Illustration of OkoBot malware attacking a hardware wallet desktop application, showing a phishing prompt for a seed phrase.
Cryptocurrency & Blockchain

OkoBot Malware Unleashes Sophisticated Seed Phrase Phishing on Hardware Wallet Users

Share
Share
Pinterest Hidden

A new and highly sophisticated malware framework, dubbed OkoBot, has been actively targeting Windows users since April 2025, posing a severe threat to cryptocurrency hardware wallet owners. This multi-faceted threat includes a particularly insidious module designed to trick users into revealing their crucial recovery phrases directly within their legitimate wallet applications.

OkoBot’s Deceptive SeedHunter Module

At the heart of OkoBot’s cryptocurrency theft operation lies SeedHunter, a module specifically engineered to pilfer recovery phrases from popular hardware wallet desktop applications such as Trezor Suite, Ledger Wallet, and Ledger Live. Once OkoBot infiltrates a system, SeedHunter meticulously monitors for these applications. Upon detection, it injects itself into the app’s Electron internals, effectively hijacking its interface.

The In-App Phishing Trap

The cunning aspect of SeedHunter is its ability to present a malicious recovery phrase request from within the genuine wallet software. This isn’t a pop-up from an external source; it appears as an integral part of the application itself. In some cases, it even waits for the user to physically plug in their Ledger or Trezor device before displaying the deceptive prompt, adding a layer of authenticity.

When a user inputs their seed phrase into this fake page, the data is covertly captured and exfiltrated as JSON, with an RC4-encrypted copy dropped into a temporary file. It’s crucial to understand that the hardware wallet itself remains uncompromised; its core function of securing the private key is intact. The vulnerability lies in the companion desktop software being manipulated to solicit the phrase from the user.

While the concept of in-app phishing isn’t entirely new—similar macOS stealers and cloned Ledger Live apps have been observed—SeedHunter innovates by drawing the malicious page inside the running, legitimate application, rather than killing it and launching a clone or a separate window.

Initial Infection Vectors: How OkoBot Spreads

Kaspersky’s GReAT team, which published a detailed teardown of OkoBot, identified two primary infection vectors responsible for its initial deployment:

1. ClickFix Lures

One method involves “ClickFix” lures, though specific details on these were not elaborated in the original report, they typically involve social engineering tactics to trick users into executing the malware.

2. Trojanized Software on GitHub

More alarmingly, OkoBot has been distributed via trojanized software hosted on GitHub. A notable example involved a repository advertising SQL Server Management Studio (SSMS). Instead of the legitimate database tool, users downloaded a malicious version of Audacity, the audio editor, embedded with OkoBot’s implant within one of its libraries. This deceptive package even ranked highly for SSMS searches, operating from late March to June 2025.

The TookPS Downloader and System Compromise

Both infection paths ultimately lead to the execution of TookPS

, a PowerShell downloader tracked by Kaspersky since March 2025. TookPS has previously been associated with fake DeepSeek pages and fraudulent business-software download sites. Its role is to establish a robust foothold on the compromised system:

  • It installs SSH and creates a reverse SSH tunnel to an attacker-controlled server.
  • An automated SSH bot then connects back, performing a comprehensive inventory of the infected machine, including installed antivirus software.
  • This bot then systematically exfiltrates sensitive data, including wallet files, browser cookies, profiles, and credentials, through the secure tunnel.

Establishing Persistence and Control

OkoBot goes to great lengths to ensure persistent access and control over the compromised system:

  • It silences Windows Defender notifications via registry modifications.
  • It opens the firewall for inbound Remote Desktop Protocol (RDP) connections.

  • A new account is added to the Remote Desktop Users group.
  • The termsrv.dll file is replaced with a patched version, enabling concurrent RDP sessions.
  • A scheduled task named “Apple Sync” is registered, designed to rebuild the reverse SSH tunnel for the local RDP port every hour, maintaining attacker access.

Advanced Payload Delivery and Extensive Surveillance

Following the initial system compromise, additional modules are delivered via SFTP. A VMProtect-packed launcher, HDUtil, executes these modules, leveraging a Windows RPC UAC bypass (documented by Project Zero in 2019) for silent privilege elevation.

The final stage of delivery involves a seemingly innocuous open-source utility called Volume2, which carries a malicious protobuf.dll. This DLL decrypts and launches the true payload: a plugin dispatcher that polls its command-and-control (C2) server every 20 seconds for new instructions.

Kaspersky identified five distinct plugins, with one serving as the process injector responsible for deploying SeedHunter. The remaining plugins form a comprehensive surveillance kit:

  • OkoSpyware: Monitors for over 100 executables, including Exodus and 1Password. It records matching windows to MP4 using a bundled FFmpeg and logs keystrokes. Browser titles are regex-matched, ensuring that tabs like MetaMask or Tonkeeper are specifically recorded.
  • MC Keylogger: Captures all keyboard input, clipboard data, and information about connected USB devices. It also takes screenshots every five minutes.
  • A loader installs hidden Chromium extensions with extensive permissions. This includes Rilide, a Chromium stealer known to be used by Russian-speaking threat actors since April 2023.

Attribution and Defense

While Kaspersky refrains from definitively attributing OkoBot to a specific known crimeware actor, several “soft signals” point towards a potential Russian-speaking origin. These include C2 servers returning empty responses to Russian and CIS IPs, Rilide’s presence on invitation-only Russian-speaking forums, and Russian comments found within the SeedHunter phishing pages.

Crucially, there is no hardware wallet CVE or vendor patch that can directly close this attack vector. The vulnerability lies at the endpoint—the user’s PC. Therefore, robust endpoint security, vigilance against suspicious software, and extreme caution when interacting with any request for a recovery phrase are paramount. Always verify requests directly on your hardware device’s screen, never solely relying on the desktop application.


For more details, visit our website.

Source: Link

Share

Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *