Copy
Trading Bots
Events
More

OkoBot malware steals crypto wallet seed phrases via app injection

2026/07/15 23:30Browse 0

A new malware framework called OkoBot has been targeting cryptocurrency hardware wallet users since April 2025, with a dedicated module named SeedHunter that injects fake recovery phrase pages into legitimate Ledger and Trezor desktop applications. According to a report published Wednesday by Kaspersky's GReAT team, the malware has infected hundreds of victims across more than 25 countries, with the largest concentrations in Brazil, Vietnam, Canada, Mexico, and Türkiye. The framework remains active as of the report's July 15 cutoff.

How SeedHunter works

SeedHunter operates by hooking into the Electron internals of Trezor Suite, Ledger Wallet, or Ledger Live after OkoBot infects a Windows machine. It communicates with a command-and-control server at moonsand[.]store and can be configured to wait for a physical device to be plugged in before displaying the phishing page. When the "Wait" flag is set, SeedHunter monitors USB connections by vendor and product ID, only drawing the fake recovery page after detecting a real Ledger or Trezor. Without the flag, the page appears immediately. The typed seed phrase is captured via a hooked console logging function and exfiltrated as JSON, with an RC4-encrypted copy saved to a temporary file.

Kaspersky notes that the hardware wallet itself remains uncompromised — it refuses to disclose the private key — but the companion software can be tricked into asking the user for the phrase. While similar techniques have been seen before, including macOS stealers that swap out Ledger Live and Windows malware like GlassWorm that kills the real app and opens a fake window, SeedHunter is novel because it leaves the legitimate application running and draws the phishing page inside it.

Infection vectors and full attack chain

OkoBot spreads through two primary methods: a ClickFix lure and trojanized software hosted on GitHub. One repository that remained live from late March to June 2025 advertised SQL Server Management Studio but actually shipped a modified version of the audio editor Audacity with a malicious implant inside one of its libraries. Both paths lead to TookPS, a PowerShell downloader first observed in March 2025 riding fake DeepSeek pages and business-software download sites.

TookPS installs an SSH server, forwards the local SSH daemon port to an attacker-controlled server, and waits for an automated SSH bot to connect through the tunnel. The bot inventories the system, including installed antivirus, and exfiltrates wallet files, cookies, browser profiles, and credentials. It then silences Windows Defender notifications, opens the firewall for inbound RDP, adds an account to the Remote Desktop Users group, replaces termsrv.dll with a patched version allowing concurrent RDP sessions, and registers a scheduled task named "Apple Sync" that rebuilds the reverse SSH tunnel every hour.

Subsequent modules arrive over SFTP. A VMProtect-packed launcher called HDUtil executes them and can elevate privileges silently using a Windows RPC UAC bypass documented by Project Zero in 2019. The final payload is delivered via Volume2, an open-source utility carrying a malicious protobuf.dll that decrypts and starts a plugin dispatcher polling its C2 every 20 seconds. One of the five plugins recovered by Kaspersky is a process injector that places SeedHunter into the target wallet app.

Surveillance capabilities and attribution

Beyond seed phrase theft, OkoBot includes extensive surveillance features. The OkoSpyware component monitors for over 100 executables, including Exodus and 1Password, records matching windows to MP4 using a bundled FFmpeg, and logs keystrokes. Browser titles are regex-matched to capture tabs from MetaMask or Tonkeeper. A keylogger covers input, clipboard, and USB devices, taking screenshots every five minutes. A loader installs hidden Chromium extensions with full permissions, specifically deploying Rilide, a Chromium stealer used by Russian-speaking threat actors since April 2023.

Kaspersky declined to attribute the campaign to any known crimeware actor. The first-stage PowerShell servers return empty responses to Russian and CIS IPs, and Rilide circulates on invitation-only Russian-speaking forums. The SeedHunter phishing pages contain Russian comments, but the report treats these as soft signals. Notably, the malware has already evolved: a newer version seen in March 2026 consolidates the HDUtil-to-extl-to-Rilide chain into a single dispatcher plugin, and Volume2 now arrives directly from TookPS, suggesting active development rather than abandonment.

Detection and mitigation

There is no vulnerability in the hardware wallets themselves, and no vendor patch can close this attack vector — it relies on endpoint compromise. Kaspersky recommends hunting for indicators including a scheduled task named "Apple Sync," files at %PROGRAMDATA%\hwid.dat and %PROGRAMDATA%\HDVideo\HDUtil.exe, a modified termsrv.dll, unauthorized accounts in Remote Desktop Users, outbound SSH from user endpoints, and hidden Chromium extensions. Ledger and Trezor both state that legitimate software never asks users to type their recovery phrase outside of specific device-initiated flows; a recovery page that appears solely because a device was plugged in, with no corresponding prompt on the device screen, is a clear red flag.

Disclaimer: This page may contain third-party information and does not necessarily reflect BYDFi's views or opinions. This content is for general reference only and does not constitute any representation, warranty, financial advice, or investment advice. BYDFi is not responsible for any errors, omissions, or any results arising from the use of such information. Virtual asset investments involve risks. Please carefully evaluate the risks of the product and your risk tolerance based on your financial situation. For more information, please refer to our Terms of Use and Risk Disclosure.