OkoBot: New Malicious Framework Steals Crypto Wallets and Data

Photo: BleepingComputer
Quick answer
OkoBot is a malicious framework distributing 20 payloads to steal cryptocurrency seed phrases, logins, cookies, and other sensitive information.
Kaspersky experts have uncovered the OkoBot malicious platform, which distributes over 20 modules to steal cryptocurrency wallets, login credentials, and other sensitive user data. Cybercriminals leverage ClickFix phishing attacks and fake GitHub repositories disguised as legitimate software. For example, one such repository offered an infected version of the Audacity audio editor masquerading as SQL Server Management Studio.
The OkoBot campaign, active since January 2025, evolved from the TookPS script attack. The malware now employs a multi-stage infection chain, beginning with an SSH bot that disables Windows Defender notifications, collects system data (username, antivirus, IP address, OS version), and steals cryptocurrency wallet files, browser cookies, and login credentials.
Among OkoBot's most dangerous modules are: ext daemon/extl.exe, which injects into Chrome to silently install extensions like Rilide (stealing logins, cookies, and financial data); SeedHunter, which replaces Trezor Suite and Ledger interfaces with fake seed phrase recovery screens; MC Keylogger, which records keystrokes, clipboard content, and takes screenshots every 5 minutes. Another notable module, OkoSpyware, monitors 100 applications, including crypto wallets and password managers, and records video from their windows.
According to Kaspersky, most OkoBot victims are in Brazil, Vietnam, Canada, Mexico, and Turkey, though the attacks are global in scope. The attackers' servers block requests from Russian and CIS IP addresses, and Russian-language comments found in the SeedHunter module, along with the use of an infostealer promoted on Russian-speaking forums, suggest possible involvement of Russian-speaking cybercriminals.
Common questions
- What is OkoBot?
- OkoBot is a malicious framework used to steal cryptocurrency wallets, login credentials, and other sensitive data. It spreads via phishing and fake GitHub repositories.
- How does OkoBot work?
- Attackers deploy malware through a multi-stage infection chain, starting with an SSH bot that disables Windows Defender alerts, collects system data, and steals cryptocurrency wallet files, browser cookies, and credentials. Subsequent modules target specific data, including seed phrases.
- Who are the primary victims of OkoBot?
- Most victims are located in Brazil, Vietnam, Canada, Mexico, and Turkey, though the campaign has global reach. Attackers' servers block requests from Russian and CIS IP addresses, and Russian-language comments in the SeedHunter module suggest possible involvement of Russian-speaking cybercriminals.
Dzen feed: /feed/dzen.xml · RSS: /feed.xml