Kaspersky identified the active OkoBot campaign, a multi-stage framework that uses TookPS, SSH tunneling, browser extension theft, keylogging, and spyware to steal cryptocurrency wallets and other credentials. The operation has evolved since 2025, now distributing over 20 payloads and targeting victims in more than 25 countries while remaining active. #TookPS #OkoBot #TeviRAT #Rilide #Volume2 #SeedHunter #OkoSpyware
Keypoints
- OkoBot is a multi-stage malicious framework initiated by the TookPS PowerShell downloader and orchestrated through SSH tunneling.
- The campaign has evolved since 2025, expanding from earlier payload delivery to a broader system with more than 20 malicious modules and implants.
- Initial infection is delivered through ClickFix lures and fake software hosted on GitHub, including a disguised SSMS package.
- The framework uses SSH bot access, RDP enablement, and Windows modifications to maintain persistence and retrieve modules via SFTP.
- Malicious modules include a browser extension loader, a plugin dispatcher, a keylogger, and spyware focused on cryptocurrency wallets and browser data.
- SeedHunter targets Trezor and Ledger devices, using phishing pages to steal seed phrases after detecting connected hardware wallets.
- The campaign has affected hundreds of victims across more than 25 countries, with the largest concentration in Brazil, Vietnam, Canada, Mexico, and TĂźrkiye.
MITRE Techniques
- [T1059.001] PowerShell â Used to launch TookPS and deliver payloads and exfiltration scripts (âthe execution of the malicious script TookPSâ / âreceives a PowerShell exfiltration script as its payloadâ).
- [T1105] Ingress Tool Transfer â Downloaded malicious modules and payloads via SFTP and attacker-controlled servers (âthe SSH bot begins retrieving malicious modules over SFTPâ).
- [T1021.004] Remote Services: SSH â Established an SSH tunnel and forwarded ports for remote access and module delivery (âinstalls SSH on the victimâs system, establishes a connection to the attacker-controlled SSH serverâ).
- [T1071.001] Application Layer Protocol: Web Protocols â The implant communicated with the C2 over HTTP/HTTPS (âestablishing communication with the C2 server via the HTTP protocolâ / âcommunicates with the C2 ⌠over HTTPSâ).
- [T1112] Modify Registry â Disabled Windows Defender notifications through registry changes (âdisables Windows Defender notifications via a registry modificationâ).
- [T1021.001] Remote Services: RDP â Opened firewall ports and configured Remote Desktop access for interactive control (âOpen firewall ports for inbound RDP trafficâ).
- [T1098] Account Manipulation â Created a user in the Remote Desktop Users group to gain access (âCreate a user in the âRemote Desktop Usersâ groupâ).
- [T1547.009] Boot or Logon Autostart Execution: Shortcut Modification / Scheduled Task â Created a scheduled task to maintain a reverse SSH tunnel (âCreate a scheduled task named Apple Syncâ).
- [T1134.002] Access Token Manipulation: Create Process with Token â Used elevated execution with nouac to bypass UAC and run payloads (âenables automatic UAC bypassingâ).
- [T1546.015] Event Triggered Execution: Component Object Model Hijacking / DLL Search Order Hijacking â Replaced termsrv.dll and used a malicious version.dll/protobuf.dll for execution (âReplace the legitimate termsrv.dll with a patched oneâ).
- [T1543.003] Create or Modify System Process: Windows Service â Installed/configured SSH to persist remote access (âinstalls SSH on the victimâs systemâ).
- [T1055] Process Injection â Injected implants into browser and wallet processes, and into legitimate processes via a process injector (âinjects a specialized implantâ / âlaunches additional malicious implants⌠by injecting them into legitimate processesâ).
- [T1562.001] Impair Defenses: Disable or Modify Tools â Suppressed Defender notifications and hid malicious browser extensions (âdisables Windows Defender notificationsâ / âhide them from the userâ).
- [T1119] Automated Collection â Collected usernames, IP address, OS version, wallet files, cookies, profiles, and credentials (âharvests cryptocurrency wallet files, browser cookies, profiles, and other credentialsâ).
- [T1005] Data from Local System â Read local files and artifacts from %APPDATA% and temporary directories (âscans the userâs %APPDATA% directoryâ).
- [T1056.001] Input Capture: Keylogging â Recorded keystrokes in browser windows and applications (âlogging keystrokes within that windowâ).
- [T1113] Screen Capture â Took screenshots and recorded video of application windows (âcreates a screenshot every five minutesâ / âcapture an MP4 video of the windowâ).
- [T1056.002] GUI Input Capture: GUI Input Capture â Hooked browser and Electron UI functions to intercept console messages and input (âdisplay a hard-coded phishing pageâ / âmal_LogConsoleMessageâ).
- [T1115] Clipboard Data â Logged clipboard contents including text, files, and images (âperiodically checks various clipboard formatsâ).
- [T1117] Browser Session Cookie â Harvested browser cookies and profiles (âbrowser cookies, profiles, and other credentialsâ).
- [T1027] Obfuscated Files or Information â Used VMProtect, packing, obfuscation, and encrypted payloads (âheavily obfuscatedâ / âprotected with VMProtectâ).
- [T1027.013] Binary Padding / Encrypted/Encoded File â Stored payloads encrypted with AES GCM and RC4 (âThe payload is encrypted using AES GCMâ / âencrypted with the RC4 algorithmâ).
- [T1016] System Network Configuration Discovery â Collected system information including IP address, usernames, AV, and OS version (âcollects system information such as usernames, antivirus software installed, the IP address, and OS versionâ).
- [T1082] System Information Discovery â Enumerated sessions, graphics adapters, processes, HWID, and device details (âenumsessions provides a list of sessionsâ / âLogging connected devicesâ).
- [T1518.001] Software Discovery: Security Software Discovery â Identified installed antivirus software (âantivirus software installedâ).
- [T1036] Masquerading â Disguised malicious software as SSMS and legitimate-looking GitHub content (âmasquerades as legitimate softwareâ).
Indicators of Compromise
- [Domains] C2, download, and infrastructure domains â 2baserec2[.]guru, recavb22[.]online, moonsand[.]store, and 2 more domains
- [IPs] SSH bot and infection infrastructure â 104.243.43[.]16, 104.243.32[.]213, and 62.210.188[.]209
- [File names] malicious loader, dispatcher, and payloads â HDUtil.exe, extl.exe, ext_daemon.exe, and 2 more files
- [File paths] persistence, staging, and artifact locations â %USERPROFILE%.sshgo.bat, %PROGRAMDATA%hwid.dat, and 3 more paths
- [File hashes] dispatcher, plugins, and implants â B07D451EE65A1580F20A784C8F0E7A46, 7306885BB4C98F2A9F056104CF092BC9, and 7 more hashes
Read more: https://securelist.com/okobot-framework-targets-cryptocurrency-wallets/120660/