Cybersecurity researchers at Kaspersky have uncovered a sophisticated malware framework known as OkoBot that has been targeting Windows systems since April 2025, with one of its key modules specifically designed to steal cryptocurrency wallet recovery phrases. According to a technical analysis published by Kaspersky’s Global Research and Analysis Team (GReAT), the malware injects malicious phishing pages directly into legitimate desktop applications used by Ledger and Trezor hardware wallets, making the fake prompts appear as though they originate from the authentic software. Researchers reported that the campaign has affected hundreds of users across more than 25 countries, with the highest number of detected victims located in Brazil, Vietnam, Canada, Mexico, and Türkiye. While Kaspersky confirmed widespread infections, it did not disclose how many users actually entered their recovery phrases. The researchers also noted that OkoBot remains active, with the latest observations included in a report released on July 15, 2026.
One of the most concerning components of the framework is a module called SeedHunter, which monitors infected systems for applications including Trezor Suite, Ledger Wallet, and Ledger Live. Once detected, the malware injects itself into the Electron based applications and communicates with its command and control server at moonsand[.]store. If instructed through a server side “Wait” flag, SeedHunter silently scans connected USB devices by vendor and product identification numbers and waits until a genuine Ledger or Trezor hardware wallet is plugged into the computer. It then displays a hard coded recovery phrase page that closely resembles the wallet software interface. If the flag is disabled, the phishing page appears immediately after the malware detects the application. Any recovery phrase entered by the victim is intercepted through the application’s modified logging functions, packaged into JSON format, and stored in an RC4 encrypted temporary file before being transmitted to the attackers. Kaspersky emphasized that the hardware wallets themselves remain secure because they never reveal private keys. Instead, the attackers manipulate the trusted desktop software environment to convince victims to voluntarily disclose their recovery phrases. Researchers also noted similarities with previous campaigns involving cloned Ledger Live applications on macOS and GlassWorm attacks on Windows, but said SeedHunter differs by injecting phishing pages directly inside the legitimate application instead of replacing or closing it.
Kaspersky identified two primary infection methods used by the attackers. One relies on ClickFix lures, while the other distributes trojanized software through GitHub repositories. In one case analyzed by the researchers, a repository advertised Microsoft SQL Server Management Studio but actually delivered a modified version of the Audacity audio editor containing a malicious library. The repository remained active from late March until June 2025. Both infection methods deploy a PowerShell downloader called TookPS, previously observed in campaigns involving fake DeepSeek websites and fraudulent business software download portals. TookPS installs an SSH service, establishes communication with an attacker controlled server, forwards the local SSH port, and allows an automated bot to reconnect through the tunnel. Once access is established, attackers collect browser profiles, wallet files, credentials, cookies, and system information, while also disabling Windows Defender notifications through registry modifications. The malware further enables remote desktop access by modifying firewall rules, adding accounts to the Remote Desktop Users group, replacing the Windows termsrv.dll file to allow concurrent Remote Desktop Protocol sessions, and creating a scheduled task named Apple Sync that rebuilds a reverse SSH tunnel every hour. Additional payloads are delivered through SFTP using a VMProtect packed launcher known as HDUtil, which silently elevates privileges through a Windows RPC User Account Control bypass previously documented by Google Project Zero. The final stage delivers Volume2, an open source utility carrying a malicious protobuf.dll that decrypts and launches a plugin dispatcher. Kaspersky recovered five plugins, including a process injector responsible for deploying SeedHunter onto compromised systems.
Beyond cryptocurrency theft, OkoBot also includes extensive surveillance capabilities. Its OkoSpyware component monitors more than 100 applications, including Exodus and 1Password, records matching application windows as MP4 videos using a bundled FFmpeg package, captures keystrokes, monitors clipboard activity and USB devices, and automatically takes screenshots every five minutes. Browser titles are scanned using regular expressions to identify cryptocurrency related tabs such as MetaMask and Tonkeeper, while hidden Chromium extensions with full permissions are installed, including the Rilide browser stealer previously associated with Russian speaking cybercriminal groups. Although Kaspersky stated it could not confidently attribute the campaign to a known threat actor, researchers observed that the initial PowerShell infrastructure returned empty responses to Russian and CIS IP addresses, while the phishing pages contained comments written in Russian. Kaspersky treated these as indicators rather than definitive attribution. The report also highlighted several indicators of compromise that organizations can use to identify infections, including the Apple Sync scheduled task, modified termsrv.dll files, suspicious outbound SSH traffic, unexpected accounts in the Remote Desktop Users group, hidden browser extensions, and files such as %PROGRAMDATA%\hwid.dat, %PROGRAMDATA%\HDVideo\HDUtil.exe, and %USERPROFILE%.ssh\go.bat. Ledger reiterated that users should never enter their recovery phrase anywhere except on their Ledger device, while Trezor reminded customers that Trezor Suite will never request a backup phrase unless the hardware wallet itself initiates the recovery process. Kaspersky also observed that a March 2026 update streamlined the malware by replacing its previous HDUtil, extl, and Rilide delivery chain with a unified dispatcher plugin, indicating that the operators continue to actively maintain and refine the malware framework.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.