Cyber Security

OkoBot Malware Framework Injects Criminal Seed Tokens into Ledger and Trezor Applications

A malware framework called For Bot it has been running on Windows machines since April 2025, and one of its modules is designed to integrate hardware wallet owners into their recovery sentence.

On an infected PC, the request appears within the wallet’s desktop software. Sometimes it waits until you connect the device first. The page is malicious. The app around is the actual one you put in, and the phrase is the wallet.

Kaspersky’s GReAT team published the teardown on Wednesday, listing hundreds of victims in its telemetry in more than 25 countries. The largest share of affected users in Brazil, Vietnam, Canada, Mexico, and Türkiye.

How many of them typed the phrase, the report does not say. OkoBot carries more than 20 payloads and attachments and was still active as of the July 15 report.

SeedHunter is waiting for the device

SeedHunter is an OkoBot module that steals a sentence. Once the framework arrives, it watches Trezor Suite, Ledger Wallet, and Ledger Live, injects any it finds, and connects to Electron’s internal application. Then it asks its C2 to moonsand[.]store.

If the server sets the i Wait tag, SeedHunter scans the USB for vendor and product ID and remains static until a real Ledger or Trezor is connected. Only then does it draw a hard-coded recovery page, one layout per product. If the flag is disabled, the page appears faster. The typed phrase goes to the page console after an @:app:print tag, and hook mal_LogConsoleMessage he picked it up. It goes as JSON, with an RC4 copy placed in a temporary file.

The hardware bag is not breakable. It does the one thing it was designed for, which is to refuse to let go of the key, and it can’t stop the accompanying software from asking you for a phrase instead.

There is no half a new trick. Moonlock Lab tracked down the macOS hackers who made the swap version, and THN covered those Ledger Live bundled apps: AMOS killed Ledger Live and dropped the featured clone /Applications looking for 24 voices.

GlassWorm makes a USB boot into Windows in March, uses WMI to detect the device, then throws its window up after killing the actual application. What SeedHunter changes is where the page is pulled. It leaves the application running and draws within it.

SSMS Was Actually Audacity

Two main methods: ClickFix lure, and trojanized software on GitHub. The repo Kaspersky distributed SQL Server Management Studio. The one he sent was Audacity, an audio editor, rebuilt with a malicious implant inside one of its libraries. It is ranked at the top of the SSMS. It lasted from late March 2025 to June.

Both methods use TookPS, a PowerShell downloader that Kaspersky has tracked since March 2025, when it loaded fake DeepSeek pages, then fake corporate download sites. It SSHs in, calls the attacker-controlled server, forwards the local SSH daemon port, and waits. Later, the default SSH bot connects back to the tunnel.

The bot installs a box on the installed AV, then drags wallet files, cookies, browser profiles, and information out of the tunnel. Silences Defender notifications with registry entries and creates a desktop:

  1. Opens the incoming RDP firewall
  2. Add the account to the Remote Desktop users group
  3. Replaces termsrv.dll with a pooled structure that allows simultaneous RDP sessions
  4. Registers a scheduled function that is called Apple Sync which rebuilds the reverse SSH tunnel for the local RDP port every hour

Modules arrive via SFTP after that. A full VMProtect launcher called HDUtil runs them and can silently remove them by using the Windows RPC UAC bypass written by Project Zero in 2019.

The final delivery is Volume2, an open source utility that manages malicious protobuf.dll which removes the encryption and starts the real payment: the plugin dispatcher polls its C2 every 20 seconds. Kaspersky found five plugins. Another process injection, and that’s what puts SeedHunter in place.

The rest of the kit is surveillance. OkoSpyware monitors 100-plus utilities, Exodus, and 1Password among them. It records the same window to MP4 with integrated FFmpeg and embeds keystrokes in it.

Browser headers are matched with regex, so a MetaMask or Tonkeeper tab is recorded. MC Keylogger includes input, clipboard, USB devices, and takes a screenshot every five minutes. The loader installs hidden Chromium extensions with all permissions granted; Rilide, a Chromium hacker used by Russian-speaking horror actors since April 2023, is what he has installed.

Whose Draft?

Kaspersky will not name the actor: “We cannot identify this malicious campaign to any known crimeware actor.” First-class PowerShell hosts return an empty response to Russian and CIS IPs. Rilide moves forward to invitation-only Russian-speaking sites.

SeedHunter’s phishing pages have Russian comments. Those are mild symptoms, and the report treats them as such.

There is no wallet CVE and no vendor patch that closes this loophole. It lives in the last place instead, and the artifacts are clear enough to hunt:

  • A planned activity named Apple Sync
  • %PROGRAMDATA%hwid.dat, %PROGRAMDATA%HDVideoHDUtil.exe, %USERPROFILE%.sshgo.bat
  • termsrv.dll changed in its ship formation
  • Unauthorized Remote Desktop User Accounts
  • Outbound SSH from user endpoints
  • Extensions to Local Extension Settings that do not appear in the browser extension list

Kaspersky’s post contains C2 hashes and domains. Vendors draw the line at the device. Ledger says the name doesn’t go anywhere but Ledger himself.

Trezor Suite says it will never ask you to type your backup, although the Model One’s standard restore takes names from the Suite, and only if the device asks. The page that appears because you have connected, with nothing on the device screen behind it, is what it says.

After that the rebuild is March 2026. TeviRAT is no more. The HDUtil to exptl to Rilide chain is gone, it’s been rolled into a single dispatcher plugin that does the same job. Volume2 is out now direct from TookPS. No one prunes the codebase they’re about to leave.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button