
A new malicious framework called OkoBot is delivering more than 20 payloads in attacks focused on stealing cryptocurrency wallet seed phrases, credentials, and other sensitive data.
OkoBot reaches victims through ClickFix attacks or malicious GitHub repositories pretending to host legitimate software tools.
In one case, a repository claimed to offer SQL Server Management Studio (SSMS) but dropped a trojanized version of the Audacity audio editing tool.
Researchers at cybersecurity company Kaspersky say that the OkoBot campaign has been ongoing for more than a year and evolved from the activity that delivered the malicious PowerShell script TookPS.
However, the infection chain has been completely changed, with multiple attack stages and TookPS being used in the first phase to install and configure an SSH bot that delivered the other malicious components.

The SSH bot is also responsible for collecting system details (username, antivirus software, IP address, OS version) and disabling Windows Defender notifications. It also harvests cryptocurrency wallet files, browser cookies, and account credentials.
Among the 20 modules OkoBot uses in these attacks, the most notable are:
- ext daemon/extl.exe: Injects into Chrome browsers to silently install and hide malicious extensions like Rilide, which targets credentials, cookies, financial information, and cryptocurrency-related data.
- SeedHunter: Injects into Trezor Suite, Ledger Wallet, and Ledger Live to display a fake seed-recovery screen designed to steal wallet recovery phrases from victims.
- MC Keylogger: Records keystrokes and clipboard activity, including copied text, images, and file paths, and can also monitor for USB connections and take screenshots every 5 minutes.
- OkoSpyware: Monitors 100 programs like cryptocurrency wallets and password managers, and uses FFmpeg to record video of their windows and also capture keystrokes.
It's important to note that a wallet recovery phrase provides full access to a user's cryptocurrency assets. If attackers obtain it, they can transfer the funds to wallets they control, with virtually no possibility of recovery.

Kaspersky telemetry shows that the majority of OkoBot's victims are located in Brazil, followed by Vietnam, Canada, Mexico, and Turkey. However, the campaign’s reach is global.
OkoBot activity was first observed in January as an evolution of the TookPS campaign that has been running since March 2025.
While Kaspersky does not attribute the OkoBot campaign to any threat actor, the researchers shared that access to the servers hosting the PowerShell scripts for the initial stage of the attack is geoblocked.
They noticed that payloads are not delivered when using an IP address from Russia or the Commonwealth of Independent States (CIS) space, and the server returns an empty response.
Additional clues pointing to a Russian-speaking threat actor include Russian comments present in the source code of the SeedHunter module and the use of an infostealer that is actively promoted on invitation-only Russian cybercrime forums.
Kaspersky's report provides a set of indicators of compromise that includes hashes for the malicious plugins, injector payloads, SSH bot utilities, file paths, domains, and IP addresses.
Test every layer before attackers do
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
Get the whitepaper