New OkoBot framework deploys 20 payloads to steal data, crypto
OkoBot is a malicious framework delivering over 20 payloads aimed at stealing cryptocurrency wallet seed phrases, credentials, and sensitive data. It spreads via ClickFix attacks and trojanized GitHub repositories. The infection chain involves multiple stages, starting with a PowerShell script that installs an SSH bot to collect system info and disable Windows Defender notifications. Key modules include browser injectors, fake seed phrase prompts targeting hardware wallets, keyloggers, and spyware that records video and keystrokes. The campaign has been active since early 2025 with a global reach, primarily impacting Brazil, Vietnam, Canada, Mexico, and Turkey. Indicators of compromise and detailed telemetry are available from Kaspersky. No official patch or remediation is noted.
AI Analysis
Technical Summary
OkoBot is a multi-stage malware framework that deploys more than 20 payloads to steal cryptocurrency wallet recovery phrases, credentials, and other sensitive information. It initially infects victims through ClickFix attacks or malicious GitHub repositories distributing trojanized software. The infection chain begins with a PowerShell script (TookPS) that installs an SSH bot responsible for system reconnaissance and disabling Windows Defender notifications. Notable payloads include browser injectors that silently install malicious extensions, modules that fake seed recovery screens for hardware wallets like Trezor and Ledger, keyloggers capturing keystrokes and clipboard data, and spyware that records video of targeted applications. The campaign has been ongoing since March 2025 and shows geoblocking of IPs from Russia and CIS countries, with Russian-language code comments suggesting a Russian-speaking threat actor. Kaspersky provides indicators of compromise including hashes, file paths, domains, and IP addresses. There is no vendor advisory or patch information available.
Potential Impact
The OkoBot framework enables attackers to steal cryptocurrency wallet seed phrases, which grant full access to victims' cryptocurrency assets, allowing irreversible theft. It also compromises credentials, browser cookies, and other sensitive data, potentially leading to broader account takeovers and financial losses. The malware disables Windows Defender notifications, reducing the likelihood of detection. The campaign affects users globally, with a concentration in Brazil, Vietnam, Canada, Mexico, and Turkey. The multi-stage infection and variety of payloads increase the complexity and effectiveness of the attacks.
Mitigation Recommendations
No official patch or remediation is currently available for OkoBot. Security teams should rely on the indicators of compromise published by Kaspersky to detect and block infections. Since the malware disables Windows Defender notifications, additional endpoint detection and response (EDR) solutions and network monitoring may help identify suspicious activity. Users should avoid downloading software from untrusted sources, especially trojanized repositories on GitHub, and be cautious of unsolicited links or ClickFix attacks. Regular backups and strong multi-factor authentication for cryptocurrency wallets are recommended to mitigate potential losses.
Affected Countries
Brazil, Vietnam, Canada, Mexico, Turkey
New OkoBot framework deploys 20 payloads to steal data, crypto
Description
OkoBot is a malicious framework delivering over 20 payloads aimed at stealing cryptocurrency wallet seed phrases, credentials, and sensitive data. It spreads via ClickFix attacks and trojanized GitHub repositories. The infection chain involves multiple stages, starting with a PowerShell script that installs an SSH bot to collect system info and disable Windows Defender notifications. Key modules include browser injectors, fake seed phrase prompts targeting hardware wallets, keyloggers, and spyware that records video and keystrokes. The campaign has been active since early 2025 with a global reach, primarily impacting Brazil, Vietnam, Canada, Mexico, and Turkey. Indicators of compromise and detailed telemetry are available from Kaspersky. No official patch or remediation is noted.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
OkoBot is a multi-stage malware framework that deploys more than 20 payloads to steal cryptocurrency wallet recovery phrases, credentials, and other sensitive information. It initially infects victims through ClickFix attacks or malicious GitHub repositories distributing trojanized software. The infection chain begins with a PowerShell script (TookPS) that installs an SSH bot responsible for system reconnaissance and disabling Windows Defender notifications. Notable payloads include browser injectors that silently install malicious extensions, modules that fake seed recovery screens for hardware wallets like Trezor and Ledger, keyloggers capturing keystrokes and clipboard data, and spyware that records video of targeted applications. The campaign has been ongoing since March 2025 and shows geoblocking of IPs from Russia and CIS countries, with Russian-language code comments suggesting a Russian-speaking threat actor. Kaspersky provides indicators of compromise including hashes, file paths, domains, and IP addresses. There is no vendor advisory or patch information available.
Potential Impact
The OkoBot framework enables attackers to steal cryptocurrency wallet seed phrases, which grant full access to victims' cryptocurrency assets, allowing irreversible theft. It also compromises credentials, browser cookies, and other sensitive data, potentially leading to broader account takeovers and financial losses. The malware disables Windows Defender notifications, reducing the likelihood of detection. The campaign affects users globally, with a concentration in Brazil, Vietnam, Canada, Mexico, and Turkey. The multi-stage infection and variety of payloads increase the complexity and effectiveness of the attacks.
Mitigation Recommendations
No official patch or remediation is currently available for OkoBot. Security teams should rely on the indicators of compromise published by Kaspersky to detect and block infections. Since the malware disables Windows Defender notifications, additional endpoint detection and response (EDR) solutions and network monitoring may help identify suspicious activity. Users should avoid downloading software from untrusted sources, especially trojanized repositories on GitHub, and be cautious of unsolicited links or ClickFix attacks. Regular backups and strong multi-factor authentication for cryptocurrency wallets are recommended to mitigate potential losses.
Threat ID: 6a592e4f68715ace4390bcba
Added to database: 07/16/2026, 19:17:35 UTC
Last enriched: 07/16/2026, 19:17:54 UTC
Last updated: 07/17/2026, 03:39:32 UTC
Views: 23
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.