OkoBot: new sophisticated malware framework targets cryptocurrency users

OkoBot: new sophisticated malware framework targets cryptocurrency users
Kaspersky identified the active OkoBot campaign, a multi-stage framework that uses TookPS, SSH tunneling, browser extension theft, keylogging, and spyware to steal cryptocurrency wallets and other credentials. The operation has evolved since 2025, now distributing over 20 payloads and targeting victims in more than 25 countries while remaining active. #TookPS #OkoBot #TeviRAT #Rilide #Volume2 #SeedHunter #OkoSpyware

Keypoints

  • OkoBot is a multi-stage malicious framework initiated by the TookPS PowerShell downloader and orchestrated through SSH tunneling.
  • The campaign has evolved since 2025, expanding from earlier payload delivery to a broader system with more than 20 malicious modules and implants.
  • Initial infection is delivered through ClickFix lures and fake software hosted on GitHub, including a disguised SSMS package.
  • The framework uses SSH bot access, RDP enablement, and Windows modifications to maintain persistence and retrieve modules via SFTP.
  • Malicious modules include a browser extension loader, a plugin dispatcher, a keylogger, and spyware focused on cryptocurrency wallets and browser data.
  • SeedHunter targets Trezor and Ledger devices, using phishing pages to steal seed phrases after detecting connected hardware wallets.
  • The campaign has affected hundreds of victims across more than 25 countries, with the largest concentration in Brazil, Vietnam, Canada, Mexico, and TĂźrkiye.

MITRE Techniques

  • [T1059.001] PowerShell – Used to launch TookPS and deliver payloads and exfiltration scripts (‘the execution of the malicious script TookPS’ / ‘receives a PowerShell exfiltration script as its payload’).
  • [T1105] Ingress Tool Transfer – Downloaded malicious modules and payloads via SFTP and attacker-controlled servers (‘the SSH bot begins retrieving malicious modules over SFTP’).
  • [T1021.004] Remote Services: SSH – Established an SSH tunnel and forwarded ports for remote access and module delivery (‘installs SSH on the victim’s system, establishes a connection to the attacker-controlled SSH server’).
  • [T1071.001] Application Layer Protocol: Web Protocols – The implant communicated with the C2 over HTTP/HTTPS (‘establishing communication with the C2 server via the HTTP protocol’ / ‘communicates with the C2 … over HTTPS’).
  • [T1112] Modify Registry – Disabled Windows Defender notifications through registry changes (‘disables Windows Defender notifications via a registry modification’).
  • [T1021.001] Remote Services: RDP – Opened firewall ports and configured Remote Desktop access for interactive control (‘Open firewall ports for inbound RDP traffic’).
  • [T1098] Account Manipulation – Created a user in the Remote Desktop Users group to gain access (‘Create a user in the “Remote Desktop Users” group’).
  • [T1547.009] Boot or Logon Autostart Execution: Shortcut Modification / Scheduled Task – Created a scheduled task to maintain a reverse SSH tunnel (‘Create a scheduled task named Apple Sync’).
  • [T1134.002] Access Token Manipulation: Create Process with Token – Used elevated execution with nouac to bypass UAC and run payloads (‘enables automatic UAC bypassing’).
  • [T1546.015] Event Triggered Execution: Component Object Model Hijacking / DLL Search Order Hijacking – Replaced termsrv.dll and used a malicious version.dll/protobuf.dll for execution (‘Replace the legitimate termsrv.dll with a patched one’).
  • [T1543.003] Create or Modify System Process: Windows Service – Installed/configured SSH to persist remote access (‘installs SSH on the victim’s system’).
  • [T1055] Process Injection – Injected implants into browser and wallet processes, and into legitimate processes via a process injector (‘injects a specialized implant’ / ‘launches additional malicious implants… by injecting them into legitimate processes’).
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Suppressed Defender notifications and hid malicious browser extensions (‘disables Windows Defender notifications’ / ‘hide them from the user’).
  • [T1119] Automated Collection – Collected usernames, IP address, OS version, wallet files, cookies, profiles, and credentials (‘harvests cryptocurrency wallet files, browser cookies, profiles, and other credentials’).
  • [T1005] Data from Local System – Read local files and artifacts from %APPDATA% and temporary directories (‘scans the user’s %APPDATA% directory’).
  • [T1056.001] Input Capture: Keylogging – Recorded keystrokes in browser windows and applications (‘logging keystrokes within that window’).
  • [T1113] Screen Capture – Took screenshots and recorded video of application windows (‘creates a screenshot every five minutes’ / ‘capture an MP4 video of the window’).
  • [T1056.002] GUI Input Capture: GUI Input Capture – Hooked browser and Electron UI functions to intercept console messages and input (‘display a hard-coded phishing page’ / ‘mal_LogConsoleMessage’).
  • [T1115] Clipboard Data – Logged clipboard contents including text, files, and images (‘periodically checks various clipboard formats’).
  • [T1117] Browser Session Cookie – Harvested browser cookies and profiles (‘browser cookies, profiles, and other credentials’).
  • [T1027] Obfuscated Files or Information – Used VMProtect, packing, obfuscation, and encrypted payloads (‘heavily obfuscated’ / ‘protected with VMProtect’).
  • [T1027.013] Binary Padding / Encrypted/Encoded File – Stored payloads encrypted with AES GCM and RC4 (‘The payload is encrypted using AES GCM’ / ‘encrypted with the RC4 algorithm’).
  • [T1016] System Network Configuration Discovery – Collected system information including IP address, usernames, AV, and OS version (‘collects system information such as usernames, antivirus software installed, the IP address, and OS version’).
  • [T1082] System Information Discovery – Enumerated sessions, graphics adapters, processes, HWID, and device details (‘enumsessions provides a list of sessions’ / ‘Logging connected devices’).
  • [T1518.001] Software Discovery: Security Software Discovery – Identified installed antivirus software (‘antivirus software installed’).
  • [T1036] Masquerading – Disguised malicious software as SSMS and legitimate-looking GitHub content (‘masquerades as legitimate software’).

Indicators of Compromise

  • [Domains] C2, download, and infrastructure domains – 2baserec2[.]guru, recavb22[.]online, moonsand[.]store, and 2 more domains
  • [IPs] SSH bot and infection infrastructure – 104.243.43[.]16, 104.243.32[.]213, and 62.210.188[.]209
  • [File names] malicious loader, dispatcher, and payloads – HDUtil.exe, extl.exe, ext_daemon.exe, and 2 more files
  • [File paths] persistence, staging, and artifact locations – %USERPROFILE%.sshgo.bat, %PROGRAMDATA%hwid.dat, and 3 more paths
  • [File hashes] dispatcher, plugins, and implants – B07D451EE65A1580F20A784C8F0E7A46, 7306885BB4C98F2A9F056104CF092BC9, and 7 more hashes


Read more: https://securelist.com/okobot-framework-targets-cryptocurrency-wallets/120660/