Kaspersky uncovers 'OkoBot', a new malware framework bundling over 20 tools to steal crypto wallet seed phrases
Security researchers at Kaspersky have discovered 'OkoBot,' a new malware framework that packs more than 20 attack tools designed to exfiltrate sensitive data and crypto wallet credentials.
Kaspersky’s Global Research and Analysis Team (GReAT) has exposed 'OkoBot,' a sophisticated malware framework that has been targeting Windows users since April 2025, with major activity identified in January 2026.
OkoBot functions as a modular platform rather than a single threat, capable of deploying over 20 malicious payloads. Its capabilities range from credential and financial data theft to its primary objective: harvesting seed phrases from cryptocurrency wallets.
The malware spreads primarily through two methods: 'ClickFix' attacks that trick users into executing malicious code, and distribution via GitHub by masquerading as legitimate software. Researchers identified instances where it was bundled with fake installers for Microsoft's SQL Server Management Studio (SSMS), leading unsuspecting users to install the malware.
One of the most dangerous components is the 'SeedHunter' module. It monitors for the execution of popular wallet software, including Trezor Suite, Ledger Wallet, and Ledger Live. Once detected, it injects a custom-built phishing window tailored to the specific brand, designed to trick users into revealing their seed phrases.
To date, hundreds of victims have been reported across 25 countries, with the highest concentrations in Brazil, Vietnam, Canada, Mexico, and Turkey. The identity of the threat actors behind OkoBot remains unknown.
While Thailand is not currently among the top-affected regions, the malware's reliance on fake software distribution poses a significant risk to the general public. As Thailand has a large base of crypto users, individuals should exercise extreme caution when downloading software from untrusted sources.