PoC of abusing UIA for social engineering | Image: Akamai
Akamai has confirmed the first observed abuse of Microsoft’s UI Automation (UIA) framework by malware in the wild. The malware responsible is a recently discovered Latin America–focused banking trojan known as Coyote.
“Exploitation was only a proof of concept (PoC) — until now,” Akamai writes. “Approximately two months after the publication of that blog post, our concerns were validated when a variant of the banking trojan malware Coyote was observed abusing UIA in the wild.”
Originally discovered in February 2024, Coyote is a sophisticated banking trojan that uses keylogging, phishing overlays, and now UIA abuse to extract sensitive financial data from victims. The malware was initially spread via the Squirrel installer, a packaging tool often used for legitimate applications—making its distribution vectors especially stealthy.
Coyote’s infection process is marked by precision. Once installed, the trojan communicates with its command-and-control (C2) server to exfiltrate basic system metadata such as the computer name and user credentials. However, its true objective lies in discovering and compromising the victim’s banking or cryptocurrency activities.
The malware first uses the classic GetForegroundWindow() API to determine which window is currently active. It then compares the window title against a hardcoded list of over 75 bank and crypto exchange URLs. If no match is found, that’s when Coyote calls in UIA.
UI Automation allows applications—and now malware—to programmatically examine and interact with the user interface of other running applications. Coyote uses this feature to traverse the child elements of the foreground window, seeking hidden address bars or tab data that might reveal the target’s financial site usage.
“If no match is found, Coyote will then use UIA to parse through the UI child elements of the window in an attempt to identify browser tabs or address bars,” the report explains.
Once a match is confirmed using UIA, the malware continues its credential-stealing operation, often bypassing traditional endpoint defenses in the process.
Akamai emphasizes that this is the first known instance of malware abusing UIA—a milestone that may signal broader adoption of the framework in future attack chains. The researchers provide proof-of-concept demonstrations showing how UIA can be weaponized not just for surveillance, but for active manipulation.
This turns UIA into a potential tool for high-fidelity phishing, tab hijacking, and spoofing, particularly in cases where browser sandboxing and memory protections might otherwise provide some insulation.
Coyote’s UIA abuse highlights the need for defenders to go beyond basic behavioral analysis and look for inter-process UI access patterns, especially among unknown or unsigned executables.
“UIA provides several things for an attacker, including a simple solution for malware developers to parse sub-elements of another application,” Akamai warns.
As attackers evolve, so too must endpoint detection and response (EDR) strategies. Traditional security products may struggle to detect UIA-based techniques due to their reliance on built-in OS APIs and non-intrusive interaction with the GUI layer.
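One concrete form of the "inter-process UI access" hunting the article calls for is to watch which processes load the UIA client library at all, and to treat loads by unsigned or unexpected binaries as leads. The script below is an added example written for this article, not Akamai's code or anything from the Coyote analysis: it parses constructed Sysmon-style Event ID 7 (image load) records and flags processes that load `UIAutomationCore.dll` or `UIAutomationClient.dll` without a trusted signer. The module names, the signer allow list and every sample record are assumptions made for the demonstration; a real deployment would baseline its own legitimate UIA consumers (screen readers, test automation, accessibility tools) before alerting.

```python
"""Added detection example: flag processes that load the Windows UI Automation
client library without being a known, signed UIA consumer. The input mimics
the text rendering of Sysmon Event ID 7 (Image loaded); all records below are
CONSTRUCTED sample data for this example, not real telemetry."""

# DLLs a process loads when it drives UIA as a client (assumption: these are
# the module names a UIA-based detection would key on).
UIA_CLIENT_MODULES = {"uiautomationcore.dll", "uiautomationclient.dll"}

# Hypothetical allow list of signers whose UIA use is expected. A real
# deployment would populate this from its own fleet baseline.
ALLOWED_SIGNERS = {"Microsoft Windows", "Microsoft Corporation"}

# Constructed sample events: one benign OS process, one unsigned temp-folder
# binary, one unrelated DLL load, and one signed third-party accessibility tool.
SAMPLE_EVENTS = """\
Image: C:\\Windows\\explorer.exe
ImageLoaded: C:\\Windows\\System32\\UIAutomationCore.dll
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid

Image: C:\\Users\\victim\\AppData\\Local\\Temp\\update.exe
ImageLoaded: C:\\Windows\\System32\\UIAutomationCore.dll
Signed: false
Signature: -
SignatureStatus: Unavailable

Image: C:\\Windows\\System32\\notepad.exe
ImageLoaded: C:\\Windows\\System32\\kernel32.dll
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid

Image: C:\\Program Files\\Contoso\\reader.exe
ImageLoaded: C:\\Windows\\System32\\UIAutomationClient.dll
Signed: true
Signature: Contoso Accessibility Ltd
SignatureStatus: Valid
"""


def parse_events(text):
    """Parse blank-line-separated 'Key: Value' blocks into a list of dicts."""
    events, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                events.append(current)
                current = {}
            continue
        # Split on the first colon only; paths like C:\... contain colons too.
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        events.append(current)
    return events


def loads_uia_client(event):
    """True if the loaded module is one of the UIA client DLLs."""
    module = event.get("ImageLoaded", "").rsplit("\\", 1)[-1].lower()
    return module in UIA_CLIENT_MODULES


def is_trusted_signer(event):
    """True only for a valid signature from an allow-listed signer."""
    return (event.get("Signed", "").lower() == "true"
            and event.get("SignatureStatus") == "Valid"
            and event.get("Signature") in ALLOWED_SIGNERS)


def find_suspicious_uia_loads(text):
    """Return {process image: reason} for UIA client loads by untrusted processes."""
    findings = {}
    for ev in parse_events(text):
        if not loads_uia_client(ev) or is_trusted_signer(ev):
            continue
        if ev.get("Signed", "").lower() != "true":
            reason = "unsigned process loaded a UIA client library"
        else:
            reason = ("UIA client library loaded by signer not in allow list: "
                      + ev.get("Signature", "?"))
        findings[ev["Image"]] = reason
    return findings


if __name__ == "__main__":
    for image, reason in find_suspicious_uia_loads(SAMPLE_EVENTS).items():
        print(f"{image}: {reason}")
```

Run as-is it reports the unsigned `update.exe` and the signed-but-unlisted `reader.exe`, while `explorer.exe` (allow-listed signer) and `notepad.exe` (no UIA module) pass. The second finding is the deliberate design choice: an allow list by signer rather than a blanket "signed is fine" rule, because a legitimately signed third-party tool loading UIA is exactly the kind of event an analyst should triage once rather than silently trust.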