Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
OkoBot Malware Targets Ledger, Trezor Wallets

OkoBot Malware Targets Ledger, Trezor Wallets

Posted on July 15, 2026 By CWS

Introduction to OkoBot Malware

A sophisticated malware framework, known as OkoBot, has been targeting Windows systems since April 2025, aiming at cryptocurrency hardware wallet users. The malware attempts to steal recovery phrases from users of Ledger and Trezor wallets.

Kaspersky’s Global Research and Analysis Team (GReAT) reported the malware is active in over 25 countries, with Brazil, Vietnam, Canada, Mexico, and Türkiye seeing the highest number of affected users. The malware exploits legitimate wallet software to execute its attack.

How SeedHunter Operates

One of OkoBot’s key components is SeedHunter, a module designed to capture recovery phrases from wallet applications. Once it infiltrates a system, SeedHunter monitors for applications like Trezor Suite and Ledger Live, injecting itself into these programs.

The module connects to a server, moonsand[.]store, and waits for a real Ledger or Trezor device to be connected. Upon detection, it displays a fake recovery phrase request page within the authentic application, deceiving users into typing their sensitive information.

Distribution Tactics of OkoBot

OkoBot spreads through various methods, including trojanized software downloads and phishing lures. For example, a GitHub repository falsely advertised SQL Server Management Studio but delivered a compromised version of Audacity embedded with malicious code.

Another distribution path involves TookPS, a PowerShell downloader, which facilitates the installation of additional malware components and establishes a connection to attacker-controlled servers, allowing further data exfiltration and system control.

Security Implications and Recommendations

The OkoBot framework deploys numerous surveillance tools, including keyloggers and video recording software, to monitor user activity and capture sensitive information. It also manipulates system configurations to maintain persistence and evade detection.

Users are advised to be vigilant and avoid entering recovery phrases unless prompted by their hardware device. Regularly updating software, using trusted download sources, and employing robust security solutions can mitigate the risk of infection.

Conclusion and Future Outlook

With no specific vulnerabilities in the hardware wallets themselves, the focus remains on securing endpoints and software environments. As cybercriminal tactics evolve, staying informed and adopting comprehensive security measures is crucial for safeguarding digital assets.

The Hacker News Tags:crypto theft, Cryptocurrency, cyber attack, cyber threat, Cybersecurity, hardware wallet, Kaspersky, Ledger, Malware, OkoBot, Phishing, security breach, SeedHunter, Trezor, Windows malware

Post navigation

Previous Post: Critical Vulnerability in Cursor Exposes Windows Systems
Next Post: Security Flaws Addressed by Fortinet, Ivanti, and ServiceNow

Related Posts

New FileFix Variant Delivers StealC Malware Through Multilingual Phishing Site New FileFix Variant Delivers StealC Malware Through Multilingual Phishing Site The Hacker News
Speagle Malware Exploits Security Software for Data Theft Speagle Malware Exploits Security Software for Data Theft The Hacker News
Microsoft Office Zero-Day (CVE-2026-21509) – Emergency Patch Issued for Active Exploitation Microsoft Office Zero-Day (CVE-2026-21509) – Emergency Patch Issued for Active Exploitation The Hacker News
Over 250 Magento Stores Hit Overnight as Hackers Exploit New Adobe Commerce Flaw Over 250 Magento Stores Hit Overnight as Hackers Exploit New Adobe Commerce Flaw The Hacker News
GhostRedirector Hacks 65 Windows Servers Using Rungan Backdoor and Gamshen IIS Module GhostRedirector Hacks 65 Windows Servers Using Rungan Backdoor and Gamshen IIS Module The Hacker News
Active Exploitation Detected in Gladinet and TrioFox Vulnerability Active Exploitation Detected in Gladinet and TrioFox Vulnerability The Hacker News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • AI-Powered Botnet Built in Minutes Using Gemini CLI
  • Siemens, Schneider, Rockwell Patch ICS Vulnerabilities
  • Insignary Unveils Clarity On-Demand for SBOMs Without Commitment
  • Security Flaws Addressed by Fortinet, Ivanti, and ServiceNow
  • OkoBot Malware Targets Ledger, Trezor Wallets

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • AI-Powered Botnet Built in Minutes Using Gemini CLI
  • Siemens, Schneider, Rockwell Patch ICS Vulnerabilities
  • Insignary Unveils Clarity On-Demand for SBOMs Without Commitment
  • Security Flaws Addressed by Fortinet, Ivanti, and ServiceNow
  • OkoBot Malware Targets Ledger, Trezor Wallets

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark