OkoBot Malware Steals Wallet Recovery Phrases via 20 Modules
2026-07-18 17:52

Woofun AI reports that Kaspersky security researchers have identified OkoBot, a new malware strain designed to exfiltrate cryptocurrency wallet recovery phrases and credentials through approximately 20 distinct modules. The threat actors employ ClickFix social engineering tactics to deceive users into executing malicious commands, distributing the software via GitHub repositories disguised as legitimate utilities such as SQL Server Management Studio.

OkoBot’s architecture includes SeedHunter, which injects into hardware wallets like Trezor and Ledger to display fake interfaces during recovery; MC Keylogger, which records keyboard and clipboard activity; and OkoSpyware, which monitors wallet passwords and captures window video. Once recovery phrases are compromised, attackers gain full control over assets, rendering fund recovery nearly impossible. Kaspersky noted the malware has operated for over a year, with victims primarily located in Brazil, Vietnam, Canada, Mexico, and Turkey, while IP addresses from Russia and CIS countries are blocked.

Disclaimer: Views are the author's own and do not represent the platform. Do not reproduce without permission. Content is for reference only, not investment advice. Trade at your own risk.
Tags:
Kaspersky
OkoBot
Bits.media
ClickFix
GitHub
SQL Server Management Studio
SeedHunter
Trezor
Ledger
MC Keylogger
OkoSpyware
Share:
back