Kaspersky revealed a sophisticated malware named OkoBot that leverages around 20 modules to steal cryptocurrency wallet recovery phrases and credentials. The operation has impacted users primarily in Brazil, Vietnam, Canada, Mexico, and Turkey over the past year.
Modular Malware Design and Distribution Methods
OkoBot is distributed via GitHub repositories disguised as legitimate applications, including Microsoft SQL Server Management Studio. It employs a social engineering tactic known as ClickFix, which deceives victims into running harmful commands by displaying counterfeit error messages and repair instructions. These commands install the malware without the user’s awareness. The operators specifically block IP addresses from Russia and other Commonwealth of Independent States countries.
Capabilities and Targeted Data
Among OkoBot’s modules, SeedHunter presents a fake recovery interface for hardware wallets like Ledger and Trezor to capture recovery phrases. Another module, MC Keylogger, records keystrokes and clipboard activity to harvest passwords and wallet addresses. The OkoSpyware module records video of active windows and monitors wallet passwords to further observe the victim’s device. Once recovery phrases are compromised, attackers gain control over wallets and can transfer funds, which victims cannot reverse due to blockchain immutability.
Context and Related Threats
Kaspersky’s findings show that OkoBot targets both wallet access information and credentials related to other services on the infected system. The use of ClickFix in crypto attacks is not isolated to OkoBot, as previous campaigns such as North Korea’s Lazarus Group’s Mach-O Man also exploited this technique to compromise macOS users in the cryptocurrency sector.
This material is for informational purposes only and does not constitute financial advice.



