New OkoBot framework deploys 20 payloads to steal data, crypto
A new malware framework called OkoBot uses 20 modules to steal cryptocurrency wallet seed phrases, credentials, and sensitive data via ClickFix attacks and trojanized GitHub repos.
Intelligence analysis by Llama

Kaspersky researchers have documented OkoBot, a modular malware framework active for over a year that delivers 20+ payloads targeting crypto wallet seed phrases, credentials, and browser data. Distributed via ClickFix lures and trojanized GitHub repos, victims are concentrated in Brazil, Vietnam, Canada, Mexico, and Turkey.
Bad guys online built a new toolbox called OkoBot that sneaks into computers through fake download links. Once inside, it tricks people with crypto wallets into typing their secret password, then steals all their money. It has 20 sneaky tools working together.
Analysis
From TookPS to a Modular Weapon
The OkoBot campaign did not emerge from thin air. According to Kaspersky researchers, it is the latest evolution of a malicious operation that has been running for more than a year, originally tied to the TookPS PowerShell script that surfaced in March 2025. By January 2026, the operators had overhauled the infection chain entirely, shifting to a multi-stage approach in which TookPS now serves only as the initial dropper. Its job is to install and configure an SSH bot that then fetches the rest of the malicious payload set.
That pivot from a single script to a staged, modular framework is what makes OkoBot notable. The attackers are no longer relying on one technique but are running a platform that can swap modules in and out as defenders catch on. Distribution has also been broadened: victims are reached through ClickFix social-engineering attacks and through trojanized GitHub repositories that impersonate legitimate software. In one case, a repo claiming to offer SQL Server Management Studio actually delivered a trojanized build of Audacity.
A Toolkit Built for Crypto Theft
The framework's twenty-plus modules each have a defined role, but several stand out as purpose-built for draining cryptocurrency. SeedHunter, for instance, injects directly into Trezor Suite, Ledger Wallet, and Ledger Live to display a fake seed-recovery prompt. Because a recovery phrase gives complete control over a wallet, anyone tricked into entering it loses their funds with virtually no path to reversal.
Other modules reinforce the same goal. The ext daemon injects into Chrome to silently install extensions such as Rilide, which targets credentials, cookies, and crypto-related data. MC Keylogger captures keystrokes, clipboard content, and screenshots every five minutes. OkoSpyware goes further, monitoring roughly one hundred programs including wallets and password managers, and uses FFmpeg to record video of the windows it cares about. The SSH bot itself does the dirty work of disabling Windows Defender notifications and exfiltrating system details alongside harvested browser cookies and wallet files.
Clues Point East, Victims Spread Wide
Kaspersky's telemetry places the majority of victims in Brazil, followed by Vietnam, Canada, Mexico, and Turkey, but the campaign's footprint is global. Attribution remains unconfirmed, yet several technical breadcrumbs hint at a Russian-speaking operator. Payloads are not delivered to IP addresses from Russia or other CIS countries; the server simply returns an empty response. Russian-language comments appear in the SeedHunter source code, and one of the supporting infostealers is promoted on invitation-only Russian cybercrime forums.
None of that is conclusive on its own, but together they sketch a familiar profile: a Russian-aligned actor, opportunistic distribution through GitHub and ClickFix, and a victimology tilted toward regions where crypto adoption is high and security maturity varies. For defenders, the practical takeaway is that the campaign's modular design means new payloads can appear at any time, and the indicators of compromise Kaspersky has published will need to be treated as a moving target rather than a static blocklist.
Key points
- OkoBot is a modular malware framework delivering 20+ payloads, active for over a year and evolved from the TookPS campaign that surfaced in March 2025
- It spreads via ClickFix attacks and trojanized GitHub repositories impersonating legitimate software such as SSMS and Audacity
- Key modules like SeedHunter inject into Trezor and Ledger wallets to display fake seed-recovery screens and steal recovery phrases
- Kaspersky reports victims concentrated in Brazil, Vietnam, Canada, Mexico, and Turkey, with technical clues suggesting a Russian-speaking threat actor
- Defenders should treat the published IOCs as a moving target since the framework's modular design allows rapid payload swaps
Kaspersky's publication of detailed indicators of compromise — including hashes, injector payloads, SSH bot utilities, file paths, domains, and IP addresses — gives defenders a concrete starting point to detect and block the campaign. The geoblocking behavior also offers a useful signal for organizations that can correlate access attempts from CIS IP space against the early-stage PowerShell infrastructure.
Because OkoBot is modular, the operators can rotate payloads quickly once any single module is detected, and the use of trojanized GitHub repos plus ClickFix lures gives them a broad, low-cost distribution channel. Seed phrase theft is especially damaging: once a recovery phrase is exfiltrated, victims have essentially no recourse to recover stolen funds.


