"In total, the framework includes more than 20 malicious payloads and implants, covering a wide variety of functions," Kaspersky reports — and its investigators say those modules are assembled into a single, evolving framework they call OkoBot.
Initial infection vectors: ClickFix and malicious GitHub packages
Kaspersky’s analysis traces OkoBot’s entry to two concrete distribution methods. The first is a ClickFix attack; the second is malware packaged on GitHub and presented as legitimate software. One documented example impersonated SQL Server Management Studio (SSMS) by publishing a README-style installation guide and directing users to a release that actually contained Audacity compiled with a malicious implant embedded in a library. That repository appeared in late March 2025 and remained online until June 2025. Both vectors ultimately execute a malicious PowerShell script known as TookPS, which installs SSH, opens a connection to an attacker-controlled SSH server, and forwards the SSH daemon port to enable follow‑on access.
SSH bot, HDUtil launcher, and the Volume2 dispatcher
After TookPS stages the SSH tunnel, an automated SSH bot connects to the forwarded port. The bot performs comprehensive reconnaissance — usernames, installed antivirus, IP address, OS version — and harvests browser profiles, cookies, and cryptocurrency wallet files over the SSH link. To prepare for remote control, the bot disables Windows Defender notifications by editing the registry, opens firewall ports for inbound RDP, creates a Remote Desktop Users account, patches termsrv.dll to allow concurrent sessions, and installs a scheduled task called "Apple Sync" to reestablish a reverse SSH tunnel hourly.
The bot retrieves modules over SFTP and uses a VMProtect-protected launcher named HDUtil.exe. HDUtil supports a key "target" command that can launch payloads normally or with automatic UAC bypass using Windows RPC and an auto-elevated msconfig.exe — a technique Kaspersky notes was previously documented by Project Zero. One delivered component is Volume2 (an open-source utility) linked at runtime to a modified protobuf.dll (later renamed version.dll). That altered DLL exposes a malicious function which decrypts an AES‑GCM encrypted implant — the dispatcher — that polls the command-and-control (C2) server every 20 seconds and can load plugins or reconfigure the client.
SeedHunter, Rilide and OkoSpyware: wallet-focused implants
OkoBot contains multiple implants designed to steal cryptocurrency-related secrets. Kaspersky documents at least four injector-delivered implants: ext_daemon (a browser‑extension loader), SeedHunter (targeting Ledger and Trezor applications), MC Keylogger, and OkoSpyware.
SeedHunter hooks Electron-based wallet clients and, upon command from its C2 (moonsand[.]store), either waits for a hardware wallet to be connected or immediately displays a hard-coded phishing page mimicking seed‑phrase recovery. When a victim submits a seed phrase, the malware sends it to the C2 and also stores an RC4-encrypted copy in a temporary file. Rilide, a Chromium‑targeting browser extension frequently used by Russian‑speaking actors, was also installed by the framework’s extension loader to harvest credentials, cookies and financial data.
OkoSpyware combines keystroke logging with window video capture via a bundled FFmpeg instance. It maintains a list of more than 100 process names to monitor — including Exodus and Litecoin QT and password managers such as KeePassXC and 1Password — and records MP4 video files and JSON metadata (process name, intercepted input, MD5 hash) to the temp folder for exfiltration.
Victim footprint, operational signals, and attribution notes
By Kaspersky’s count, hundreds of victims across more than 25 countries have been observed between April 2025 and June 2026, with the largest shares in Brazil, Vietnam, Canada, Mexico, and Türkiye. The campaign has adapted over time: TookPS appeared in March 2025 delivering Python infostealers; April 2025 saw delivery of TeviRAT; by late April 2025 the chain was redesigned so TookPS only initiated infection and an automated SSH bot handled payloads. In March 2026 Kaspersky found a new phase where Volume2 is installed directly using TookPS and TeviRAT was removed, replaced by a unified plugins dispatcher.
Kaspersky does not attribute OkoBot to a known actor. Investigators did note operational signals: server-side geoblocking that returns empty responses to Russia/CIS IPs, use of the Rilide extension common on Russian-language cybercrime forums, and Russian comments in SeedHunter’s phishing-page source. Domains and IPs observed in the campaign include recavb22[.]online, coffeesaloon[.]online, moonsand[.]store, thatwascringe[.]com, and SSH bot addresses such as 104.243.43[.]16 and 104.243.32[.]213.
What this means for technologists, cryptocurrency users, and GitHub maintainers
- Technologists and security teams: watch for TookPS activity and persistence indicators — the scheduled task named "Apple Sync", files such as %PROGRAMDATA%\HDVideo\HDUtil.exe and %PROGRAMDATA%\hwid.dat, and unusual SSH port forwarding or SFTP traffic. The dispatcher model (Volume2 + modified protobuf/version.dll) centralizes control and can dynamically load plugins, so blocklisting single payloads is likely insufficient.
- Cryptocurrency users and wallet vendors: OkoBot specifically targets hardware wallets and desktop wallet clients. SeedHunter’s technique — displaying phishing recovery pages to capture seed phrases and exfiltrating them to moonsand[.]store — underlines the risk of companion malware that records both keystrokes and window video. Users should be aware that browser extensions can be silently installed and hidden by an injected loader (ext_daemon/extl.exe) that modifies extension manifests.
- GitHub maintainers and platform operators: the campaign used a repository seeded with a README-style guide that pointed to malicious releases. The repo was indexed by search engines and presented as SSMS guidance; validation of release binaries and stronger release-source verification could disrupt this distribution method.
OkoBot, as described by Kaspersky, is not a single binary but a modular framework: SSH staging, a multi‑command launcher, an in‑memory plugin dispatcher, and multiple implants geared to cryptocurrency theft. The campaign has been active for more than a year and is visibly evolving — a fact Kaspersky underscores by documenting changes from TookPS-era payloads to a dispatcher-centric Volume2 phase. For further technical indicators, decryption scripts and a full IoC list, Kaspersky points customers to its Threat Intelligence Reporting service (intelreports@kaspersky.com).




