OkoBot malware steals cryptographic seed phrases in over 25 nations, Kaspersky warns

  • OkoBot makes use of over 20 malicious modules to steal cryptographic seed phrases, pockets credentials, and browser information.
  • The malware spreads via ClickFix assaults and faux GitHub software program, focusing on customers in over 25 nations.
  • SeedHunter replaces the pockets restoration display with a phishing web page to steal Ledger and Trezor seed phrases.

A newly found malware framework referred to as OkoBot targets cryptocurrency customers. In accordance with cybersecurity agency Kaspersky, it could possibly steal seed phrases, pockets credentials, browser information, and different delicate info via greater than 20 malicious modules.

This marketing campaign has been working for over a 12 months. Unfold via social engineering assaults and faux software program downloads. Researchers stated they’ve already focused tons of of customers in additional than 25 nations. The best casualties have been reported in Brazil, Vietnam, Canada, Mexico, and Turkiye.

Faux software program and ClickFix assaults unfold OkoBot

In accordance with Kaspersky Lab’s International Analysis and Evaluation Crew (GReAT), OkoBot primarily spreads via ClickFix assaults. This social engineering method tips customers into manually executing malicious instructions. The malware additionally spreads via pretend GitHub repositories that masquerade as reliable software program.

In a single case, researchers found a pretend installer masquerading as Microsoft’s SQL Server Administration Studio (SSMS). As an alternative of putting in SSMS, a trojanized model of the Audacity audio editor was delivered.

After execution, the malware runs a PowerShell script referred to as TookPS. This script installs an SSH bot that collects system info resembling username, antivirus particulars, working system info, IP tackle, and cryptocurrency pockets information. It additionally disables Home windows Defender notifications and steals browser cookies and login credentials.

SeedHunter steals restoration phrases from {hardware} pockets customers

One in all OkoBot’s most harmful modules is SeedHunter, which targets {hardware} pockets software program.

This malware injects malicious code into Trezor Suite, Ledger Pockets, and Ledger Dwell. Replaces the reliable restoration display with a pretend phishing web page designed for every pockets. Customers trying to recuperate their wallets are requested to enter a seed phrase, unknowingly giving attackers full entry to their crypto property.

Kaspersky warned that after a seed phrase is stolen, an attacker can rapidly transfer funds to wallets they management. It’s often inconceivable to recuperate stolen cryptocurrencies.

Adware screens pockets and browser exercise

Researchers recognized a number of different modules used within the marketing campaign.

The OkoSpyware module information keystrokes and captures video of cryptocurrency pockets home windows utilizing FFmpeg. One other element, MC Keylogger, collects keystrokes, clipboard contents, screenshots, USB connection exercise, copied pictures, and file paths.

One other module generally known as the ext daemon targets Chromium-based browsers. Injects malicious code to silently set up the Rilide browser extension. This enables attackers to steal browser credentials, cookies, monetary info, and cryptocurrency-related information.

The marketing campaign remains to be ongoing, with builders being the primary targets.

Kaspersky stated it has technical proof that the marketing campaign has been lively since at the least mid-2025. Researchers imagine this malware remains to be below lively growth, indicating that it continues to evolve.

Researchers have been unable to confidently hyperlink this assault to any recognized cybercrime group. Nevertheless, some strategies and code artifacts are just like these utilized by Russian-speaking attackers. On the similar time, entry to the server internet hosting the malware’s preliminary PowerShell script is blocked for IP addresses in Russia and Commonwealth of Impartial States (CIS) nations.

“The OkoBot marketing campaign has been lively for greater than a 12 months and remains to be ongoing as of July 2026,” stated Dmitry Galov, Head of Russia and CIS Unit at Kaspersky GReAT.

Galov added that builders appear to be the primary goal. Attackers rely closely on pretend GitHub repositories and malicious software program downloads to distribute malware.

Kaspersky urged customers to solely obtain software program from trusted sources and keep away from working code from unverified repositories. The corporate additionally recommends enabling safety software program, storing seed phrases in a devoted password supervisor somewhat than notes or photograph gallery, and enabling multi-factor authentication every time attainable.

Associated: SlowMist warns macOS malware might hijack Telegram and exchange cryptocurrency pockets app

Disclaimer: The knowledge contained on this article is for informational and academic functions solely. This text doesn’t represent monetary recommendation or recommendation of any form. Coin Version shouldn’t be accountable for any losses incurred on account of the usage of the content material, merchandise, or companies talked about. We encourage our readers to conduct due diligence earlier than taking any motion associated to our firm.