HomeCyber BalkansOkoBot Malware Exploits ClickFix and SeedHunter to Steal Seed Phrases from Ledger...

OkoBot Malware Exploits ClickFix and SeedHunter to Steal Seed Phrases from Ledger and Trezor Devices

Published on

spot_img

A newly identified malware framework known as OkoBot has emerged, specifically targeting cryptocurrency users through a sophisticated multi-stage intrusion chain. This malicious framework is engineered to capture sensitive information such as recovery phrases from popular cryptocurrency wallets like Ledger and Trezor, along with browser credentials, wallet files, screenshots, keystrokes, and application video recordings. Cybersecurity researchers have highlighted the potential severity of this threat in light of the increasing vulnerabilities in the cryptocurrency ecosystem.

The OkoBot campaign was first detected in January 2026, although its initial downloader component, referred to as TookPS, has been operational since March 2025. This advanced malware suite has evolved into a modular platform that boasts over 20,000 payloads and implants, enabling attackers to deploy various capabilities through a remote attacker-controlled SSH (Secure Shell) infrastructure.

The process of initial compromise typically involves ClickFix social-engineering attacks and the use of trojanized applications, which are often hosted on GitHub. In a notable example of this tactic, attackers managed to create a counterfeit repository of Microsoft SQL Server Management Studio (SSMS), which ranked prominently in search results, misleading potential victims. The download that users believed was the SSMS file was, in fact, a legitimate Audacity application that had been repackaged with a malicious library implant, ultimately executing TookPS upon installation.

Upon execution, the TookPS component installs an SSH service to establish a tunnel to the attacker’s infrastructure, subsequently forwarding the local SSH daemon port. Following this initial breach, an automated bot connects through the established tunnel, allowing it to inventory the compromised system. It identifies installed security software, collects browser profiles, cookies, credentials, and cryptocurrency wallet files, thereby setting the stage for further exploitation.

The actors behind this sophisticated framework go to great lengths to maintain persistent access to infected devices. They do this by enabling remote graphical access, which involves altering inbound RDP (Remote Desktop Protocol) firewall rules. This process includes creating a user in the Remote Desktop Users group, modifying the termsrv.dll file to permit concurrent sessions, and establishing a scheduled task labeled “Apple Sync.” This task is critical as it ensures the continued functionality of a reverse SSH tunnel for managing RDP traffic, thereby reducing dependence on traditional command-and-control channels.

A significant element associated with the original OkoBot chain is HDUtil, a launcher protected by VMProtect, which deploys additional payloads while also being capable of bypassing User Account Control mechanisms through Windows RPC and the auto-elevated msconfig.exe binary. Kaspersky, a well-regarded cybersecurity firm, has linked OkoBot’s activities to an evolving TookPS operation, originally tied to malicious PowerShell scripts that facilitated infostealing and established SSH tunnels on compromised Windows systems.

Additionally, OkoBot has been known to inject a browser-extension loader into Chromium-based browsers. This malicious loader installs harmful .crx extensions, granting their requested permissions while suppressing UI elements that might reveal their malicious nature to unsuspecting victims. Kaspersky has also identified that the framework deploys Rilide, a browser stealer explicitly targeting cryptocurrency users, adept at harvesting credentials, cookies, and other financial information.

One of the most alarming components included in the OkoBot framework is an implant called SeedHunter. This particular malware targets Electron-based applications such as Ledger Live and Trezor Suite. It injects code into the wallet processes and hooks internal functions, making it capable of presenting fraudulent recovery pages. Depending on a command-and-control response from a specified endpoint, SeedHunter may display a phishing prompt immediately or wait until it detects a connected Ledger or Trezor USB device by its vendor and product identifiers.

Upon capture of a legitimate seed phrase entered by an unsuspecting victim, SeedHunter validates this information and exfiltrates the data encapsulated in a JSON payload, which contains crucial details such as wallet type, device information, and the hardware identifiers alongside the seed phrase itself. Furthermore, the malware retains an RC4-encrypted local copy in the temporary directory, using a unique victim hardware identification number as the encryption key.

OkoBot’s arsenal includes additional plugins such as MC Keylogger, which records clipboard contents, USB device connections, and takes screenshots. Another plugin, OkoSpyware, is designed to record keystrokes and MP4 video streams from wallet applications, password managers, and selected browser wallet-extension windows. The data collected is sent to a specified endpoint while local files and PowerShell history are purged to cover the malware’s tracks.

Kaspersky’s research indicates that this malware has affected hundreds of victims across 25 countries, with the most affected regions being Brazil, Vietnam, Canada, Mexico, and Türkiye. Although the operation’s attribution has not been conclusively established, indicators such as Russian-language comments in SeedHunter phishing templates and the use of Rilide suggest possible links to Russian-speaking cybercriminal networks.

In light of these developments, organizations and cryptocurrency users are urged to treat unexpected wallet recovery prompts with skepticism, as legitimate software from Ledger and Trezor does not request seed phrases through desktop pop-ups. Users are also advised to avoid executing any terminal commands copied from ClickFix pages, verify software downloads via official channels, and scrutinize Windows endpoints for unauthorized SSH services, modifications to termsrv.dll, reverse tunnels, and the Apple Sync scheduled task. Developing awareness and implementing these precautionary measures can help mitigate the risks associated with the OkoBot malware.

Source link

Latest articles

Why AI in Healthcare Requires Enhanced Data Oversight

Attorney Jordan Cohen of Akerman Addresses AI Challenges in Healthcare In a rapidly evolving landscape...

When 80,000 Fans Log On at Once: Unique Cybersecurity Issues of the 2026 World Cup

In light of the imminent 2026 World Cup, which will unfold across sixteen cities...

NPM Ecosystem Faces Two New Supply Chain Compromises

Malicious Code Discovered in npm Packages: A Growing Threat In a troubling development within the...

Eleven Vulnerable UEFI Shims Allow Secure Boot Bypass

Vulnerabilities in Microsoft-Signed UEFI Shims Pave the Way for Attacks Recent findings from cybersecurity research...

More like this

Why AI in Healthcare Requires Enhanced Data Oversight

Attorney Jordan Cohen of Akerman Addresses AI Challenges in Healthcare In a rapidly evolving landscape...

When 80,000 Fans Log On at Once: Unique Cybersecurity Issues of the 2026 World Cup

In light of the imminent 2026 World Cup, which will unfold across sixteen cities...

NPM Ecosystem Faces Two New Supply Chain Compromises

Malicious Code Discovered in npm Packages: A Growing Threat In a troubling development within the...