• 2 min read
OkoBot spreads 20 malware payloads for crypto theft
Kaspersky says OkoBot has run for more than a year, using ClickFix lures and fake GitHub repos to steal seed phrases, credentials, and wallet data.

Image: BleepingComputer
A malicious framework dubbed OkoBot is being used to deliver more than 20 payloads aimed at stealing cryptocurrency wallet seed phrases, credentials, cookies, and other sensitive data, according to Kaspersky. Victims are reached through ClickFix attacks and malicious GitHub repositories disguised as legitimate software. In one example, a repository claimed to provide SQL Server Management Studio (SSMS) but instead installed a trojanized version of Audacity.
Kaspersky says the campaign has been active for more than a year and grew out of activity tied to the malicious PowerShell script TookPS. The infection chain has since been overhauled into a multi-stage process, with TookPS now used early on to install and configure an SSH bot that pulls down the rest of the malware.
The OkoBot infection chainSource: Kaspersky
That SSH bot also gathers system details such as the username, antivirus product, IP address, and OS version, while disabling Windows Defender notifications. It also steals wallet files, browser cookies, and account credentials.
Among OkoBot’s most notable modules are:

Recommended reading
Open-weight model poisoned for under $100
- ext daemon/extl.exe: injects into Chrome to silently install and hide malicious extensions such as Rilide, which targets credentials, cookies, financial data, and crypto-related information
- SeedHunter: injects into Trezor Suite, Ledger Wallet, and Ledger Live to show a fake recovery screen and steal wallet seed phrases
- MC Keylogger: captures keystrokes and clipboard data, including copied text, images, and file paths; it can also watch for USB connections and take screenshots every 5 minutes
- OkoSpyware: monitors 100 programs including crypto wallets and password managers, and uses FFmpeg to record video of their windows while also logging keystrokes
Kaspersky warns that a stolen wallet recovery phrase gives attackers full access to a victim’s cryptocurrency assets, with little chance of recovering transferred funds.
Kaspersky telemetry shows most victims are in Brazil, followed by Vietnam, Canada, Mexico, and Turkey, though the campaign is described as global. The company says OkoBot activity was first seen in January as an evolution of the TookPS campaign, which has been running since March 2025.
Kaspersky does not attribute OkoBot to a specific threat actor, but it notes several clues: the initial PowerShell delivery servers are geoblocked, returning empty responses to IP addresses from Russia and the Commonwealth of Independent States (CIS); the SeedHunter source code includes Russian comments; and one infostealer used in the operation is promoted on invitation-only Russian cybercrime forums.
Kaspersky’s report includes indicators of compromise covering hashes, malicious plugins, injector payloads, SSH bot utilities, file paths, domains, and IP addresses.
Security Editor
Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.
via BleepingComputer


