OkoBot Malware Framework Injects Seed Phrase Phishing Into Ledger and Trezor Apps

OkoBot Malware Framework Injects Seed Phrase Phishing Into Ledger and Trezor Apps

A malware framework known as OkoBot has been operational on Windows systems since April 2025, with one of its components designed to deceive hardware wallet users into revealing their recovery phrases.

On a compromised computer, the request originates from the wallet’s own desktop application. At times, it waits until the device is connected. The page is malicious, while the surrounding app is the legitimate one you installed, and the phrase pertains to the wallet.

Kaspersky’s GReAT team released a detailed analysis on Wednesday, reporting hundreds of victims in their telemetry across over 25 nations. The highest concentration of affected users is found in Brazil, Vietnam, Canada, Mexico, and Türkiye.

The report does not specify how many individuals entered their phrases. OkoBot contains over 20 payloads and implants and was still active as of the report dated July 15.

SeedHunter Monitors for the Device

SeedHunter is the OkoBot module responsible for stealing the recovery phrase. Once the framework is established, it monitors for Trezor Suite, Ledger Wallet, and Ledger Live, injecting itself into whichever it detects, and hooks into the app’s Electron internals. It then communicates with its command and control server at moonsand[.]store.

If the server activates a Wait flag, SeedHunter scans USB devices by vendor and product ID and remains idle until a genuine Ledger or Trezor is connected. Only then does it present a hard-coded recovery page, with a unique layout for each brand. If the flag is deactivated, the page appears instantly. The entered phrase is sent to the page’s console behind an @:app:print marker, and the hooked mal_LogConsoleMessage captures it. It is then transmitted as JSON, with an RC4 copy saved in a temporary file.

The hardware wallet itself is not compromised. It performs its intended function of safeguarding the key and cannot prevent its companion software from prompting you for the phrase instead.

Neither aspect of this deception is novel. Moonlock Lab has tracked macOS stealers executing a similar swap, and THN has reported on cloned Ledger Live applications: AMOS eliminated Ledger Live and installed a trojanized version in /Applications that demanded the 24 words.

GlassWorm implemented the USB trigger on Windows in March, utilizing WMI to detect a device connection, then displaying its own window after terminating the genuine app. What SeedHunter alters is the location of the drawn page. It keeps the app running and renders the page within it.

The SSMS That Was Actually Audacity

There are two primary entry points: a ClickFix lure and trojanized software on GitHub. The repository that Kaspersky analyzed claimed to offer SQL Server Management Studio but actually delivered Audacity, the audio editing software, modified with a malicious implant embedded in one of its libraries. It ranked highly for SSMS and was active from late March 2025 until June.

Both methods execute TookPS, a PowerShell downloader that Kaspersky has been tracking since March 2025, when it was associated with fake DeepSeek pages and subsequently with fraudulent business-software download sites. It installs SSH, connects to an attacker-controlled server, forwards the local SSH daemon port, and waits. Later, an automated SSH bot establishes a connection back through the tunnel.

The bot inventories the system, including the installed antivirus, and extracts wallet files, cookies, browser profiles, and credentials through the tunnel. It suppresses Defender notifications with a registry modification and sets up its own environment:

  • Opens the firewall for incoming RDP connections
  • Adds an account to the Remote Desktop Users group
  • Replaces termsrv.dll with a modified version that allows concurrent RDP sessions
  • Registers a scheduled task named Apple Sync that reconstructs a reverse SSH tunnel for the local RDP port every hour

Subsequent modules are delivered via SFTP. A VMProtect-packed launcher called HDUtil executes them and can elevate their privileges silently through a Windows RPC UAC bypass documented by Project Zero in 2019.

The final delivery is Volume2, an open-source utility containing a malicious protobuf.dll that decrypts and initiates the actual payload: a plugin dispatcher that polls its command and control server every 20 seconds. Kaspersky identified five plugins, one of which is a process injector that deploys SeedHunter.

The remainder of the toolkit is focused on surveillance. OkoSpyware monitors over 100 executables, including Exodus.

Source: Original article

Leave a Reply

Your email address will not be published. Required fields are marked *

Back To Top