methods, adopting increasingly deceptive and evasive tactics. Campaigns now use fake software cracks, keygens, and malvertising to funnel victims through Traffic Detection Systems (TDS), which fingerprint devices before delivering payloads. The ClickFix campaign uses compromised websites with fake CAPTCHA pages to lure users into running PowerShell scripts that load Lumma directly into memory, bypassing file-based detection. GitHub is being abused to host malware disguised as gaming cheats, often wrapped in AI-generated project pages to appear legitimate. Social media platforms like YouTube and Facebook also play a role, with posts promoting pirated software or editing tools that link to malware-hosting sites, including trusted services like sites[.]google[.]com.
These techniques broaden Lumma's reach while making detection harder for traditional security tools. Trend Micro has suggested detection capabilities, but defending against Lumma’s continued evolution requires organizations to pair technical defenses with continuous user education and proactive threat hunting. 

Update: ZuRu Malware Resurfaces with Trojanized SSH Client, Targeting macOS Developers and IT Pros 

A new and highly refined variant of macOS ZuRu has emerged, leveraging a modified version of the Termius SSH client to deliver a stealthy backdoor targeting developers and IT professionals. Detected in late May 2025, this version abandons earlier dynamic library injection techniques in favor of full application trojanization, embedding malicious binaries directly into the app bundle. The legitimate Termius Helper binary is renamed and replaced by a malicious Mach-O file, which ensures the app appears to function normally while executing a hidden loader. This loader, named [.]localized, deploys a modified Khepri command-and-control beacon that operates persistently, storing itself in a temporary system path for stealth. The Khepri beacon, a customized version of an open-source post-exploitation tool, communicates with its C2 server at five-second intervals over port 53 and uses decoy domains to disguise its traffic. To bypass macOS Gatekeeper protections, the malware uses ad hoc code signatures, exploiting macOS’s implicit trust in signed binaries. It further improves resilience through MD5 hash checks and a built-in update mechanism that downloads fresh payloads if tampering is detected. Once active, the malware supports remote command execution, file transfers, system reconnaissance, and process control, posing long-term espionage risks. Its targeting of backend tools, including Termius, SecureCRT, and Navicat, suggests a strategic effort to infiltrate tech-focused environments, often via pirated or poisoned app downloads. SentinelOne and PolySwarm researchers consider this an ongoing and evolving threat, signaling an increasing trend in macOS-focused malware that blends commodity frameworks with tailored evasion techniques. Organizations are advised to enforce strict integrity checks, monitor for unusual behavior on non-standard ports, and educate users on the risks of downloading unverified software. 

Ransomware Gangs Exploit Legitimate RMM Tools for Stealthy Attacks 

Over the past year, ransomware groups have increasingly repurposed Remote Monitoring and Management (RMM) tools—traditionally used by IT teams for software deployment and remote support—as covert channels for accessing enterprise networks. Commercially available RMM platforms, such as AnyDesk, ScreenConnect, PDQ Deploy, and SimpleHelp, have become key components in real-world ransomware campaigns. Their trusted status, signed binaries, and encrypted communications enable attackers to bypass traditional security controls. In multiple confirmed incidents, adversaries leveraged these tools to quietly establish persistence, execute scripts, move laterally, and stage data for exfiltration long before triggering ransomware payloads. For instance, Hunters International, Medusa, and an unidentified affiliate all used various combinations of RMM software across different industries to evade detection while preparing for encryption and extortion. In each case, network forensics revealed encrypted outbound traffic, particularly on TCP port 7070, which AnyDesk uses, and no immediate endpoint alerts were triggered due to whitelisted software usage. These campaigns highlight a critical security blind spot: defenders must now distinguish between legitimate administrative activity and abuse of trusted tools by threat actors. The use of RMMs with built-in features—remote control, silent execution, script deployment, and native persistence—offers attackers a RAT-like capability without the risk of introducing known malware. Techniques such as phishing with trojanized installers or malicious LNK files enable attackers to piggyback on pre-installed RMM agents to establish access, often invoking preconfigured sessions without writing new binaries to disk. Certificate-pinned TLS tunnels further obscure the activity, as they prevent traffic inspection by breaking standard SSL interception. 
To counter this, security teams must shift to behavior-based detection methods, flagging first-time RMM usage, off-hours sessions, and connections to new destinations. Enforcing strict access policies, maintaining updated allowlists, and monitoring RMM usage at both the endpoint and network layers are essential. As RMM adoption continues to grow, its dual-use nature demands a proactive, context-aware approach to detection and response. 
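The behavior-based checks recommended above, as an added example that is not part of the original article: it runs over a few constructed connection records and raises an alert for first-time RMM use on a host, off-hours sessions, and connections to destinations not seen before. TCP 7070 is the AnyDesk port noted in the article; the process names, host names, addresses and baseline sets are assumptions.

```python
"""Behavior-based triage of RMM sessions from connection logs.
Process names, hosts, addresses and baselines are constructed for this example."""
from datetime import datetime

# RMM client binaries to watch (assumption: extend with the tools your IT team uses).
RMM_PROCESSES = {"anydesk.exe", "screenconnect.clientservice.exe"}
ANYDESK_PORT = 7070  # AnyDesk's direct-connection port noted in the article
BUSINESS_HOURS = range(8, 18)  # local time, Monday to Friday

# Constructed baseline: hosts where RMM is expected and relays already seen.
KNOWN_RMM_HOSTS = {"ws-helpdesk-01"}
KNOWN_DESTINATIONS = {"203.0.113.10"}

# Constructed connection records (endpoint telemetry joined with flow data).
SAMPLE_EVENTS = [
    {"ts": "2025-07-21T10:15:00", "host": "ws-helpdesk-01", "process": "AnyDesk.exe",
     "dst_ip": "203.0.113.10", "dst_port": 7070},
    {"ts": "2025-07-22T02:40:00", "host": "fs-finance-02", "process": "AnyDesk.exe",
     "dst_ip": "198.51.100.77", "dst_port": 7070},
    {"ts": "2025-07-22T03:05:00", "host": "fs-finance-02", "process": "AnyDesk.exe",
     "dst_ip": "198.51.100.77", "dst_port": 7070},
    {"ts": "2025-07-26T14:00:00", "host": "ws-helpdesk-01",
     "process": "ScreenConnect.ClientService.exe", "dst_ip": "203.0.113.10", "dst_port": 443},
]


def is_rmm_event(ev) -> bool:
    """RMM by process name, or by AnyDesk's port when the process is unknown or renamed."""
    return ev["process"].lower() in RMM_PROCESSES or ev["dst_port"] == ANYDESK_PORT


def triage_rmm(events, known_hosts, known_destinations):
    """Return (host, ts, reasons) for RMM events that deviate from the baseline."""
    seen_hosts, seen_dests = set(known_hosts), set(known_destinations)
    alerts = []
    for ev in events:
        if not is_rmm_event(ev):
            continue
        ts = datetime.fromisoformat(ev["ts"])
        reasons = []
        if ev["host"] not in seen_hosts:
            reasons.append("first-time RMM use on host")
            seen_hosts.add(ev["host"])  # alert once, then treat the host as known
        if ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS:
            reasons.append("off-hours session")
        if ev["dst_ip"] not in seen_dests:
            reasons.append("new destination")
            seen_dests.add(ev["dst_ip"])
        if reasons:
            alerts.append((ev["host"], ev["ts"], reasons))
    return alerts
```

Feed it records in chronological order; the known-host and known-destination sets grow as it runs, so each new host or relay is reported once rather than on every session.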

💡
Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.