Cyber Security

Kaspersky reveals the crypto wallet attack of 20 modules by OkoBot

Kaspersky has exposed OkoBot, a 20-year-old malware that uses about 20 modules to steal crypto wallet recovery phrases and affect users in at least five countries.

Summary

  • Kaspersky revealed OkoBot that uses about 20 modules to steal crypto wallet information.
  • The malware affected users in Brazil, Vietnam, Canada, Mexico, and Turkey.
  • OkoBot uses fake recovery screens, keylogging, spyware, and ClickFix commands to target victims.

Kaspersky researchers discovered that the malware remained active for more than a year, according to a report published by Bits.media. Most of the identified victims were located in Brazil, Vietnam, Canada, Mexico, and Turkey, while the operators blocked IP addresses from Russia and other countries of the Commonwealth of Independent States.

Distributed through GitHub repositories, OkoBot is disguised as official software, including Microsoft SQL Server Management Studio. Kaspersky discovered that the attackers relied on the ClickFix social engineering method, which tricks victims into running malicious commands on their devices.

The program often presents users with bogus error messages, verification steps, or repair instructions. Following those directions causes victims to execute code that installs malware without realizing that the command is malicious.

OkoBot targets seed phrases and bag details

Among the OkoBot modules, SeedHunter displays a fake recovery interface connected to hardware wallets such as Ledger and Trezor, according to Kaspersky. When users enter their recovery phrases on the fake screen, the module sends information to the malware’s operators.

A second module called MC Keylogger records keyboard input and monitors clipboard activity, allowing it to capture passwords, copied wallet addresses, and other credentials. OkoSpyware can track wallet passwords and record videos of open windows, giving attackers another way to view activity on an infected device.

Once the rescue phrase is exposed, attackers can use it to take control of the associated wallet and transfer its assets. Kaspersky warned that victims have little chance of recovering stolen cryptocurrency because blockchain transfers are usually irreversible.

The malware’s modular design also allows its operators to collect different types of information on a single infected system. According to the security company’s findings, OkoBot can identify both wallet access data and information connected to other services used on the device.

The ClickFix attack also targets crypto developers

OkoBot is the latest malware campaign discovered using ClickFix against the cryptocurrency sector. As crypto.news reported in April, North Korea’s state-backed Lazarus Group used a similar method in the macOS campaign known as “Mach-O Man.”

Citing research from CertiK, the report found that Lazaru sent fake online meeting invitations to fintech and crypto executives. Victims were instructed to paste so-called repair or authentication commands into macOS Terminal, which installed malware capable of stealing cryptocurrency and business information.

CertiK also discovered that Mach-O Man’s toolkit removed itself after the operation, making scientific analysis more difficult. The campaign combined social engineering with terminal-level commands instead of relying solely on downloading malicious files.

Developer tools have provided another route to crypto systems. In May, crypto.news reported that the TrapDoor malware was distributed in poisoned software packages targeting developers of cryptocurrency, decentralized finance, artificial intelligence, and security infrastructure.

According to that report, TrapDoor sought wallet data, API keys, cloud credentials, and SSH access tied to services and ecosystems including Coinbase, Binance, MetaMask, Brave, Solana, Sui, and Aptos. The researchers also found hidden commands designed to trick Claude and Cursor into running fake security scans that reveal secrets and pass them on to attackers.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button