A newly documented malware framework dubbed OkoBot is targeting cryptocurrency users with a multi-stage intrusion chain designed to capture Ledger and Trezor recovery phrases, browser credentials, wallet files, keystrokes, screenshots, and application video recordings.
Researchers first observed the activity in January 2026, although the campaign’s TookPS downloader component has been active since March 2025.
The latest framework expands that activity into a modular platform containing more than 202020 payloads and implants, allowing operators to deploy capabilities through an attacker-controlled SSH infrastructure remotely.
The initial compromise occurs through ClickFix social-engineering attacks and trojanized applications hosted on GitHub. In one observed case, attackers created a fake Microsoft SQL Server Management Studio repository that ranked prominently in search results.
The supposed SSMS download was actually a legitimate Audacity application repackaged with a malicious library implant, giving the file an appearance of legitimacy while executing TookPS.
Once launched, TookPS installs an SSH service, establishes a tunnel to attacker infrastructure, and forwards the local SSH daemon port.
An automated bot then connects through the tunnel, inventories the system, identifies installed security software, collects browser profiles, cookies, credentials, and cryptocurrency wallet files, and prepares the device for deeper compromise.
The threat actors also enable remote graphical access by opening inbound RDP firewall rules, creating a user in the Remote Desktop Users group, patching termsrv.dll to permit concurrent sessions, and creating a scheduled task named Apple Sync to maintain a reverse SSH tunnel for RDP traffic.
This gives operators persistent, interactive access while reducing reliance on traditional command-and-control channels.
OkoBot Malware Uses ClickFix
A central component of the original OkoBot chain is HDUtil. This VMProtect-protected launcher deploys further payloads and can bypass User Account Control through Windows RPC and the auto-elevated msconfig.exe binary.
Kaspersky said in a report shared with GBhackers, linked OkoBot to an evolving TookPS operation, first associated with malicious PowerShell scripts that delivered infostealers and established SSH tunnels on compromised Windows systems.

The launcher supports execution, process enumeration, graphics-adapter discovery, file copying, and optional elevated execution under a local administrator account.
OkoBot previously injected a browser-extension loader into Chromium-based browsers. The loader installs malicious .crx extensions, grants their requested permissions, and suppresses browser UI elements that would otherwise expose them to victims.
Kaspersky observed the framework deploying Rilide, a cryptocurrency-focused browser stealer known for harvesting credentials, cookies, and financial data.
The most concerning implant, SeedHunter, targets the Electron-based Ledger Live, Ledger Wallet, and Trezor Suite applications. It injects into the wallet processes and hooks internal Electron functions to present fake recovery pages.
Depending on a command-and-control response from moonsand[.]store, the phishing prompt either appears immediately or waits until the malware detects a connected Ledger or Trezor USB device through vendor and product identifiers.
A JSON payload containing the Wait flag. If this flag is set to true, the malware initiates periodic USB device scans filtered by VID and PID (Vendor and Product ID).

When a victim enters a seed phrase, SeedHunter validates it and exfiltrates it in a JSON payload containing wallet type, device information, hardware identifiers, and the recovered phrase.
The malware also stores an RC4-encrypted local copy in the temporary directory as sh_
Other OkoBot plugins include MC Keylogger, which logs clipboard contents, USB devices, and screenshots, and OkoSpyware, which records keystrokes and MP4 video streams from wallet applications, password managers, and selected browser wallet-extension windows.
Collected artifacts are sent to an ir-post.php endpoint before local files and PowerShell history are removed.
Kaspersky detected hundreds of victims across more than 252525 countries, with Brazil, Vietnam, Canada, Mexico, and Türkiye accounting for the largest share.
The researchers said the operation cannot yet be conclusively attributed, but Russian-language comments in SeedHunter phishing templates, Rilide usage, and CIS geoblocking point to possible links with Russian-speaking cybercrime ecosystems.
Organizations and crypto users should treat unexpected wallet recovery prompts as malicious, since legitimate Ledger and Trezor software does not request a seed phrase through a desktop pop-up.
Users should also avoid copied terminal commands from ClickFix pages, verify software downloads through official vendor channels, and review Windows endpoints for unauthorized SSH services, modified termsrv.dll, reverse tunnels, and the Apple Sync scheduled task.
Stop Accepting SLAs Written for 2019 SOCs – Here’s the 2026 AI SLA Vendor Checklist – Download Free AI SOC SLA Guide

