Advertisement
Cyber Crime

OkoBot Injects Phishing Into Wallets

A sophisticated Windows malware framework is compromising cryptocurrency wallets by injecting fake recovery prompts into desktop apps.

··2 hours ago·2 min read
silver and black round emblem
Photo by Jievani Weerasinghe on Unsplash
Advertisement

A persistent malware framework known as OkoBot has been systematically targeting Windows systems since April 2025, operating with a specific focus on compromising cryptocurrency holdings. Rather than attempting to break the underlying security of hardware devices, the attackers utilize a module called SeedHunter to hijack the legitimate desktop applications used to manage those wallets.

Tactical In-App Phishing

Once the framework infects a machine, it monitors for the presence of Trezor Suite, Ledger Wallet, or Ledger Live. By hooking into the Electron internals of these applications, the malware can display a fake recovery phrase entry page directly within the trusted interface of the software. When the C2 server at moonsand[.]store sends a specific flag, the malware monitors USB connections and waits for the victim to plug in their hardware wallet before presenting the malicious prompt.

The threat highlights a critical distinction in modern security: while the hardware wallet itself remains secure and refuses to export keys, the companion software can be manipulated. Because the phishing page appears within the legitimate application window, unsuspecting users may be tricked into providing their sensitive recovery phrases, which are then transmitted to the attackers.

Complex Infection Chains

The attackers employ sophisticated delivery methods, including ClickFix lures and trojanized software hosted on GitHub, such as a malicious version of Audacity disguised as SQL Server Management Studio. Once initial access is gained, the system is further compromised via TookPS, a PowerShell downloader that establishes persistent SSH tunnels and reconfigures the host to allow remote access.

we can't attribute this malicious campaign to any known crimeware actor.

— Kaspersky's GReAT team, regarding the unknown origin of the OkoBot campaign

The framework also integrates extensive surveillance capabilities through additional modules. These include the MC Keylogger, which captures input and clipboard data, and the deployment of Rilide, a well-known Chromium stealer. The infection chain is highly automated, utilizing a VMProtect-packed launcher and RPC UAC bypasses to maintain elevated privileges on the target machine.

The Indicators of Compromise

  • A scheduled task named Apple Sync running hourly.
  • Altered versions of termsrv.dll used to enable unauthorized concurrent RDP sessions.
  • Unexplained accounts added to the Remote Desktop Users group.
  • Files located at %PROGRAMDATA%\hwid.dat and %PROGRAMDATA%\HDVideo\HDUtil.exe.
  • Hidden browser extensions that do not appear in the standard extension management menu.

Defending the Endpoint

Because these attacks target the endpoint software rather than the hardware device, there is no vendor patch that can address this vulnerability. Security professionals and end-users should maintain vigilance regarding the specific artifacts left by this framework, such as unauthorized outbound SSH connections originating from user workstations.

Ultimately, this campaign underscores the necessity of strictly following hardware vendor guidelines. Legitimate wallet software will not ask for recovery phrases outside of specific, device-verified workflows. If an application demands a recovery phrase simply because a device was plugged in—without the device screen specifically requesting it—users should consider that a definitive sign of compromise.

#malware#cryptocurrency#phishing#windows#infostealer

Xploitwire Editorial Team

Xploitwire Newsroom

This article was researched and drafted with AI assistance and reviewed by our editorial team before publication. About Xploitwire →

← Back to all stories
Advertisement