Cyberveille, curated by Decio
Coyote in the Wild: First-Ever Malware That Abuses UI Automation https://www.akamai.com/blog/security-research/active-exploitation-coyote-malware-first-ui-automation-abuse-in-the-wild
31/07/2025 11:43:41

akamai.com - Akamai researchers previously outlined the potential for malicious use of UIA.

Now, Akamai researchers have analyzed a new variant of the Coyote malware that is the first confirmed case of maliciously using Microsoft’s UI Automation (UIA) framework in the wild.

The new Coyote variant targets Brazilian users and uses UIA to extract credentials associated with the web addresses of 75 banking institutions and cryptocurrency exchanges.

To help prevent Coyote infections and UIA abuse more broadly, we’ve included indicators of compromise and additional detection measures in this blog post.

In December 2024, we published a blog post that highlighted how attackers could abuse Microsoft’s UIA framework to steal credentials, execute code, and more. Exploitation was only a proof of concept (PoC) — until now.

Approximately two months after the publication of that blog post, our concerns were validated when a variant of the banking trojan malware Coyote was observed abusing UIA in the wild — marking the first known case of such exploitation.

This UIA abuse is the latest in the trail of malicious tracks Coyote has left in its digital habitat since its discovery in February 2024.

In this blog post, we take a closer look at the variant to better understand how UIA is being leveraged for malicious purposes, and what it means for defenders.

What is Coyote malware?
Coyote is a well-known malware family that was discovered in February 2024 and has caused significant damage in the Latin America region ever since. Coyote is a banking trojan that employs various malicious techniques, such as keylogging and phishing overlays, to steal banking information.

It uses the Squirrel installer to propagate (hence the name “Coyote,” a nod to the coyote’s habit of hunting squirrels). In one of its most well-known campaigns, Coyote targeted Brazilian companies in an attempt to deploy an information-stealing remote access trojan (RAT) within their systems.

After the initial discovery of Coyote, many security researchers uncovered details of its operations and provided in-depth technical analyses. One such examination, published by Fortinet in January 2025, shed light on Coyote’s internal workings and attack chain.

UIA abuse
We’ve expanded on those analyses and discovered one new key detail: Coyote now leverages UIA as part of its operation. Like any other banking trojan, Coyote is hunting banking information, but what sets Coyote apart is the way it obtains this information, which involves the (ab)use of UIA.
