1) The fact A new malicious framework called OkoBot is delivering over 20 payloads in attacks focused on stealing cryptocurrency wallet seed phrases, credentials, and other sensitive data. Identified by Kaspersky, OkoBot reaches victims via ClickFix attacks or malicious GitHub repositories pretending to host legitimate software tools. In one case, a repository claimed to offer SQL Server Management Studio (SSMS) but actually dropped a trojanized version of the Audacity audio editing tool instead.
2) Context The OkoBot campaign has been active for over a year, evolving from earlier TookPS PowerShell script activities with a completely revamped infection chain. The SSH bot collects system information (username, antivirus software, IP address, OS version), disables Windows Defender notifications, and harvests cryptocurrency wallet files, browser cookies, and account credentials. Among the 20 modules, the most notable include: ext daemon (injects malicious Chrome extensions like Rilide targeting credentials and financial data), SeedHunter (injects into Trezor Suite and Ledger Live to display fake seed-recovery screens designed to steal wallet recovery phrases), MC Keylogger (records keystrokes and clipboard activity every 5 minutes, monitors USB connections, and takes screenshots), and OkoSpyware (monitors 100 programs including wallets and password managers, recording video via FFmpeg). Most victims are in Brazil, followed by Vietnam, Canada, Mexico, and Turkey.
3) Analysis OkoBot represents an unprecedented professionalization of crypto-focused cybercrime. The combination of social engineering (ClickFix + fake GitHub repos), multi-stage infection chains, and 20 specialized modules creates a resilient attack ecosystem that is difficult to combat with traditional signature-based defenses. The SeedHunter module is particularly dangerous: wallet recovery seed phrases grant full access to cryptocurrency assets with no possibility of reversal or fund recovery — once stolen, the funds are gone forever. The geographic focus on Brazil as the primary target suggests language-specific targeting or exploitation of particular vulnerabilities in the Brazilian cryptocurrency market. The geoblocking of Russian and CIS IPs at command servers indicates likely post-Soviet origin, corroborated by Russian-language comments in SeedHunter's source code and the promotion of the infostealer on invitation-only Russian cybercrime forums.
4) What to watch • Trezor and Ledger users are direct targets — be suspicious of unsolicited seed recovery screens appearing within wallet software. • Developers should verify GitHub repository authenticity before downloading any tools or utilities. • The TookPS-to-OkoBot evolution shows older campaigns are constantly re-engineered and can remain active for years. • Brazil as the primary target suggests localized phishing campaigns in Portuguese — Brazilian crypto users should be especially vigilant.
Source: BleepingComputer