• Home  
  • OkoBot Malware Framework Targets Hardware Wallets with Seed Phrase Phishing
- Cybersecurity

OkoBot Malware Framework Targets Hardware Wallets with Seed Phrase Phishing

Kaspersky uncovers OkoBot’s SeedHunter module stealing recovery phrases from Ledger and Trezor apps, affecting hundreds across 25+ countries.

OkoBot Malware Framework Targets Hardware Wallets with Seed Phrase Phishing

On July 15, 2026 Kaspersky’s GReAT team reported that OkoBot has been active on Windows machines since April 2025, counting hundreds of victims across more than 25 countries. That’s the catch: the malware doesn’t attack the hardware wallet itself, it hijacks the companion software to phish the recovery phrase. That’s why the term hardware wallet phishing has suddenly become a headline concern for anyone who trusts Ledger or Trezor.

Key Takeaways

  • OkoBot’s SeedHunter module injects malicious pages into Ledger Live, Ledger Wallet, and Trezor Suite.
  • The framework carries over 20 payloads and remains active as of the July 15 report.
  • Victims span Brazil, Vietnam, Canada, Mexico, and Türkiye, reflecting a global reach.
  • Delivery relies on trojanized software masquerading as SQL Server Management Studio and a PowerShell downloader called TookPS.
  • No vendor patch exists; the attack lives on the endpoint, not the device.

Hardware Wallet Phishing: OkoBot’s SeedHunter Module

SeedHunter is the component that actually snatches the seed phrase. Once OkoBot lands on a PC, it watches for any of the three supported wallets and then hooks the Electron internals of the real app. That’s how it can draw a hard‑coded recovery page inside the genuine interface. If the C2 server sets a “Wait” flag, SeedHunter sits idle until a Ledger or Trezor is plugged in, scanning USB IDs by vendor and product. When the flag is off, the fake page pops up immediately.

How the Phishing Page Captures the Phrase

The malicious page isn’t a separate window; it lives inside the legitimate app. The typed phrase is intercepted by a console marker @:app:print, and the hooked mal_LogConsoleMessage function pulls it out. The data is then written as JSON with an RC4 copy dropped into a temporary file. That’s a clever way to bypass the wallet’s built‑in protection, because the hardware itself refuses to expose the private key, but the software still asks for the recovery phrase.

Delivery Vectors and Initial Infection

The framework arrives via two main routes. First, a ClickFix lure tricks users into downloading a trojanized GitHub repo that pretends to be SQL Server Management Studio. In reality it ships Audacity rebuilt with a malicious implant. Second, the repo distributes a PowerShell downloader named TookPS, which Kaspersky has tracked since March 2025. TookPS rides fake DeepSeek pages and bogus business‑software sites, then installs an SSH tunnel back to the attacker’s server.

Once the tunnel is live, the bot enumerates the box, grabs wallet files, browser cookies, and credentials, then silences Windows Defender with a registry write. It also opens the firewall for inbound RDP, adds a Remote Desktop Users account, and swaps termsrv.dll for a patched version that allows concurrent RDP sessions. A scheduled task called “Apple Sync” rebuilds the reverse SSH tunnel every hour.

The Bigger Malware Ecosystem Behind OkoBot

OkoBot isn’t a lone wolf; it pulls in modules over SFTP after the initial foothold. A VMProtect‑packed launcher named HDUtil runs these modules and can silently elevate them through a Windows RPC UAC bypass documented by Project Zero in 2019. The final delivery, called Volume2, is an open‑source utility carrying a malicious protobuf.dll that decrypts and launches the real payload: a plugin dispatcher polling its C2 every 20 seconds.

Kaspersky recovered five plugins, one of which is a process injector that plants SeedHunter into the wallet app. The rest of the kit focuses on surveillance. OkoSpyware watches for over 100 executables—including Exodus and 1Password—captures matching windows to MP4 using a bundled FFmpeg, and logs keystrokes. Browser titles get regex‑matched, so MetaMask or Tonkeeper tabs are recorded. A loader installs hidden Chromium extensions with every permission granted; the extension Rilide, a Chromium stealer used by Russian‑speaking threat actors since April 2023, is part of the payload.

Attribution and Geopolitical Signals

Kaspersky refuses to name an actor, stating, “we can’t attribute this malicious campaign to any known crimeware actor.” That’s a direct quote from the report. The first‑stage PowerShell servers return empty responses to Russian and CIS IPs, hinting at a possible effort to hide origin. SeedHunter phishing pages carry Russian comments, which the report treats as soft signals rather than hard attribution.

Rilide moves on invitation‑only Russian‑speaking forums, and the malicious GitHub repo advertised SQL Server Management Studio but shipped Audacity. Those clues suggest a Russian‑language underground ecosystem, but without a definitive fingerprint, Kaspersky stays cautious.

Defensive Gaps and Mitigations

There’s no CVE for the wallet software, and vendors haven’t released a patch that closes this route. Because the attack lands on the endpoint, the onus falls on users and IT teams to harden their machines. Disabling unsigned PowerShell scripts, restricting USB device auto‑launch, and monitoring for unusual Electron process injections can raise the bar. Endpoint detection platforms should flag the mal_LogConsoleMessage hook and the creation of temporary RC4‑encoded JSON files.

