More than 20 separate payloads are being deployed by a single, cohesive malware framework that researchers say is focused on stealing cryptocurrency wallet recovery phrases, credentials, and other sensitive data.
How OkoBot reaches victims: ClickFix lures and trojanized GitHub repositories
Researchers at cybersecurity company Kaspersky report that OkoBot is distributed through two primary vectors: ClickFix attacks and malicious GitHub repositories masquerading as legitimate software projects. In one documented case, a repository that claimed to host SQL Server Management Studio (SSMS) instead dropped a trojanized build of the Audacity audio editor. These delivery methods are designed to trick users seeking common tools into executing code that begins a multi-stage infection chain.
Multi-stage infection chain: TookPS, an SSH bot, and staged payload delivery
Kaspersky's analysis shows that OkoBot evolved from activity tied to a malicious PowerShell script called TookPS. While the overall infection chain has been substantially reworked, TookPS is still used in the first phase to install and configure an SSH bot. That SSH bot is responsible for delivering the remainder of the malicious components and for early reconnaissance: it collects system details such as username, installed antivirus software, IP address, and OS version; it disables Windows Defender notifications; and it harvests cryptocurrency wallet files, browser cookies, and account credentials.
Notable OkoBot modules and what they do
- ext daemon / extl.exe: Injects into Chrome browsers to silently install and hide malicious browser extensions — for example, the Rilide extension — which target credentials, cookies, financial information, and cryptocurrency-related data.
- SeedHunter: Injects into desktop wallet applications including Trezor Suite, Ledger Wallet, and Ledger Live, and displays a fake seed-recovery screen designed to capture wallet recovery phrases from users.
- MC Keylogger: Records keystrokes and clipboard activity (including copied text, images, and file paths), monitors for USB connections, and can take screenshots every five minutes.
- OkoSpyware: Monitors roughly 100 programs — among them cryptocurrency wallets and password managers — and uses FFmpeg to record video of their windows in addition to capturing keystrokes.
Kaspersky emphasizes the high stakes: a wallet recovery phrase provides full access to a user's cryptocurrency assets, and if attackers obtain it they can transfer funds to wallets they control "with virtually no possibility of recovery."
Geography, operational constraints, and language clues
Kaspersky telemetry shows that most observed OkoBot victims are in Brazil, followed by Vietnam, Canada, Mexico, and Turkey, although the campaign's reach is global. Kaspersky first observed OkoBot activity in January as an evolution of the TookPS campaign that has been running since March 2025.
Operational clues in the campaign suggest deliberate geofencing: access to servers hosting the PowerShell scripts used in the initial stage is geoblocked, with payloads not delivered when the client IP is from Russia or the Commonwealth of Independent States (CIS) range — the server returns an empty response in those cases. Additional indicators include Russian-language comments in the SeedHunter source code and the use of an infostealer that is actively promoted on invitation-only Russian cybercrime forums. Kaspersky does not attribute the campaign to any specific threat actor.
What this means for technologists, procurement leaders, and cryptocurrency holders
- Technologists and security teams: Kaspersky published indicators of compromise that include hashes for malicious plugins and injector payloads, SSH bot utilities, file paths, domains, and IP addresses; these artifacts provide concrete starting points for detection and response. Separately, a Picus whitepaper cited in the reporting notes that security teams log 54% of successful attacks but alert on just 14%, underscoring the gap between detection and actionable alerts in many environments.
- Procurement leaders and software maintainers: The trojanized GitHub repository example underlines the risk posed by counterfeit or repackaged software offerings. Teams responsible for acquiring tools should be aware that repositories claiming to provide common utilities may instead distribute backdoored binaries.
- End users and cryptocurrency holders: Seed phrases are the focal point of several OkoBot modules; because a recovery phrase grants full access to funds, users who encounter unexpected seed-recovery prompts in wallet software are at particular risk, and loss from a compromised seed phrase is described as having "virtually no possibility of recovery."
OkoBot is notable for its modularity and specialization: more than 20 payloads, a dedicated SSH bot for initial control and reconnaissance, and modules that specifically target desktop wallet interfaces and browser-based credential stores. Kaspersky's published indicators give defenders concrete artifacts to hunt for, while the campaign's geoblocking and code comments add operational context without providing firm attribution. The result is a persistent, adaptable campaign that privileges stealth and precise targeting of cryptocurrency holdings.




