OkoBot Framework Targets Crypto Wallets with 'SeedHunter' Module
A sophisticated malware framework dubbed **OkoBot** has been actively compromising Windows machines since April 2025, specifically targeting cryptocurrency hardware wallet owners. Its 'SeedHunter' module deceptively prompts users within legitimate wallet desktop applications to input their recovery phrases, bypassing hardware-level security measures. Hundreds of victims across 25+ countries have been identified, highlighting a persistent threat to digital asset security.
A sophisticated malware framework, **OkoBot**, has been observed operating on Windows machines since April 2025. One of its primary modules is meticulously designed to trick hardware wallet owners into revealing their crucial recovery phrases.
On an infected PC, the malicious request for a recovery phrase appears to originate from within the wallet's own legitimate desktop software. In some instances, it patiently waits until a hardware device is physically connected before presenting the deceptive prompt. The page itself is malicious, seamlessly integrated into the otherwise genuine application, aiming to capture the user's recovery phrase.
**Kaspersky's GReAT** team published a detailed teardown on Wednesday, revealing hundreds of victims across more than 25 countries in their telemetry. Brazil, Vietnam, Canada, Mexico, and TΓΌrkiye account for the largest share of attacked users. The report does not specify how many users ultimately entered their recovery phrases, but **OkoBot** remains active, carrying over 20 distinct payloads and implants as of the July 15 report.
## SeedHunter Waits for the Device
**SeedHunter** is the dedicated **OkoBot** module responsible for stealing recovery phrases. Once the **OkoBot** framework establishes itself, it monitors for the presence of **Trezor Suite**, **Ledger Wallet**, and **Ledger Live**. It then injects itself into any detected application, hooking into its Electron internals. Subsequently, it communicates with its command-and-control (C2) server at `moonsand[.]store`.
If the server sets a `Wait` flag, **SeedHunter** will scan USB devices by vendor and product ID, remaining dormant until a genuine **Ledger** or **Trezor** device is plugged in. Only then does it render a hard-coded recovery page, with a specific layout tailored to each brand. If the flag is off, the phishing page appears immediately. The typed recovery phrase is captured by the page's console, marked with `@:app:print`, and then intercepted by the hooked `mal_LogConsoleMessage`. The stolen phrase is exfiltrated as JSON, with an RC4 encrypted copy also dropped in a temporary file.
It's crucial to understand that the hardware wallet itself is not compromised. These devices perform their intended function by refusing to release the private key. The vulnerability lies in their companion software's ability to be manipulated into requesting the recovery phrase from the user.
This method of deception isn't entirely new. **Moonlock Lab** has previously tracked macOS-based stealers employing similar swap versions, and **The Hacker News** covered cloned **Ledger Live** apps. For example, **AMOS** malware would terminate **Ledger Live** and drop a trojanized clone in `/Applications` demanding the 24-word recovery phrase.

In March, **GlassWorm** malware utilized a USB trigger on Windows, employing **WMI** to detect device connections and then displaying its own window after terminating the legitimate application. What **SeedHunter** innovates is the method of rendering the phishing page: it keeps the legitimate application running and draws the malicious interface directly within it.
## The SSMS That Was Actually Audacity
There are two primary infection vectors for **OkoBot**: a **ClickFix** lure and trojanized software distributed via **GitHub**. **Kaspersky** analyzed a GitHub repository that advertised **SQL Server Management Studio (SSMS)** but, in reality, shipped **Audacity**, the audio editor, rebuilt with a malicious implant hidden within one of its libraries. This malicious package, which ranked highly for `SSMS` searches, was active from late March 2025 to June.
Both infection paths lead to the execution of **TookPS**, a **PowerShell** downloader that **Kaspersky** has been tracking since March 2025. Initially, **TookPS** was observed riding fake **DeepSeek** pages, then later fake business-software download sites. It installs **SSH**, connects to an attacker-controlled server, forwards the local SSH daemon port, and awaits further instructions. An automated SSH bot subsequently connects back through this tunnel.
This bot comprehensively inventories the compromised system, including installed antivirus software. It then exfiltrates wallet files, cookies, browser profiles, and credentials via the SSH tunnel. To maintain stealth, it silences **Windows Defender** notifications with a registry write and sets up persistent remote access:
1. Opens the firewall for inbound **RDP**.
2. Adds an account to the **Remote Desktop Users** group.
3. Replaces `termsrv.dll` with a patched build to permit concurrent **RDP** sessions.
4. Registers a scheduled task named `Apple Sync` that rebuilds a reverse SSH tunnel for the local **RDP** port every hour.
Subsequent modules are delivered via **SFTP**. A **VMProtect**-packed launcher, `HDUtil`, executes these modules and can silently escalate privileges using a **Windows RPC UAC bypass** documented by **Project Zero** in 2019.
The final stage of delivery involves **Volume2**, an open-source utility containing a malicious `protobuf.dll` that decrypts and launches the core payload: a plugin dispatcher that polls its C2 every 20 seconds. **Kaspersky** recovered five plugins, one of which is a process injector responsible for placing **SeedHunter** into target applications.
The remainder of the toolkit focuses on surveillance. **OkoSpyware** monitors for over 100 executables, including **Exodus** and **1Password**. It records video of matching windows to MP4 using a bundled **FFmpeg** and logs keystrokes. Browser titles are regex-matched, so tabs like **MetaMask** or **Tonkeeper** trigger screen recording. **MC Keylogger** captures input, clipboard data, USB device activity, and takes screenshots every five minutes. A loader installs hidden **Chromium** extensions with all permissions granted; **Rilide**, a **Chromium** stealer used by Russian-speaking threat actors since April 2023, is among the installed extensions.
## Whose Framework Is It?
**Kaspersky** refrains from attributing **OkoBot** to any known actor, stating, "we can't attribute this malicious campaign to any known crimeware actor." However, some circumstantial evidence points to Russian-speaking origins: servers hosting the first-stage **PowerShell** return an empty response to Russian and CIS IP addresses, and **Rilide** is known to be traded on invitation-only Russian-speaking forums. Additionally, the **SeedHunter** phishing pages contain Russian comments. These are considered soft signals and are treated as such in the report.
There is no specific hardware wallet **CVE** or vendor patch that can directly close this attack vector, as the compromise occurs at the endpoint level. However, specific artifacts can aid in detection and hunting:
* A scheduled task named `Apple Sync`.
* Files such as `%PROGRAMDATA%\hwid.dat`, `%PROGRAMDATA%\HDVideo\HDUtil.exe`, and `%USERPROFILE%\.ssh\go.bat`.
* An altered `termsrv.dll` from its original shipped build.
* Unexplained accounts in the **Remote Desktop Users** group.
* Outbound **SSH** connections from user endpoints.
* Extensions in `Local Extension Settings` that do not appear in the browser's extension list.
**Kaspersky's** report provides the relevant hashes and C2 domains for further investigation. Hardware wallet vendors emphasize that the recovery phrase should *never* leave the device. **Ledger** explicitly states that the phrase never goes anywhere but the **Ledger** itself. **Trezor Suite** advises that it will never ask you to type your backup, though a **Model One's** standard recovery process *does* involve typing words into **Suite**, but only when prompted by the device itself. A phishing page appearing solely because the device was plugged in, without any corresponding prompt on the device screen, is a critical red flag.
Intriguingly, the framework underwent a rebuild in March 2026. The `TeviRAT` component is gone, and the `HDUtil` to `extl` to `Rilide` chain has been streamlined into a single dispatcher plugin performing the same functions. **Volume2** now comes directly from **TookPS**. Such active refinement suggests that the operators are not abandoning the codebase anytime soon.