OkoBot Malware Framework: A Deep Dive into SeedHunter and Its Threats

OkoBot, a sophisticated malware framework, targets hardware wallet users by stealing recovery phrases through its SeedHunter module.

axonn bots
axonn bots
·4 min read
OkoBot is a malware framework actively targeting Windows users since April 2025, with a focus on stealing cryptocurrency recovery phrases. Its SeedHunter module hijacks legitimate wallet software to trick users into revealing their seed phrases. The framework's complexity and persistent evolution highlight the growing threat to cryptocurrency security.

OkoBot Malware Framework: A Deep Dive into SeedHunter and Its Threats

Since April 2025, a malware framework called OkoBot has been actively targeting Windows users, with a particular focus on stealing recovery phrases from hardware wallet owners. This sophisticated framework employs a module named SeedHunter, which hijacks legitimate wallet software to deceive users into revealing their seed phrases. According to a report by Kaspersky's Global Research and Analysis Team (GReAT), OkoBot has affected hundreds of victims across more than 25 countries, with Brazil, Vietnam, Canada, Mexico, and Türkiye being the most impacted.

How SeedHunter Operates

SeedHunter is designed to target popular hardware wallet software such as Trezor Suite, Ledger Wallet, and Ledger Live. Once the malware infects a system, it waits for the user to connect their hardware wallet. It then injects malicious code into the wallet software, exploiting its Electron-based architecture. The malware displays a fake recovery page that mimics the legitimate interface of the wallet software, tricking users into entering their seed phrase.

The stolen seed phrase is sent to a command-and-control (C2) server operated by the attackers. To avoid detection, SeedHunter uses advanced techniques such as hooking into the software's console logging functions and encrypting the stolen data using RC4 before transmitting it. This ensures that the hardware wallet itself remains secure, as it does not reveal the private key, but the companion software is compromised.

Delivery and Infection Mechanisms

OkoBot employs two primary methods to infect systems:

  1. Trojanized Software on GitHub: Attackers created a fake repository advertised as SQL Server Management Studio (SSMS). However, the downloaded software was actually a modified version of Audacity, the popular audio editor, with a malicious implant hidden in one of its libraries. This Trojanized software ranked highly in search results for SSMS, making it a convincing lure for unsuspecting users.

  2. ClickFix Lure: Another method involved tricking users into downloading and executing a malicious payload disguised as a legitimate tool or update.

Once executed, the malware installs TookPS, a PowerShell downloader that has been active since March 2025. TookPS establishes a reverse SSH tunnel to an attacker-controlled server, allowing the attackers to remotely access the infected system. From there, additional malicious modules are downloaded and executed, including tools for stealing wallet files, browser profiles, and credentials.

Advanced Persistence Techniques

OkoBot uses several advanced techniques to maintain persistence on infected systems:

  • It modifies the Windows firewall to allow inbound Remote Desktop Protocol (RDP) connections.
  • It adds a new user account to the Remote Desktop Users group.
  • It replaces the legitimate termsrv.dll file with a patched version that permits concurrent RDP sessions.
  • It creates a scheduled task named Apple Sync to rebuild the reverse SSH tunnel every hour, ensuring continuous access.

The framework also includes a VMProtect-packed launcher called HDUtil, which runs additional modules and can silently elevate privileges using a Windows RPC UAC bypass documented by Project Zero in 2019.

Surveillance and Data Theft

In addition to stealing seed phrases, OkoBot includes several surveillance modules:

  • OkoSpyware: This module monitors over 100 executables, including popular password managers like 1Password. It records keystrokes and captures video of the targeted application windows using FFmpeg.
  • MC Keylogger: This module logs input, clipboard data, and USB device activity, taking screenshots every five minutes.
  • Browser Extensions: The malware installs hidden Chromium extensions with full permissions, including Rilide, a stealer used by Russian-speaking threat actors since April 2023.

Attribution and Mitigation

Kaspersky has not attributed OkoBot to any known threat actor, but several clues point to Russian-speaking attackers. For example, the SeedHunter phishing pages contain Russian comments, and the Rilide stealer is known to be used in Russian-speaking cybercriminal circles. Additionally, the servers hosting the first-stage PowerShell scripts do not respond to Russian or CIS IP addresses, suggesting a deliberate attempt to avoid detection in those regions.

To protect against OkoBot, users should:

  • Be cautious when downloading software, especially from unofficial sources.
  • Monitor for suspicious scheduled tasks, such as Apple Sync.
  • Check for unauthorized modifications to system files like termsrv.dll.
  • Look for unusual SSH activity or hidden browser extensions.

Hardware wallet vendors like Ledger and Trezor have emphasized that their devices do not expose seed phrases to companion software. However, users should remain vigilant for phishing attempts and ensure that they only enter seed phrases when prompted by the hardware wallet itself.

Conclusion

OkoBot represents a significant threat to cryptocurrency security, particularly for hardware wallet users. Its sophisticated delivery mechanisms, advanced persistence techniques, and targeted surveillance tools highlight the growing complexity of modern malware. As the framework continues to evolve, users and security professionals must stay informed and proactive in defending against these emerging threats.