Coyote Malware Targets Windows Input Framework Using UI Automation for Credential Theft
July 29th, 2025
High

Our Cyber Threat Intelligence Unit has identified an active malware campaign involving a new threat called “Coyote,” targeting Windows systems. Coyote is the first observed malware in the wild to abuse Microsoft UI Automation (UIA), a framework designed for accessibility, to extract sensitive data from graphical user interfaces. The malware is distributed through malicious MSI installers disguised as legitimate software. Using the Squirrel Installer framework to load a malicious DLL, it executes a trusted binary (Update.exe). Once active, Coyote uses Microsoft UI Automation APIs to extract sensitive information, including login credentials, from browser windows and other UI elements.
Technical Details
Attack Type: Malware Campaign (Credential Theft & Reconnaissance).
Severity: High.
Delivery Method: Malicious MSI installers.
Technique: Squirrel Installer abuse, DLL sideloading (appR.dll via Update.exe).
Malware Name: Coyote.
The MSI installer is disguised as a legitimate application (e.g., “QuickPrinter”) and uses Squirrel, a legitimate Windows installer and updater framework, to install it. During installation, it drops a malicious DLL (appR.dll) into the application directory, where it is sideloaded by Update.exe, a legitimate binary included in the Squirrel framework. The malware then conducts system reconnaissance, credential harvesting, and data exfiltration, and communicates with attacker-controlled infrastructure for command and control (C2).

Impact
Harvesting of credentials from browsers and system stores.
Unauthorized access to sensitive applications and accounts.
Potential long-term persistence via abuse of trusted installer mechanisms.
Exposure of data from targeted sectors, including finance and crypto.
Abuse of legitimate frameworks (e.g., Squirrel, UIA) to bypass security controls.
Detection Method
Monitor for unusual MSI executions, especially those using Squirrel installers.
Detect DLL sideloading patterns in Squirrel-related directories.
Alert on non-standard processes invoking UIAutomationCore.dll.
Review for anomalous C2 traffic patterns from newly installed apps.
Use behavioral EDR rules to flag suspicious installer or UI scraping activity.
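As an added example that is not part of this advisory, the script below applies two of the detection points above (DLL sideloading under a Squirrel install tree, and UIAutomationCore.dll loaded by a non-standard process) to constructed records shaped like Sysmon Event ID 7 image-load events. The key=value record layout, the sample paths and both allowlists are assumptions to be tuned to your own telemetry.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events shaped like Sysmon Event ID 7 (Image Load); not campaign telemetry.
SAMPLE_EVENTS = """\
EventID=7 Image=C:\\Windows\\explorer.exe ImageLoaded=C:\\Windows\\System32\\UIAutomationCore.dll Signed=true
EventID=7 Image=C:\\Users\\u\\AppData\\Local\\QuickPrinter\\Update.exe ImageLoaded=C:\\Users\\u\\AppData\\Local\\QuickPrinter\\app-1.0.0\\appR.dll Signed=false
EventID=7 Image=C:\\Users\\u\\AppData\\Local\\QuickPrinter\\Update.exe ImageLoaded=C:\\Windows\\System32\\UIAutomationCore.dll Signed=true
EventID=7 Image=C:\\Windows\\System32\\Narrator.exe ImageLoaded=C:\\Windows\\System32\\UIAutomationCore.dll Signed=true
"""

# Processes that legitimately load the UIA client library (assumption: tune per environment).
UIA_ALLOWLIST = {"explorer.exe", "narrator.exe", "magnify.exe", "msedge.exe", "chrome.exe"}
# DLLs Squirrel's Update.exe is expected to load from its own install tree (assumption).
SQUIRREL_KNOWN_DLLS = {"squirrel.dll", "nuget.squirrel.dll"}

FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

def parse_event(line):
    """Turn one key=value record into a dict; path values may contain spaces."""
    return dict(FIELD_RE.findall(line.strip()))

def classify(ev):
    """Return the alert names raised by a single image-load event."""
    alerts = []
    proc = PureWindowsPath(ev["Image"])
    dll = PureWindowsPath(ev["ImageLoaded"])
    # Rule 1: UIAutomationCore.dll loaded by a process outside the accessibility/browser allowlist.
    if dll.name.lower() == "uiautomationcore.dll" and proc.name.lower() not in UIA_ALLOWLIST:
        alerts.append("uia-nonstandard-process")
    # Rule 2: Squirrel's Update.exe loading an unsigned, unexpected DLL from its own install tree.
    if proc.name.lower() == "update.exe" and ev.get("Signed", "").lower() != "true":
        app_root = proc.parent
        if dll.name.lower() not in SQUIRREL_KNOWN_DLLS and dll.is_relative_to(app_root):
            alerts.append("squirrel-dll-sideload")
    return alerts

def scan(text):
    """Map each flagged process image to the alerts it raised across all events."""
    findings = {}
    for line in filter(str.strip, text.splitlines()):
        ev = parse_event(line)
        for name in classify(ev):
            findings.setdefault(ev["Image"], []).append(name)
    return findings

if __name__ == "__main__":
    for image, alerts in scan(SAMPLE_EVENTS).items():
        print(f"{image}: {', '.join(alerts)}")
```

Only the Squirrel Update.exe instance is flagged, once for sideloading appR.dll and once for loading UIAutomationCore.dll outside the allowlist; explorer.exe and Narrator.exe produce no alerts.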
Indicators of Compromise
There are no Indicators of Compromise (IOCs) for this Advisory.

Recommendations
Restrict software installations to vetted sources using application allowlisting.
Audit and monitor use of accessibility frameworks (UIA) by non-accessibility processes.
Segment networks to reduce lateral movement from compromised endpoints.
Harden Squirrel-based applications by validating loaded DLLs.
Enable MFA across high-value accounts to reduce the impact of credential compromise.
Conduct user education on risks of executing unknown installers.
Conclusion
The Coyote malware campaign demonstrates how threat actors are adapting their tactics to exploit trust in legitimate software frameworks. By using tools like the Squirrel Installer, Coyote bypasses traditional security measures and delivers malicious payloads in a subtle, modular way. To defend against such abuse, we urge organizations to adopt a zero-trust approach to software installations, especially those from external or unverified sources. Proactive monitoring, behavioral detection, and strict application control policies are essential to identify and counter these emerging threats.