To deploy OkoBot on victims' devices, attackers use a technique called ClickFix—a social engineering method that tricks users into executing malicious commands. OkoBot is also distributed through fake GitHub repositories disguised as legitimate software tools.
In one such repository, the tool SQL Server Management Studio (SSMS) was offered—but in reality, it was a version of the audio editor Audacity infected with a Trojan, Kaspersky specialists reported. They clarified that OkoBot has been active for over a year, distributing the PowerShell script TookPS.
TookPS is used in the first stage to install and configure the SSH bot that distributes malicious components. The SSH bot collects data on the username, antivirus software, IP address, and operating system version, and disables Windows Defender notifications. Additionally, the bot gathers information about cryptocurrency wallets, browser cookies, and credentials.
Experts identified the modules used by OkoBot in its attacks:
ext daemon/extl.exe: This module is injected into Chrome browsers to silently install and conceal the Rilide extension, which targets the collection of credentials, cookies, financial information, and cryptocurrency-related data.
SeedHunter: Being integrated into Trezor Suite, Ledger Wallet, and Ledger Live to display a fake screen during seed phrase recovery.
MC Keylogger: records keystrokes and clipboard activity, including copied text, images, and file paths. The module can also monitor USB connections and take screenshots every five minutes.
OkoSpyware: tracks cryptocurrency wallet passwords and also uses FFmpeg to record video of their windows and capture keystrokes.
If attackers gain access to the seed phrase, they obtain full control over the victim’s crypto assets. In such cases, hackers typically transfer the funds to addresses they control, making it nearly impossible to recover the stolen cryptocurrency.
Kaspersky claims that the majority of OkoBot victims are located in Brazil, Vietnam, Canada, Mexico, and Turkey. The exact amount of stolen funds is not disclosed. Kaspersky researchers observed that access to servers hosting PowerShell scripts for the initial attack stage is blocked for IP addresses from Russia and CIS countries.
Last year, experts from ScamSniffer identified a new tactic used by scammers to steal seed phrases from Phantom Wallet users. Hackers create malicious pop-ups claiming to “update the extension.” After approval, potential victims are prompted to enter their seed phrase.