  • Enable Windows Defender Application Control to block unknown executables.
  • Audit scheduled tasks for names like “Apple Sync” that rebuild tunnels.
  • Restrict RDP access to known IP ranges and enforce MFA.
  • Monitor for the presence of termsrv.dll replacements.
  • Use hardware‑based USB authentication to stop unauthorized device triggers.

Developers building wallet integrations should consider sandboxing the UI layer and validating any external content before rendering. That’s a practical step that could prevent malicious Electron injection from compromising the UI.

What This Means For You

If you manage a devops team or run a startup that ships software to finance‑focused users, you need to treat any installer that claims to be a database tool with suspicion. The OkoBot campaign shows that even trusted‑looking installers can carry a sophisticated payload that waits for a hardware wallet to be plugged in. You should enforce code‑signing verification, scan binaries with multiple AV engines, and educate users to download only from official sources.

For developers building on top of Ledger or Trezor APIs, the lesson is clear: never rely on the desktop client’s UI alone for security. Implement additional checks, such as verifying the process tree, and consider prompting users to confirm actions via out‑of‑band channels. If you can’t guarantee the host environment, you’ll need to assume it can be compromised and design your recovery‑phrase handling accordingly.

Looking ahead, will hardware wallet manufacturers start bundling their own hardened UI layers, or will the industry lean on OS‑level protections to stop Electron‑based hijacks? The answer will shape the next wave of wallet security strategies.

Historical Context of Hardware Wallet Phishing

Hardware wallets have long been praised for keeping private keys offline. Early attacks focused on social engineering, coaxing users into revealing seed phrases through email scams or fake support chats. Those campaigns rarely touched the wallet software itself. Over time, attackers realized that the companion applications—Ledger Live, Trezor Suite, and similar tools—offer a convenient bridge between the offline device and the online world. By compromising that bridge, a threat actor can harvest the recovery phrase without ever touching the hardware.

The shift toward Electron‑based injection mirrors a broader trend in malware design. Since the mid‑2010s, many legitimate desktop apps have adopted Electron for cross‑platform UI development. This creates a common runtime environment that can be hijacked with relatively low effort. The OkoBot case is the first publicly documented instance where a seed‑phishing module exploits that runtime to appear inside the genuine wallet interface.

That evolution doesn’t happen in isolation. Prior to OkoBot, security researchers noted proof‑of‑concept tools that could inject malicious HTML into Electron windows. Those tools were largely academic, but they demonstrated the feasibility of the attack vector. OkoBot moves the idea from theory to large‑scale operation, targeting real users across continents.

Competitive Landscape and Vendor Responses

Ledger and Trezor dominate the consumer hardware wallet market, and both rely on Electron for their desktop clients. The report makes clear that neither vendor has issued a patch that directly addresses the SeedHunter injection path. This leaves the software layer exposed while the hardware itself remains uncompromised. Competitors that use native UI frameworks—such as Coldcard or BitBox—avoid the Electron attack surface altogether, though they still depend on companion software for firmware updates and transaction signing.

Vendors have responded with general hardening advice: keep operating systems updated, use reputable antivirus solutions, and avoid installing unsigned applications. Those recommendations are useful but don’t close the specific loophole that SeedHunter exploits. A more targeted response could involve code signing verification for all Electron modules, integrity checks of bundled resources, or the adoption of a sandboxed rendering process that isolates user‑generated content from the core wallet logic.

Industry analysts predict that the next wave of wallet security will blend hardware‑level guarantees with OS‑level isolation techniques. If vendors adopt such measures, the attack surface for future SeedHunter‑style campaigns could shrink dramatically. Until then, the onus remains on users to enforce strict endpoint hygiene.

Key Questions Remaining

  • Will the malware authors evolve SeedHunter to target additional wallets that use Electron, or will they shift to native‑based clients?
  • Can endpoint protection vendors develop signatures that reliably detect the mal_LogConsoleMessage hook without generating false positives?
  • What role will operating‑system hardening—such as Windows AppLocker or macOS Gatekeeper—play in limiting the initial infection vectors?
  • Will hardware wallet manufacturers release a dedicated, hardened UI component that runs outside the Electron runtime?
  • How will the broader crypto community balance usability with the need for stricter security controls on desktop clients?

Answers to these questions will shape the next chapter of wallet security. In the meantime, vigilance is the best defense.

Sources: The Hacker News, original report

About the Author

— AI & Technology Reporter

Halil Kale is an AI and technology reporter at AI Post Daily, where he covers artificial intelligence, machine learning, cybersecurity, and the business of tech. With a background in computer science and over five years of experience tracking the AI industry, Halil specializes in translating complex technical developments into clear, actionable insights for developers, founders, and technology professionals. He has reported on breakthroughs from Anthropic, OpenAI, Google DeepMind, and NVIDIA, as well as critical cybersecurity incidents and emerging robotics applications. Halil believes that understanding AI is no longer optional — it's essential for anyone working in or around technology. At AI Post Daily, he applies rigorous editorial standards to ensure every story is accurate, sourced, and genuinely useful to readers.

About AI Post Daily

Independent coverage of artificial intelligence, machine learning, cybersecurity, and the technology shaping our future.

Contact: Get in touch

We use cookies to personalize content and ads, and to analyze traffic. By using this site, you agree to our Privacy Policy.