Coyote In The Wild: First-Ever Malware That Abuses UI Automation
Akamai Technologies, Tuesday, July 22nd, 2025
Akamai researchers have analyzed a new variant of the Coyote malware that is the first confirmed case of maliciously using Microsoft's UI Automation (UIA) framework in the wild.
In December 2024, we published a blog post that highlighted how attackers could abuse Microsoft's UIA framework to steal credentials, execute code, and more. Exploitation was only a proof of concept (PoC) - until now.
Approximately two months after the publication of that blog post, our concerns were validated when a variant of the banking trojan malware Coyote was observed abusing UIA in the wild - marking the first known case of such exploitation.
This UIA abuse is the latest of these malicious Coyote tracks in their digital habitat since its discovery in February 2024.
In this blog post, we take a closer look at the variant to better understand how UIA is being leveraged for malicious purposes, and what it means for defenders.