2 min read

OkoBot pushes 20 malware modules for crypto theft

Kaspersky says OkoBot has run for more than a year, using over 20 payloads to steal seed phrases, credentials, cookies, and wallet data.

Image: BleepingComputer

A malicious framework called OkoBot is being used to deliver more than 20 payloads aimed at stealing cryptocurrency wallet seed phrases, credentials, cookies, and other sensitive data, according to Kaspersky.

The campaign reaches victims through ClickFix attacks and through malicious GitHub repositories masquerading as legitimate software. In one case cited by Kaspersky, a repository claimed to offer SQL Server Management Studio (SSMS) but instead dropped a trojanized version of Audacity.

Kaspersky says the operation has been active for more than a year and grew out of the activity that previously delivered the malicious PowerShell script TookPS. The infection chain has since been overhauled into a multi-stage attack, with TookPS now used in the opening phase to install and configure an SSH bot that fetches the rest of the malware.

The OkoBot infection chain

Source: Kaspersky

Recommended reading

One in six PCs still run Windows 10

That SSH bot also gathers system details including username, antivirus software, IP address, and OS version, while disabling Windows Defender notifications. It also steals cryptocurrency wallet files, browser cookies, and account credentials.

Among the most notable OkoBot modules are:

  • ext daemon/extl.exe: injects into Chrome to silently install and hide malicious extensions such as Rilide, which targets credentials, cookies, financial data, and cryptocurrency-related information.
  • SeedHunter: injects into Trezor Suite, Ledger Wallet, and Ledger Live to display a fake recovery screen designed to steal wallet seed phrases.
  • MC Keylogger: captures keystrokes and clipboard contents, including copied text, images, and file paths, and can monitor USB connections and take screenshots every 5 minutes.
  • OkoSpyware: monitors 100 programs including crypto wallets and password managers, and uses FFmpeg to record video of their windows while also logging keystrokes.
Malware prompts victims to enter their seed phrase
Malware prompts victims to enter their seed phrase

Malware prompts victims to enter their seed phrase

Source: Kaspersky

Kaspersky telemetry shows most victims are in Brazil, followed by Vietnam, Canada, Mexico, and Turkey, though the campaign is described as global. The company says OkoBot activity was first observed in January as an evolution of the TookPS campaign, which has been running since March 2025.

Kaspersky did not attribute the activity to a specific threat actor, but it noted several clues. Servers hosting the initial PowerShell scripts are geoblocked and return an empty response for IP addresses from Russia or the Commonwealth of Independent States (CIS). Researchers also found Russian comments in the source code of the SeedHunter module and observed the use of an infostealer promoted on invitation-only Russian cybercrime forums.

Kaspersky’s report includes indicators of compromise such as hashes for malicious plugins, injector payloads, SSH bot tools, file paths, domains, and IP addresses.

article image
article image
Sophia Reynolds

Security Editor

Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.

via BleepingComputer

// Keep reading