OkoBot is a Windows malware framework active since April 2025 that uses its SeedHunter module to steal hardware wallet recovery phrases by injecting fake recovery pages into legitimate Ledger Live, Ledger Wallet, and Trezor Suite software. Kaspersky found hundreds of victims across more than 25 countries, with notable concentration in Brazil, Vietnam, Canada, Mexico, and TΓΌrkiye, while the broader toolkit also enables SSH tunneling, RDP access, credential theft, and additional spyware implants. #OkoBot #SeedHunter #LedgerLive #LedgerWallet #TrezorSuite #Kaspersky #GReAT #TookPS #Rilide #Exodus #1Password
Keypoints
- OkoBot has been active on Windows machines since April 2025.
- Its SeedHunter module steals recovery phrases from Ledger and Trezor users.
- The fake recovery page is drawn inside the real wallet app interface.
- Kaspersky observed hundreds of victims in more than 25 countries.
- The framework also uses SSH tunnels, RDP persistence, and spyware modules.
Read More: https://thehackernews.com/2026/07/okobot-malware-framework-injects-seed.html