New OkoBot Framework Deploys 20 Payloads to Steal Data, Crypto

▼ Summary
– OkoBot is a malicious framework delivering over 20 payloads to steal cryptocurrency wallet seed phrases, credentials, and other sensitive data.
– It spreads through ClickFix attacks and fake GitHub repositories, such as one offering SQL Server Management Studio but dropping a trojanized Audacity tool.
– The infection chain uses the TookPS PowerShell script to install an SSH bot that collects system details, harvests browser cookies, and disables Windows Defender notifications.
– Key modules include SeedHunter, which displays fake seed-recovery screens for crypto wallets, and MC Keylogger, which records keystrokes and takes screenshots every 5 minutes.
– Most victims are in Brazil, and evidence like Russian comments in code and geoblocking of CIS IPs suggests a Russian-speaking threat actor.
A newly identified malicious framework, OkoBot, is actively distributing over 20 payloads in a campaign designed to steal cryptocurrency wallet seed phrases, login credentials, and other sensitive information. The attackers lure victims through ClickFix attacks and fraudulent GitHub repositories that masquerade as legitimate software tools.
In one documented instance, a repository claimed to offer SQL Server Management Studio (SSMS) but instead delivered a trojanized version of the Audacity audio editing tool. According to researchers at cybersecurity firm Kaspersky, the OkoBot campaign has been active for over a year and evolved from earlier operations that deployed the malicious PowerShell script TookPS. However, the infection chain has been completely overhauled. It now involves multiple attack stages, with TookPS used in the first phase to install and configure an SSH bot that subsequently delivers the other malicious components.
The SSH bot is also responsible for collecting system details, including the username, antivirus software, IP address, and OS version. It disables Windows Defender notifications and harvests cryptocurrency wallet files, browser cookies, and account credentials.
Among the roughly 20 modules OkoBot deploys, several stand out for their specific targeting. The ext daemon/extl.exe module injects into Chrome browsers to silently install and hide malicious extensions like Rilide, which targets credentials, cookies, financial information, and cryptocurrency-related data. SeedHunter injects into Trezor Suite, Ledger Wallet, and Ledger Live to display a fake seed-recovery screen designed to steal wallet recovery phrases. The MC Keylogger records keystrokes and clipboard activity, including copied text, images, and file paths, and can monitor for USB connections and take screenshots every five minutes. OkoSpyware monitors 100 programs, including cryptocurrency wallets and password managers, and uses FFmpeg to record video of their windows while also capturing keystrokes.
A wallet recovery phrase grants full access to a user’s cryptocurrency assets. If attackers obtain it, they can transfer the funds to wallets they control, making recovery virtually impossible.
Kaspersky’s telemetry indicates that the majority of OkoBot’s victims are in Brazil, followed by Vietnam, Canada, Mexico, and Turkey. However, the campaign has a global reach. OkoBot activity was first observed in January as an evolution of the TookPS campaign, which has been running since March 2025.
While Kaspersky has not attributed the OkoBot campaign to a specific threat actor, researchers noted that access to the servers hosting the PowerShell scripts for the initial attack stage is geoblocked. Payloads are not delivered when the IP address originates from Russia or the Commonwealth of Independent States (CIS) space, and the server returns an empty response. Additional clues pointing to a Russian-speaking threat actor include Russian comments in the source code of the SeedHunter module and the use of an infostealer actively promoted on invitation-only Russian cybercrime forums.
Kaspersky’s report includes a set of indicators of compromise, such as hashes for malicious plugins, injector payloads, SSH bot utilities, file paths, domains, and IP addresses.
(Source: BleepingComputer)