OkoBot Malware Framework Injects Seed Phrase Phishing Into Ledger and Trezor Apps
OkoBot malware framework targets Ledger and Trezor users by injecting fake recovery phrase prompts.
Summary
The OkoBot malware framework, active since April 2025, has a module called SeedHunter designed to steal hardware wallet recovery phrases from Ledger and Trezor users. It injects fake prompts into the legitimate desktop applications, tricking victims into revealing their seed phrases. The malware uses various infection vectors, including trojanized software on GitHub, and exfiltrates stolen data through SSH tunnels.
Full text
OkoBot Malware Framework Injects Seed Phrase Phishing Into Ledger and Trezor Apps Swati KhandelwalJul 15, 2026Endpoint Security / Malware A malware framework called OkoBot has been running on Windows machines since April 2025, and one of its modules is built to con hardware wallet owners out of their recovery phrase. On an infected PC, the request comes from inside the wallet's own desktop software. Sometimes it waits until you plug the device in first. The page is malicious. The app around it is the real one you installed, and the phrase is the wallet. Kaspersky's GReAT team published the teardown on Wednesday, counting hundreds of victims in its telemetry across more than 25 countries. The largest share of attacked users is in Brazil, Vietnam, Canada, Mexico, and Türkiye. How many of them typed a phrase in, the report does not say. OkoBot carries more than 20 payloads and implants and was still active as of the July 15 report. SeedHunter Waits for the Device SeedHunter is the OkoBot module that steals the phrase. Once the framework lands, it watches for Trezor Suite, Ledger Wallet, and Ledger Live, injects into whichever it finds, and hooks the app's Electron internals. Then it asks its C2 at moonsand[.]store. If the server sets a Wait flag, SeedHunter scans USB by vendor and product ID and sits still until a real Ledger or Trezor is plugged in. Only then does it draw a hard-coded recovery page, one layout per brand. With the flag off, the page appears immediately. The typed phrase goes to the page's own console behind an @:app:print marker, and the hooked mal_LogConsoleMessage picks it up. It leaves as JSON, with an RC4 copy dropped in a temp file. The hardware wallet is not what gets broken. It does the one thing it was built for, which is to refuse to give up the key, and it cannot stop its companion software from asking you for the phrase instead. Neither half of the trick is new. Moonlock Lab tracked macOS stealers doing the swap version, and THN covered those cloned Ledger Live apps: AMOS killed Ledger Live and dropped a trojanized clone in /Applications demanding the 24 words. GlassWorm did the USB trigger on Windows in March, using WMI to spot a device going in, then throwing its own window up after killing the real app. What SeedHunter changes is where the page gets drawn. It leaves the app running and draws inside it. The SSMS That Was Actually Audacity Two main ways in: a ClickFix lure, and trojanized software on GitHub. The repo Kaspersky pulled apart advertised SQL Server Management Studio. What it shipped was Audacity, the audio editor, rebuilt with a malicious implant inside one of its libraries. It ranked top for SSMS. It lived from late March 2025 to June. Both paths execute TookPS, a PowerShell downloader Kaspersky has tracked since March 2025, when it rode fake DeepSeek pages, then fake business-software download sites. It installs SSH, dials an attacker-controlled server, forwards the local SSH daemon port, and waits. Later, an automated SSH bot connects back through the tunnel. The bot inventories the box down to the installed AV, then drags wallet files, cookies, browser profiles, and credentials out through the tunnel. It silences Defender notifications with a registry write and builds itself a desk: Opens the firewall for inbound RDP Adds an account to the Remote Desktop Users group Replaces termsrv.dll with a patched build that permits concurrent RDP sessions Registers a scheduled task called Apple Sync that rebuilds a reverse SSH tunnel for the local RDP port every hour Modules arrive over SFTP after that. A VMProtect-packed launcher called HDUtil runs them and can elevate them silently through a Windows RPC UAC bypass that