Back to advisories

OkoBot Malware Framework Injects Seed Phrase Phishing Into Ledger and Trezor Apps

OkoBot malware framework is actively injecting fake seed phrase prompts into Ledger and Trezor desktop applications to steal hardware wallet recovery phrases. Victims are being compromised through trojanized software on GitHub and other vectors. Successful exploitation results in complete loss of cryptocurrency holdings.

CRITICALAdvisoryJul 17, 2026
Action required
Hunt for OkoBot indicators across endpoints: monitor for unsigned or suspicious Ledger/Trezor app child processes, SSH tunnel connections from user workstations, and GitHub-sourced downloads. Block known OkoBot C2 infrastructure and scan systems with cryptocurrency wallet software installed for malware artifacts.
Affected products
Ledger LiveLedger WalletTrezor SuiteAudacitySQL Server Management Studio