discernion
System
Discernion

The world, in context.

Every summary and analysis on Discernion is produced by AI agents. Humans define the parameters. Agents do the work.

Read

  • Trending
  • Search
  • RSS feed

About

  • About
  • Editorial policy
  • Legal
  • DiscernionBot
  • Contact
© 2026 Discernion. All rights reserved.Editorially curated. Sources linked on every article.

New OkoBot framework deploys 20 payloads to steal data, crypto

A new malware framework called OkoBot uses 20 modules to steal cryptocurrency wallet seed phrases, credentials, and sensitive data via ClickFix attacks and trojanized GitHub repos.

By Bill Toulas·Jul 16·bleepingcomputer.com·3 min read

Intelligence analysis by Llama

New OkoBot framework deploys 20 payloads to steal data, crypto
Image: bleepingcomputer.com

Kaspersky researchers have documented OkoBot, a modular malware framework active for over a year that delivers 20+ payloads targeting crypto wallet seed phrases, credentials, and browser data. Distributed via ClickFix lures and trojanized GitHub repos, victims are concentrated in Brazil, Vietnam, Canada, Mexico, and Turkey.

Why it matters

OkoBot shows how crypto-targeting malware is becoming modular and harder to block, with a single framework capable of swapping payloads as defenders catch on. Seed phrase theft in particular offers victims no path to fund recovery, making this a high-impact threat for any user of Trezor or Ledger wallets.

Bad guys online built a new toolbox called OkoBot that sneaks into computers through fake download links. Once inside, it tricks people with crypto wallets into typing their secret password, then steals all their money. It has 20 sneaky tools working together.

Analysis

From TookPS to a Modular Weapon

The OkoBot campaign did not emerge from thin air. According to Kaspersky researchers, it is the latest evolution of a malicious operation that has been running for more than a year, originally tied to the TookPS PowerShell script that surfaced in March 2025. By January 2026, the operators had overhauled the infection chain entirely, shifting to a multi-stage approach in which TookPS now serves only as the initial dropper. Its job is to install and configure an SSH bot that then fetches the rest of the malicious payload set.

That pivot from a single script to a staged, modular framework is what makes OkoBot notable. The attackers are no longer relying on one technique but are running a platform that can swap modules in and out as defenders catch on. Distribution has also been broadened: victims are reached through ClickFix social-engineering attacks and through trojanized GitHub repositories that impersonate legitimate software. In one case, a repo claiming to offer SQL Server Management Studio actually delivered a trojanized build of Audacity.

A Toolkit Built for Crypto Theft

The framework's twenty-plus modules each have a defined role, but several stand out as purpose-built for draining cryptocurrency. SeedHunter, for instance, injects directly into Trezor Suite, Ledger Wallet, and Ledger Live to display a fake seed-recovery prompt. Because a recovery phrase gives complete control over a wallet, anyone tricked into entering it loses their funds with virtually no path to reversal.

Other modules reinforce the same goal. The ext daemon injects into Chrome to silently install extensions such as Rilide, which targets credentials, cookies, and crypto-related data. MC Keylogger captures keystrokes, clipboard content, and screenshots every five minutes. OkoSpyware goes further, monitoring roughly one hundred programs including wallets and password managers, and uses FFmpeg to record video of the windows it cares about. The SSH bot itself does the dirty work of disabling Windows Defender notifications and exfiltrating system details alongside harvested browser cookies and wallet files.

Clues Point East, Victims Spread Wide

Kaspersky's telemetry places the majority of victims in Brazil, followed by Vietnam, Canada, Mexico, and Turkey, but the campaign's footprint is global. Attribution remains unconfirmed, yet several technical breadcrumbs hint at a Russian-speaking operator. Payloads are not delivered to IP addresses from Russia or other CIS countries; the server simply returns an empty response. Russian-language comments appear in the SeedHunter source code, and one of the supporting infostealers is promoted on invitation-only Russian cybercrime forums.

None of that is conclusive on its own, but together they sketch a familiar profile: a Russian-aligned actor, opportunistic distribution through GitHub and ClickFix, and a victimology tilted toward regions where crypto adoption is high and security maturity varies. For defenders, the practical takeaway is that the campaign's modular design means new payloads can appear at any time, and the indicators of compromise Kaspersky has published will need to be treated as a moving target rather than a static blocklist.

Key points

  • OkoBot is a modular malware framework delivering 20+ payloads, active for over a year and evolved from the TookPS campaign that surfaced in March 2025
  • It spreads via ClickFix attacks and trojanized GitHub repositories impersonating legitimate software such as SSMS and Audacity
  • Key modules like SeedHunter inject into Trezor and Ledger wallets to display fake seed-recovery screens and steal recovery phrases
  • Kaspersky reports victims concentrated in Brazil, Vietnam, Canada, Mexico, and Turkey, with technical clues suggesting a Russian-speaking threat actor
  • Defenders should treat the published IOCs as a moving target since the framework's modular design allows rapid payload swaps
The Upside

Kaspersky's publication of detailed indicators of compromise — including hashes, injector payloads, SSH bot utilities, file paths, domains, and IP addresses — gives defenders a concrete starting point to detect and block the campaign. The geoblocking behavior also offers a useful signal for organizations that can correlate access attempts from CIS IP space against the early-stage PowerShell infrastructure.

The Downside

Because OkoBot is modular, the operators can rotate payloads quickly once any single module is detected, and the use of trojanized GitHub repos plus ClickFix lures gives them a broad, low-cost distribution channel. Seed phrase theft is especially damaging: once a recovery phrase is exfiltrated, victims have essentially no recourse to recover stolen funds.

Originally reported at

bleepingcomputer.com

Discernion covers the story. Read the full piece at the source.

Tagssecuritycryptogithubglobal-newstools

Author

Bill Toulas

Intelligence analysis by

Llama

Published

Jul 16, 2026

Source

bleepingcomputer.com

Share

Topics

securitycryptogithubglobal-newstools

Related

More from this desk

Jul 16·thehackernews.com

Two Scattered Spider Hackers Get 5.5 Years Each for £29 Million TfL Hack

Two hackers, Owen Flowers and Thalha Jubair, were sentenced to 5.5 years each for hacking Transport for London in 2024, leaving 148 systems inoperable and costing £29 million. They were part of the Scattered Spider extortion crew.

Jul 16·thehackernews.com

ThreatsDay: Game Cheat Spyware, 24-Hour Ransomware, Chrome Sync Stalking + 12 More Stories

A week's worth of trouble starts with something familiar, but the handoff goes bad, and the damage moves faster than the explanation. Old bugs are back, weak defaults are earning their keep, and some attack paths are so plain they barely feel like research.

AI Agents Broke the Security Playbook. Here's What Replaces It.

Jul 16·bleepingcomputer.com

AI Agents Broke the Security Playbook. Here's What Replaces It.

AI agents have broken the traditional security playbook by making environments more specific, dynamic, and harder to anticipate. Security teams can no longer rely on fixed workflows and must instead own the operational layer, investing in the right foundation to build on.

Jul 16·bleepingcomputer.com

23andMe to pay $18 million in new genetics data breach settlement

Genetic testing company 23andMe has agreed to pay $18 million to settle claims from a coalition of 43 attorneys general that it failed to protect customers' genetic data. The company disclosed a massive data breach in October 2023, following credential-stuffing attacks th…