Project Zero documented in 2019. The last delivery is Volume2, an open-source utility carrying a malicious protobuf.dll that decrypts and starts the real payload: a plugin dispatcher polling its C2 every 20 seconds. Kaspersky recovered five plugins. One is a process injector, and that is what puts SeedHunter in place. The rest of the kit is surveillance. OkoSpyware watches for 100-plus executables, Exodus, and 1Password among them. It films the matching window to MP4 with a bundled FFmpeg and logs keystrokes into it. Browser titles get regex-matched, so a MetaMask or Tonkeeper tab gets recorded. MC Keylogger covers input, clipboard, USB devices, and takes a screenshot every five minutes. A loader installs hidden Chromium extensions with every permission granted; Rilide, a Chromium stealer used by Russian-speaking threat actors since April 2023, is what it installed. Whose Framework Is It? Kaspersky will not name an actor: "we can't attribute this malicious campaign to any known crimeware actor." The servers hosting the first-stage PowerShell return an empty response to Russian and CIS IPs. Rilide moves on invitation-only Russian-speaking forums. The SeedHunter phishing pages carry Russian comments. Those are soft signals, and the report treats them as such. There is no wallet CVE and no vendor patch that closes this route. It lands on the endpoint instead, and the artifacts are specific enough to hunt: A scheduled task named Apple Sync %PROGRAMDATA%\hwid.dat, %PROGRAMDATA%\HDVideo\HDUtil.exe, %USERPROFILE%\.ssh\go.bat termsrv.dll altered from its shipped build Accounts in Remote Desktop Users that nobody added Outbound SSH from user endpoints Extensions in Local Extension Settings that never appear in the browser's extension list Kaspersky's post has the hashes and C2 domains. The vendors draw the line at the device. Ledger says the phrase never goes anywhere but the Ledger itself. Trezor Suite says it will never ask you to type your backup, though a Model One's standard recovery does take the words in Suite, and only when the device asks. A page that appears because you plugged in, with nothing on the device screen behind it, is the tell. Then the March 2026 rebuild. TeviRAT is gone. The HDUtil to extl to Rilide chain is gone, folded into a single dispatcher plugin that does the same job. Volume2 now comes straight from TookPS. Nobody prunes a codebase they are about to walk away from. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE Tweet Share Share Share SHARE browser security, cryptocurrency, Cybercrime, endpoint security, Information Stealer, Malware, Phishing, Remote Access Trojan, Supply Chain Attack, Windows Security ⚡ Top Stories This Week 16-Year-Old Linux KVM Flaw Lets Guest VMs Escape to Host on Intel and AMD x86 Systems BeyondTrust Patches Critical Auth Bypass Flaws in Remote Support and PRA Court Filing Reveals Windows Device ID Helped FBI Trace Alleged Scattered Spider Hacker Rogue Agent Flaw Could Have Let Attackers Hijack Google Dialogflow CX Chatbots RedWing MaaS Packages Android Bank Fraud as a Telegram Rental Service 15-Year-Old GhostLock Flaw Enables Root and Container Escape on Most Linux Distros GitHub Copilot Refuses Harmful Requests in Chat, Then Writes Them in Code New HalluSquatting Attack Could Trick AI Coding Assistants Into Installing Botnet Malware GhostApproval Symlink Flaws Could Let Malicious Repos Run Code in AI Coding Agents Top AI Agents Built to Catch Malicious Code Can Be Tricked Into Running It Meta's New AI Image Tool Lets Others Use Your Public Instagram Photos in AI Images ThreatsDay: Cloud Bucket Hijacking, Windows LPE Chain, Global Fraud Bust + 17 More Stories Dormant GitHub Accounts Help Attackers Blend In While Mapping Corporate Orgs Attackers Exploit 'Ill Bloom' Vulnerability to Drain Over $5 Million From Cryptocurrency Wallets Unpatched XRING Flaw in XQUIC Lets Remote Clients Crash HTTP/3 Servers Researcher Details WhatsApp-to-Host Attack Chain Using Three OpenClaw Flaws New TrojPix Attack Leaks Data From Air-Gapped Systems via Video Cable Emissions Unpatched Flaws Disclosed in Filesystem Bundled Into Millions of Embedded Devices New "Bad Epoll" Linux Kernel Fla
Indicators of Compromise
- domain — moonsand[.]store
- malware — OkoBot
- malware — SeedHunter
- malware — TookPS
- malware — HDUtil
- malware — Volume2