Coyote Malware Targets WILS, Abusing Microsoft UI Automation to Exfiltrate Logins


Akamai security researchers have uncovered a novel variant of the Coyote banking trojan that marks the inaugural documented instance of malicious actors exploiting Microsoft’s UI Automation (UIA) framework in real-world attacks.

Initially detailed in a December 2024 Akamai blog post as a proof-of-concept vulnerability, UIA, originally designed for accessibility features in Windows operating systems from XP onward, enables stealthy manipulation of user interface elements across applications.

This new Coyote strain, targeting Brazilian users, leverages UIA to systematically extract login credentials associated with 75 distinct web addresses linked to banking institutions and cryptocurrency exchanges.

First Confirmed In-the-Wild Exploitation

By abusing UIA’s Component Object Model (COM) interfaces, the malware evades traditional endpoint detection and response (EDR) tools, which fail to flag its activities as anomalous due to the framework’s inherent elevated permissions for UI interaction.

UIA creation

The exploitation begins with Coyote’s infection chain, which utilizes the Squirrel ...


Copyright of this story solely belongs to gbhackers.