№197|06:24 PM ET
Independent reporting on technology, markets & policy
TechEchelon
№01 / Anchor·CYBERSECURITY

New OkoBot Malware Framework Deploys 20 Payloads to Steal Cryptocurrency and Credentials

A new malware framework called OkoBot deploys more than 20 payloads to steal cryptocurrency wallet seed phrases, browser credentials, and other sensitive data, with Kaspersky linking the campaign to a Russian-speaking threat actor active since at least March 2025.

TE
TechEchelon Staff
JUL 16, 2026 · 05:02 PM ET · 2 MIN READ
via Wikipedia (Kaspersky Lab)

A newly identified malware framework called OkoBot is targeting cryptocurrency users and credential holders through a multi-stage attack chain that delivers more than 20 distinct malicious payloads, according to researchers at Kaspersky.

The campaign has been active for more than a year, Kaspersky said, and evolved from earlier activity tied to a malicious PowerShell script known as TookPS. While OkoBot retains TookPS as a first-phase component, the broader infection chain has been entirely rebuilt around a modular architecture that makes it significantly more capable than its predecessor.

OkoBot reaches victims through two primary vectors: ClickFix attacks and malicious GitHub repositories masquerading as legitimate software tools. In one documented case, a repository claimed to offer SQL Server Management Studio but instead delivered a trojanized version of the Audacity audio editing tool.

Once executed, TookPS installs and configures an SSH bot that serves as the framework's backbone. That bot collects system details — including username, antivirus software, IP address, and operating system version — disables Windows Defender notifications, and harvests cryptocurrency wallet files, browser cookies, and account credentials before deploying additional modules.

Among the most notable components Kaspersky identified are SeedHunter, which injects into Trezor Suite, Ledger Wallet, and Ledger Live to display a fake seed-recovery screen designed to capture wallet recovery phrases; an extension daemon that injects into Chrome browsers to silently install and conceal malicious extensions, including one called Rilide that targets credentials, cookies, and financial data; MC Keylogger, which records keystrokes, clipboard activity, copied images, and file paths while also taking screenshots every five minutes; and OkoSpyware, which monitors 100 programs including cryptocurrency wallets and password managers, using FFmpeg to record video of their windows.

The theft of a wallet recovery phrase is particularly severe, as it grants full access to a user's cryptocurrency holdings with virtually no possibility of recovery once funds are transferred.

Kaspersky telemetry places the majority of OkoBot victims in Brazil, followed by Vietnam, Canada, Mexico, and Turkey, though the firm described the campaign's reach as global. Activity was first observed in January 2026, building on TookPS infrastructure that dates to March 2025.

Kaspersky declined to formally attribute OkoBot to a specific threat actor but noted several indicators pointing toward a Russian-speaking group. Payloads are not delivered to IP addresses originating from Russia or the Commonwealth of Independent States — the servers return an empty response instead. Researchers also found Russian-language comments in the source code of the SeedHunter module, and the campaign makes use of an infostealer actively promoted on invitation-only Russian cybercrime forums.

A sixth gathering of the bilateral China-Russia Military-Technical Cooperation Forum is scheduled for later this year in St. Petersburg, according to separate reporting — a reminder that state-sponsored threat actors continue to organize even as criminal frameworks like OkoBot proliferate independently.

Kaspersky published a set of indicators of compromise covering hashes for malicious plugins, injector payloads, SSH bot utilities, file paths, domains, and IP addresses to assist defenders in detection and response.

TE
━ ABOUT THE BYLINE
TechEchelon Staff

TechEchelon Staff bylines are produced collectively by the newsroom for short, breaking, and wire-style coverage. Longer-form reporting is published under the responsible reporter's name.

More from the Staff
● THE BRIEF · DAILY NEWSLETTER

Five stories every morning. Before the opening bell.

Written for readers who already know the basics — markets, AI, and the policy decisions that shape both.

Mon — Fri · 06:30 ET · Free

No spam · Unsubscribe anytime