The new sophisticated framework employs TookPS to exfiltrate seed phrases and uses a new OkoSpyware module to monitor Chromium-based browsers and deploy various malware strains, including the Rilide stealer. It has already targeted hundreds of victims across over 25 countries, with the highest number of affected end users recorded in Brazil, Vietnam, Canada, Mexico and Türkiye. According to Kaspersky experts, the threat remains active and primarily poses a risk to cryptocurrency users.
In January 2026, experts from the Kaspersky Global Research and Analysis Team (GReAT) experts identified multiple attacks involving a previously unknown malware capable of capturing the contents of cryptocurrency wallet windows. Dubbed Okobot, the new sophisticated malware framework comprises more than 20 malicious payloads and implants designed to perform a wide range of functions, including collecting local files, executing remote commands, downloading arbitrary browser extensions, stealing cryptocurrency wallets, harvesting seed phrases and credentials, recording video and carrying out other malicious activities. One of the new implants used in the campaign is a loader that modifies browser memory to load and hide malicious extensions. OkoBot also includes a new OkoSpyware module, which captures keystrokes and the video stream of a target application's window.
Currently
available information does not allow the campaign to be attributed to any known
crimeware actor with high confidence. However, the techniques and infostealer
involved are widely used by Russian-speaking threat actors, and technical
analysis has also revealed code artifacts in Russian.
The initial
infection typically occurs through two main vectors: ClickFix attacks, in which
threat actors use social engineering to trick users into running malicious
code, and malware distributed via GitHub under the guise of legitimate
software. During the investigation, researchers identified one such case
involving a fake installer for SQL Server Management Studio (SSMS), a widely
used Microsoft database management tool.
The
malicious framework includes SeedHunter, a malware component that monitors
active system processes and injects an implant into Trezor Suite, Ledger
Wallet, and Ledger Live, - official applications used to manage cryptocurrency
assets. When it detects a connected Trezor or Ledger hardware wallet, it
triggers the hooked functions to display a hard-coded phishing page aimed at
stealing the user’s seed phrase, using a distinct layout for each wallet type.
“The
OkoBot campaign has been active for more than a year and remained ongoing as of
July 2026. The observed infection vectors strongly suggest that developers are
among its primary targets. Of particular concern is the malware’s continued
evolution, which indicates that the framework is being actively maintained. As
distribution efforts persist, the campaign has the potential to reach more
users and expand into additional countries in the near term,” says Dmitry Galov, Head of the
Russia and CIS unit at Kaspersky Global Research and Analysis Team.
The full report is available on securelist.com.
To stay safe, Kaspersky GReAT experts recommend users:
- Never follow instructions from unverified sources to deploy unknown code on a device, whether given directly or found in guides. Attackers often use this tactic to infect systems, which can lead to data loss and even loss of control over the device.
- Use a strong security solution on all computers and mobile devices, such as Kaspersky Premium. It will warn you and prevent an infection.
- Manage sensitive data securely: avoid storing passwords or recovery phrases in your photo gallery or notes; instead, use a dedicated, trusted password manager such as Kaspersky Password Manager.
- Never disable antivirus or security tools to install software and exercise caution when downloading game mods, cheats or third-party utilities.
- Keep operating systems and applications updated, use strong, unique passwords and enable multi-factor authentication wherever possible.
About
the Global Research & Analysis Team
Established
in 2008, Global Research & Analysis Team (GReAT) operates at the very heart
of Kaspersky, uncovering APTs, cyber-espionage campaigns, major malware,
ransomware and underground cyber-criminal trends across the world. Today GReAT
consists of 35+ experts working globally – in Europe, Russia, Latin America,
Asia and the Middle East. Talented security professionals provide company
leadership in anti-malware research and innovation, bringing unrivaled
expertise, passion and curiosity to the discovery and analysis of cyberthreats.