Introduction to OkoBot Malware
A sophisticated malware framework, known as OkoBot, has been targeting Windows systems since April 2025, aiming at cryptocurrency hardware wallet users. The malware attempts to steal recovery phrases from users of Ledger and Trezor wallets.
Kaspersky’s Global Research and Analysis Team (GReAT) reported the malware is active in over 25 countries, with Brazil, Vietnam, Canada, Mexico, and Türkiye seeing the highest number of affected users. The malware exploits legitimate wallet software to execute its attack.
How SeedHunter Operates
One of OkoBot’s key components is SeedHunter, a module designed to capture recovery phrases from wallet applications. Once it infiltrates a system, SeedHunter monitors for applications like Trezor Suite and Ledger Live, injecting itself into these programs.
The module connects to a server, moonsand[.]store, and waits for a real Ledger or Trezor device to be connected. Upon detection, it displays a fake recovery phrase request page within the authentic application, deceiving users into typing their sensitive information.
Distribution Tactics of OkoBot
OkoBot spreads through various methods, including trojanized software downloads and phishing lures. For example, a GitHub repository falsely advertised SQL Server Management Studio but delivered a compromised version of Audacity embedded with malicious code.
Another distribution path involves TookPS, a PowerShell downloader, which facilitates the installation of additional malware components and establishes a connection to attacker-controlled servers, allowing further data exfiltration and system control.
Security Implications and Recommendations
The OkoBot framework deploys numerous surveillance tools, including keyloggers and video recording software, to monitor user activity and capture sensitive information. It also manipulates system configurations to maintain persistence and evade detection.
Users are advised to be vigilant and avoid entering recovery phrases unless prompted by their hardware device. Regularly updating software, using trusted download sources, and employing robust security solutions can mitigate the risk of infection.
Conclusion and Future Outlook
With no specific vulnerabilities in the hardware wallets themselves, the focus remains on securing endpoints and software environments. As cybercriminal tactics evolve, staying informed and adopting comprehensive security measures is crucial for safeguarding digital assets.
