A malware framework called OkoBot has been active on Windows since April 2025, with a module named SeedHunter that injects phishing pages directly into legitimate Ledger and Trezor wallet applications to steal recovery phrases. The malware monitors for Trezor Suite and Ledger Live applications, hooks their Electron internals, and either displays a recovery page immediately or waits until a hardware wallet is plugged in based on command-and-control instructions. SeedHunter captures typed recovery phrases through hooked console logging functions, packaging them as JSON with RC4 encryption before exfiltration.
Kaspersky researchers identified hundreds of victims across more than 25 countries, with the largest shares in Brazil, Vietnam, Canada, Mexico, and Türkiye. The framework is delivered through ClickFix lures and trojanized software on GitHub, including a fake SQL Server Management Studio repository that actually shipped a compromised Audacity build. A PowerShell downloader named TookPS installs SSH daemons, creates reverse tunnels, builds persistence through scheduled tasks, and delivers additional modules over SFTP.
The malware includes surveillance components that record screens, log keystrokes, steal browser data, and install hidden Chromium extensions. Kaspersky noted Russian-language comments in SeedHunter's phishing pages and servers returning empty responses to Russian IPs, but declined to attribute the campaign to any known actor. The attack does not exploit wallet vulnerabilities but targets the endpoint, with no vendor patch available to prevent this attack vector. The malware remains active as of July 2025, with artifacts including scheduled tasks named Apple Sync and altered termsrv.dll files for concurrent RDP sessions.
Read more...
