OkoBot framework infection chain
In January 2026, researchers identified a sophisticated malware framework dubbed OkoBot that targets cryptocurrency users through a multi-stage infection chain. The campaign begins with TookPS PowerShell scripts delivered via ClickFix attacks or fake software on GitHub. An automated SSH bot deploys over 20 malicious modules including HDUtil launcher, browser extension injectors installing Rilide stealer, and specialized tools like SeedHunter for wallet seed phrase theft and OkoSpyware for window capture. The framework uses VMProtect obfuscation, UAC bypass techniques, and maintains persistence through RDP access and scheduled tasks. Victims span more than 25 countries with concentrations in Brazil, Vietnam, Canada, Mexico, and Turkey. Attribution suggests Russian-speaking threat actors based on geoblocking patterns and Russian language artifacts.
Indicators of Compromise
- domain: coffeesaloon.online
- domain: livewallpapers.online
- domain: 2baserec2.guru
- domain: kbeautyreviews.com
- hash: b07d451ee65a1580f20a784c8f0e7a46
- hash: 187a1f68ae786e53d3831166dc84e6d2
- hash: d84e8dc509308523e0209d3cd3544619
- hash: 83e6b8fcb92a0b13e109301f8ff649cf
- hash: 7306885bb4c98f2a9f056104cf092bc9
- hash: b4c2e16cdb513be4dc798f88e2527334
- hash: 2157d2429124ad28db7a26f2477cb985
- hash: 77cecf5e2a622ae07d8ae9913457ab57
- hash: e0c3bc27a65750e740c4f1719e531c7d
- hash: 3d2b43f91f65bfbf36a9c71b6b418876
- hash: 70fef9fd6e351f4d53cfeee8dcdfcd99
- hash: acd31c9941b6c1cabd4e45e6877b9038
- hash: dd52f5108a176c62ad807c327734ad12
- hash: ac93a821617aea1f56d4bc0bef4af327
- hash: 11dbc8a2bea04b15f8f68f3f01e8faf9
- domain: recavb22.online
- domain: thatwascringe.com
OkoBot framework infection chain
Description
In January 2026, researchers identified a sophisticated malware framework dubbed OkoBot that targets cryptocurrency users through a multi-stage infection chain. The campaign begins with TookPS PowerShell scripts delivered via ClickFix attacks or fake software on GitHub. An automated SSH bot deploys over 20 malicious modules including HDUtil launcher, browser extension injectors installing Rilide stealer, and specialized tools like SeedHunter for wallet seed phrase theft and OkoSpyware for window capture. The framework uses VMProtect obfuscation, UAC bypass techniques, and maintains persistence through RDP access and scheduled tasks. Victims span more than 25 countries with concentrations in Brazil, Vietnam, Canada, Mexico, and Turkey. Attribution suggests Russian-speaking threat actors based on geoblocking patterns and Russian language artifacts.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://securelist.com/okobot-framework-targets-cryptocurrency-wallets/120660/"]
- Adversary
- null
- Pulse Id
- 6a5775d2afd24bb0357b62c1
- Threat Score
- null
Indicators of Compromise
Domain
| Value | Description | Copy |
|---|---|---|
domaincoffeesaloon.online | — | |
domainlivewallpapers.online | — | |
domain2baserec2.guru | — | |
domainkbeautyreviews.com | — | |
domainrecavb22.online | — | |
domainthatwascringe.com | — |
Hash
| Value | Description | Copy |
|---|---|---|
hashb07d451ee65a1580f20a784c8f0e7a46 | — | |
hash187a1f68ae786e53d3831166dc84e6d2 | — | |
hashd84e8dc509308523e0209d3cd3544619 | — | |
hash83e6b8fcb92a0b13e109301f8ff649cf | — | |
hash7306885bb4c98f2a9f056104cf092bc9 | — | |
hashb4c2e16cdb513be4dc798f88e2527334 | — | |
hash2157d2429124ad28db7a26f2477cb985 | — | |
hash77cecf5e2a622ae07d8ae9913457ab57 | — | |
hashe0c3bc27a65750e740c4f1719e531c7d | — | |
hash3d2b43f91f65bfbf36a9c71b6b418876 | — | |
hash70fef9fd6e351f4d53cfeee8dcdfcd99 | — | |
hashacd31c9941b6c1cabd4e45e6877b9038 | — | |
hashdd52f5108a176c62ad807c327734ad12 | — | |
hashac93a821617aea1f56d4bc0bef4af327 | — | |
hash11dbc8a2bea04b15f8f68f3f01e8faf9 | — |
Threat ID: 6a58000568715ace438b1866
Added to database: 07/15/2026, 21:47:49 UTC
Last updated: 07/15/2026, 21:47:49 UTC
Views: 1
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.