Kaspersky has disclosed that a malware named OkoBot has been actively operating for over a year, primarily targeting the theft of cryptocurrency wallet seed phrases and login credentials. Researchers say this attack chain consists of approximately 20 modules, with victims identified in Brazil, Vietnam, Canada, Mexico, and Turkey.
Malware distributed via GitHub
Researchers say attackers distributed malicious programs disguised as legitimate software, including fake installers impersonating Microsoft SQL Server Management Studio. One distribution channel is GitHub repositories.
OkoBot also incorporates ClickFix social engineering tactics. Victims see forged error, verification, or repair prompts and are guided to execute commands on their devices. Once executed, the malware installs itself without the user’s knowledge.
Recovery page targets mnemonic phrase
Among the identified modules, SeedHunter displays a forged wallet recovery interface, impersonating pages related to hardware wallets such as Ledger and Trezor. If users enter their recovery phrase on the page, the information is sent directly to the attackers.
Another module, MC Keylogger, records keyboard input and monitors clipboard content, enabling the interception of passwords, copied wallet addresses, and other credentials. The module named OkoSpyware can also track wallet passwords and record videos of open windows, further expanding the scope of information leakage.
Kaspersky notes that once a mnemonic phrase is compromised, attackers can take control of the associated wallet and transfer its assets. Since blockchain transactions are typically irreversible, stolen funds are often difficult to recover.
Developers and executives are also targets.
The report also noted that similar ClickFix attacks have recently been used against individuals in the crypto industry. According to CertiK’s research, Lazarus sent forged online meeting invitations to executives at fintech and crypto companies, tricking victims into pasting so-called repair or verification commands in the macOS terminal, thereby installing data-stealing malware.
Additionally, developer tools have become an entry point for attacks. Previously disclosed malware, TrapDoor, was distributed through compromised software packages, targeting developers in cryptocurrency, DeFi, AI, and security infrastructure, aiming to steal wallet data, API keys, cloud credentials, and SSH access rights.
These cases show that attackers are no longer relying solely on single phishing pages; instead, they are combining spoofed software, social engineering instructions, and multi-module data-stealing tools to expand their infiltration of wallet assets and enterprise systems.





