- OkoBot steals crypto seed phrases, wallet credentials, and browser data using more than 20 malicious modules.
- The malware spreads through ClickFix attacks and fake GitHub software, targeting users in over 25 countries.
- SeedHunter replaces wallet recovery screens with phishing pages to steal Ledger and Trezor seed phrases.
A newly discovered malware framework called OkoBot is targeting cryptocurrency users. According to cybersecurity firm Kaspersky, it can steal seed phrases, wallet credentials, browser data, and other sensitive information through more than 20 malicious modules.
The campaign has been active for more than a year. It spreads through social engineering attacks and fake software downloads. Researchers said it has already targeted hundreds of users across more than 25 countries. Brazil, Vietnam, Canada, Mexico, and Türkiye have reported the highest number of victims.
Fake Software and ClickFix Attacks Spread OkoBot
According to Kaspersky’s Global Research and Analysis Team (GReAT), OkoBot primarily spreads through ClickFix attacks. This social engineering technique tricks users into manually running malicious commands. The malware also spreads through fake GitHub repositories that impersonate legitimate software.
In one case, researchers found a fake installer posing as Microsoft’s SQL Server Management Studio (SSMS). Instead of installing SSMS, it delivered a trojanized version of the Audacity audio editor.
After execution, the malware runs a PowerShell script called TookPS. The script installs an SSH bot that collects system information, including usernames, antivirus details, operating system information, IP addresses, and cryptocurrency wallet data. It also disables Windows Defender notifications and steals browser cookies and login credentials.
SeedHunter Steals Recovery Phrases From Hardware Wallet Users
One of OkoBot’s most dangerous modules is SeedHunter, which targets hardware wallet software.
The malware injects malicious code into Trezor Suite, Ledger Wallet, and Ledger Live. It replaces legitimate recovery screens with fake phishing pages designed for each wallet. Users trying to recover their wallets are prompted to enter their seed phrases, unknowingly giving attackers full access to their crypto assets.
Kaspersky warned that once a seed phrase is stolen, attackers can quickly move funds to wallets they control. Recovering the stolen cryptocurrency is usually impossible.
Spyware Monitors Wallets and Browser Activity
Researchers identified several other modules used in the campaign.
The OkoSpyware module records keystrokes and captures video of cryptocurrency wallet windows using FFmpeg. Another component, MC Keylogger, collects keystrokes, clipboard contents, screenshots, USB connection activity, copied images, and file paths.
Another module, known as ext daemon, targets Chromium-based browsers. It injects malicious code to silently install the Rilide browser extension. This allows attackers to steal browser credentials, cookies, financial information, and cryptocurrency-related data.
Campaign Still Active, Developers Are Main Targets
Kaspersky said technical evidence suggests the campaign has been active since at least mid-2025. Researchers believe it remains under active development, indicating the malware continues to evolve.
The researchers could not confidently link the attacks to a known cybercriminal group. However, some techniques and code artifacts resemble those used by Russian-speaking threat actors. At the same time, access to servers hosting the malware’s initial PowerShell scripts is blocked for IP addresses from Russia and Commonwealth of Independent States (CIS) countries.
“The OkoBot campaign has been active for more than a year and remained ongoing as of July 2026,” said Dmitry Galov, Head of the Russia and CIS unit at Kaspersky GReAT.
Galov added that developers appear to be among the primary targets. The attackers rely heavily on fake GitHub repositories and fraudulent software downloads to distribute the malware.
Kaspersky urged users to download software only from trusted sources and avoid running code from unverified repositories. The company also recommends keeping security software enabled, storing seed phrases in dedicated password managers instead of notes or photo galleries, and enabling multi-factor authentication wherever possible.
Related: SlowMist Warns macOS Malware Can Hijack Telegram and Replace Crypto Wallet Apps
Disclaimer: The information presented in this article is for informational and educational purposes only. The article does not constitute financial advice or advice of any kind. Coin Edition is not responsible for any losses incurred as a result of the utilization of content, products, or services mentioned. Readers are advised to exercise caution before taking any action related to the company.