Malware

OkoBot malware targets hardware wallet users with recovery phrase phishing

A malware framework known as OkoBot has been actively targeting Windows users since April 2025, with a specific module designed to steal recovery phrases from hardware cryptocurrency wallet owners. The attack involves injecting malicious code into legitimate wallet software, tricking users into revealing their sensitive recovery information, as reported by The Hacker News.

The OkoBot framework, particularly its SeedHunter module, targets popular hardware wallets like Ledger and Trezor. Once a user's PC is infected, OkoBot monitors for the launch of wallet applications such as Trezor Suite, Ledger Wallet, or Ledger Live. It then injects itself into these applications and can either immediately display a fake recovery phrase input page or wait until a hardware wallet device is connected. The fake page mimics the legitimate wallet interface, prompting users to enter their recovery phrase, which is then captured by the malware. The hardware wallet itself remains secure, but the companion software is exploited to trick the user. The malware is distributed through various methods, including phishing lures and trojanized software disguised as legitimate applications like SQL Server Management Studio on GitHub.

After initial infection, a PowerShell downloader called TookPS is executed, which establishes an SSH connection to an attacker-controlled server. This allows for the exfiltration of sensitive data, including wallet files, browser profiles, and credentials. OkoBot also deploys other modules for surveillance, keylogging, and installing malicious browser extensions, such as Rilide. While the specific threat actor remains unknown, indicators of compromise include specific scheduled tasks, altered system files, and hidden browser extensions.

Source: The Hacker News

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

Related Terms

Adware

You can skip this ad in 5 seconds