OkoBot has been running on Windows machines since April 2025 and, according to Kaspersky's GReAT telemetry, has touched "hundreds of victims in more than 25 countries," with the largest shares of attacked users in Brazil, Vietnam, Canada, Mexico, and Türkiye.
SeedHunter: phishing pages drawn inside Ledger and Trezor desktop software
One of OkoBot's modules, called SeedHunter, methodically replaces the expected user interface inside real wallet companion apps. On an infected PC it watches for Trezor Suite, Ledger Wallet, and Ledger Live, injects into the app's Electron internals, and then draws a hard-coded recovery page — one layout per brand — inside the genuine application you installed.
SeedHunter calls home to a command-and-control server at moonsand[.]store. If the server sets a Wait flag, the module scans USB by vendor and product ID and sits idle until a real Ledger or Trezor is plugged in; with the flag off, the phishing page appears immediately. Whatever the timing, the typed recovery phrase is captured from the page's console behind an @:app:print marker, intercepted by a hooked mal_LogConsoleMessage, output as JSON and written as an RC4 copy to a temporary file.
The hardware wallet itself is not subverted — it still refuses to give up the private key — but SeedHunter exploits the companion software to trick users into typing their seed. Ledger's response, per the vendors cited by Kaspersky, reiterates that the phrase "never goes anywhere but the Ledger itself." Trezor Suite maintains that it "will never ask you to type your backup," though the report notes that Model One recovery can accept words in Suite when initiated by the device; a page that appears with nothing on the device screen is the tell.
Two primary infection vectors: a ClickFix lure and a trojanized GitHub repo
Kaspersky found two main delivery methods leading to OkoBot. One was a ClickFix lure; the other was a trojanized repository on GitHub that advertised SQL Server Management Studio but instead shipped Audacity rebuilt with a malicious implant inside one of its libraries. That repository ranked top for SSMS and lived from late March 2025 to June.
Both paths execute TookPS, a PowerShell downloader that Kaspersky has tracked since March 2025. TookPS previously arrived via fake DeepSeek pages and fake business-software download sites; in the OkoBot chain it stages the SSH tunnel and initial persistence that enable the later, more intrusive modules.
The post-compromise pipeline: TookPS, SSH tunnels, HDUtil and Volume2
TookPS installs SSH on the victim, forwards the local SSH daemon port, and waits for an automated SSH bot to connect back through the tunnel. That bot inventories the host — including installed antivirus — and exfiltrates wallet files, cookies, browser profiles, and credentials through the tunnel. The malware also silences Defender notifications via a registry write and builds persistent remote access:
- Opens the firewall for inbound RDP
- Adds an account to the Remote Desktop Users group
- Replaces termsrv.dll with a patched build that permits concurrent RDP sessions
- Registers a scheduled task called Apple Sync that rebuilds a reverse SSH tunnel for the local RDP port every hour
Modules are delivered over SFTP. A VMProtect-packed launcher named HDUtil runs subsequent modules and can elevate them using a Windows RPC UAC bypass documented by Project Zero in 2019. The final-stage delivery in earlier builds was Volume2 — an open-source utility carrying a malicious protobuf.dll that decrypts and starts a plugin dispatcher polling its C2 every 20 seconds. Kaspersky recovered five plugins; one is a process injector that installs SeedHunter inside wallet apps.
Surveillance modules: OkoSpyware, MC Keylogger and Rilide
The remainder of OkoBot's kit is focused on surveillance and credential theft. OkoSpyware watches for more than 100 executables — Exodus and 1Password among them — films matching windows to MP4 using bundled FFmpeg and logs keystrokes into those recordings. Browser titles are regex-matched so tabs like MetaMask or Tonkeeper are recorded. MC Keylogger captures input, clipboard contents and USB events and takes a screenshot every five minutes.
The loader installs hidden Chromium extensions with full permissions; the installed stealer is Rilide, a Chromium stealer that Kaspersky notes has appeared on invitation-only Russian-speaking forums. Kaspersky also observed changes in the campaign architecture: a March 2026 rebuild removed TeviRAT and consolidated a previous HDUtil → extl → Rilide chain into a single dispatcher plugin, and Volume2 began coming straight from TookPS.
What this means for hardware-wallet users and enterprise defenders
Hardware-wallet users: the immediate risk is not the device but the companion software. A recovery-page prompt that appears inside Ledger Live or Trezor Suite with no prompt on the device screen is the primary indicator of compromise; entering a seed into that page can expose the phrase to SeedHunter's capture.
Incident responders and enterprise defenders: Kaspersky lists concrete artifacts that can be hunted on endpoints — among them a scheduled task named Apple Sync, files such as %PROGRAMDATA%\\hwid.dat and %PROGRAMDATA%\\HDVideo\\HDUtil.exe, %USERPROFILE%\\.ssh\\go.bat, termsrv.dll altered from its shipped build, unexpected accounts in Remote Desktop Users, outbound SSH connections from user endpoints, and browser extension entries in Local Extension Settings that never appear in the browser's extension list. Kaspersky's post includes hashes and C2 domains for follow-up investigation.
Kaspersky "can't attribute this malicious campaign to any known crimeware actor," the report states; servers hosting the first-stage PowerShell return empty responses to Russian and CIS IPs, and SeedHunter's phishing pages carry Russian comments — signals the report treats as soft. For now, the campaign's operators are refining their toolchain: they removed TeviRAT, consolidated delivery chains after a March 2026 rebuild, and continue to iterate. The specific artifacts and domains Kaspersky published will be the clearest path to detection in the weeks ahead.




