PLAY PODCASTS
Coyote Malware Exploits Microsoft UI Automation in First-Ever Wild Attack
Episode 188


Daily Security Review

July 25, 2025 · 34m 14s


Show Notes

A banking trojan called Coyote has become the first known malware observed in the wild abusing Microsoft's User Interface Automation (UIA) framework, an accessibility API designed to let assistive technologies read and drive Windows interfaces. In the hands of attackers, that same API becomes a precise and stealthy way to read what the victim is looking at.

Primarily targeting Brazilian banking and cryptocurrency users, Coyote harvests credentials for more than 60 financial institutions by reading the UI elements of active windows and by presenting phishing overlays through subtle interface manipulation. It calls the Win32 GetForegroundWindow() API to locate the active window, then instantiates the UIAutomation COM objects to walk that window's element tree, picking out browser elements such as tabs and address bars and reading their text, without needing any prior knowledge of the application's internal structure.

What makes the threat harder to handle is its stealth. UIA is a legitimate, signed accessibility framework, so a process consuming it looks much like an assistive tool, and traditional endpoint detection and response (EDR) products rarely flag that activity; Coyote can therefore operate quietly in the background whether the host is online or offline. Beyond keylogging and phishing, it can take screenshots, kill processes, display a fake system-update screen, and even freeze the machine.

Coyote's final payload is written in Nim, a less common language whose compiled output does not match the signatures written for mainstream malware toolchains, which reduces detection by signature-based tools. The trojan is distributed with the Squirrel installer, an updater framework for Electron applications, masquerading as a legitimate update package so that the victim runs it.

Researchers warn this technique could be the start of a wave of UIA-based attacks that are much harder to detect and stop. Suggested detection strategies include monitoring which processes load UIAutomationCore.dll and inspecting named pipes matching UIA_PIPE_* for inter-process communication anomalies. Both signals also occur in legitimate use, since accessibility tools, browsers and the Windows shell load the same library, so baseline the normal consumers on your fleet before alerting on them.
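Here is an added example (not code from the podcast or from the researchers it cites) that applies those two detection strategies to Sysmon telemetry. It reads Sysmon Event ID 7 (Image Loaded) and 17/18 (Pipe Created/Connected) records exported as one JSON object per line, flags any process outside an assumed baseline that loads UIAutomationCore.dll, and raises the severity when the same process also touches a UIA_PIPE_* named pipe. The baseline, the log lines, the user name and the paths in them are constructed for the example; build the real baseline from your own fleet.

```python
"""Hunt for UI Automation abuse in Sysmon telemetry (added example, not the podcast's code).

Assumes Sysmon logs Event ID 7 (Image Loaded), 17 (Pipe Created) and 18 (Pipe Connected)
and that the events were exported as one JSON object per line with at least
EventID, ProcessId and Image; ID 7 carries ImageLoaded, IDs 17/18 carry PipeName.
"""
import json
import ntpath
import re
from collections import defaultdict

UIA_DLL = "uiautomationcore.dll"
# Sysmon reports pipe names with a leading backslash, e.g. \UIA_PIPE_8812.
UIA_PIPE_RE = re.compile(r"^\\?UIA_PIPE_\d+$", re.IGNORECASE)

# Processes expected to load UIAutomationCore.dll, keyed by executable name, with the
# directory they should run from. This baseline is an assumption for the example.
BASELINE = {
    "explorer.exe": "c:\\windows\\",
    "narrator.exe": "c:\\windows\\system32\\",
    "magnify.exe": "c:\\windows\\system32\\",
    "msedge.exe": "c:\\program files (x86)\\microsoft\\edge\\application\\",
    "chrome.exe": "c:\\program files\\google\\chrome\\application\\",
}

# Constructed sample events: a normal shell and browser, a Squirrel-style "Update.exe"
# dropped under AppData that loads the UIA library and opens a UIA pipe, and an
# explorer.exe running from Temp (a name in the baseline, but the wrong path).
SAMPLE_EVENTS = r"""
{"EventID": 7, "ProcessId": 4120, "Image": "C:\\Windows\\explorer.exe", "ImageLoaded": "C:\\Windows\\System32\\UIAutomationCore.dll"}
{"EventID": 7, "ProcessId": 6044, "Image": "C:\\Users\\ana\\AppData\\Local\\Updater\\Update.exe", "ImageLoaded": "C:\\Windows\\System32\\UIAutomationCore.dll"}
{"EventID": 17, "ProcessId": 6044, "Image": "C:\\Users\\ana\\AppData\\Local\\Updater\\Update.exe", "PipeName": "\\UIA_PIPE_8812"}
{"EventID": 18, "ProcessId": 6044, "Image": "C:\\Users\\ana\\AppData\\Local\\Updater\\Update.exe", "PipeName": "\\UIA_PIPE_8812"}
{"EventID": 7, "ProcessId": 7712, "Image": "C:\\Users\\ana\\AppData\\Local\\Temp\\explorer.exe", "ImageLoaded": "C:\\Windows\\System32\\UIAutomationCore.dll"}
{"EventID": 7, "ProcessId": 5500, "Image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "ImageLoaded": "C:\\Windows\\System32\\UIAutomationCore.dll"}
{"EventID": 17, "ProcessId": 5500, "Image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "PipeName": "\\mojo.5500.1234"}
"""


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path; ntpath handles backslashes on any OS."""
    return ntpath.basename(path).lower()


def hunt_uia_abuse(json_lines):
    """Return alerts for processes whose UIA activity falls outside BASELINE.

    Each alert is a dict with pid, image, reason, the UIA pipes seen for that pid,
    and a severity that is 'high' when DLL load and pipe activity coincide.
    """
    dll_loaders = {}                 # pid -> image path that loaded UIAutomationCore.dll
    pipe_users = defaultdict(list)   # pid -> UIA pipe names it created or connected to

    for line in json_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        pid = ev["ProcessId"]
        if ev["EventID"] == 7 and _basename(ev["ImageLoaded"]) == UIA_DLL:
            dll_loaders[pid] = ev["Image"]
        elif ev["EventID"] in (17, 18) and UIA_PIPE_RE.match(ev.get("PipeName", "")):
            pipe_users[pid].append(ev["PipeName"])

    alerts = []
    for pid, image in dll_loaders.items():
        expected_dir = BASELINE.get(_basename(image))
        if expected_dir is None:
            reason = "unbaselined process loaded UIAutomationCore.dll"
        elif not image.lower().startswith(expected_dir):
            reason = "baselined name running from unexpected path loaded UIAutomationCore.dll"
        else:
            continue  # known consumer from its expected location: normal UIA use
        alerts.append({
            "pid": pid,
            "image": image,
            "reason": reason,
            "uia_pipes": pipe_users.get(pid, []),
            "severity": "high" if pid in pipe_users else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in hunt_uia_abuse(SAMPLE_EVENTS.splitlines()):
        print(f"[{alert['severity']}] pid={alert['pid']} {alert['image']}: {alert['reason']}")
```

Run against the constructed events, the script reports the AppData Update.exe as high severity (DLL load plus UIA pipe) and the Temp explorer.exe as medium, while the real shell and Edge are ignored because the baseline checks both the executable name and its path; a name-only allowlist would have let the masquerading explorer.exe through.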

In this episode, we also look at Cryptika's role as a leading cybersecurity provider in the Middle East. From penetration testing and DFIR to GRC consulting and threat hunting, Cryptika equips organizations with the tools to detect and prevent threats like Coyote before they cause damage.

Coyote is a sign of a future in which even accessibility features are turned against users, highlighting the need for proactive monitoring, layered defenses, and detection focused on the abuse of legitimate system components.

#CoyoteMalware #MicrosoftUIAutomation #UIAExploit #BankingTrojan #CredentialTheft #WindowsAccessibilityAbuse #NimMalware #CyberThreat #BrazilianTrojan #CryptocurrencySecurity #Cybersecurity #EDREvasion #NamedPipes #UIAutomationCore #InfoStealer #C2Infrastructure #BankingMalware #Phishing #CommandAndControl #AdvancedThreats #Cryptika #CyberDefense #ThreatDetection #DFIR #GRC #RedTeaming #InfosecPodcast

Topics

Coyote malware, Microsoft UI Automation, UIAutomationCore.dll, banking trojan, Brazilian banking malware, credential theft, phishing, keylogging, Windows accessibility, Squirrel installer, Nim language malware, C2 infrastructure, UIA_PIPE named pipes, EDR evasion, malware persistence, address bar spoofing, financial trojan, Cryptika, threat detection, cyber hygiene, offensive security, penetration testing, red-teaming, cybersecurity, DFIR, GRC, managed security services, banking cyber threats, crypto malware, accessibility abuse, malware propagation, Windows COM objects