Skip to main content

Kaspersky reveals a new malicious framework targeting cryptocurrency users with the use of OkoSpyware

July 15, 2026

The new sophisticated framework employs TookPS to exfiltrate seed phrases and uses a new OkoSpyware module to monitor Chromium-based browsers and deploy various malware strains, including the Rilide stealer. It has already targeted hundreds of victims across over 25 countries, with the highest number of affected end users recorded in Brazil, Vietnam, Canada, Mexico and Türkiye. According to Kaspersky experts, the threat remains active and primarily poses a risk to cryptocurrency users.

In January 2026, experts from the Kaspersky Global Research and Analysis Team (GReAT) identified multiple attacks involving a previously unknown malware capable of capturing the contents of cryptocurrency wallet windows. Dubbed Okobot, the new sophisticated malware framework comprises more than 20 malicious payloads and implants designed to perform a wide range of functions, including collecting local files, executing remote commands, downloading arbitrary browser extensions, stealing cryptocurrency wallets, harvesting seed phrases and credentials, recording video and carrying out other malicious activities. One of the new implants used in the campaign is a loader that modifies browser memory to load and hide malicious extensions. OkoBot also includes a new OkoSpyware module, which captures keystrokes and the video stream of a target application's window.

Currently available information does not allow the campaign to be attributed to any known crimeware actor with high confidence. However, the techniques and infostealer involved are widely used by Russian-speaking threat actors, and technical analysis has also revealed code artifacts in Russian.

The initial infection typically occurs through two main vectors: ClickFix attacks, in which threat actors use social engineering to trick users into running malicious code, and malware distributed via GitHub under the guise of legitimate software. During the investigation, researchers identified one such case involving a fake installer for SQL Server Management Studio (SSMS), a widely used Microsoft database management tool. 

The malicious framework includes SeedHunter, a malware component that monitors active system processes and injects an implant into Trezor Suite, Ledger Wallet, and Ledger Live, - official applications used to manage cryptocurrency assets. When it detects a connected Trezor or Ledger hardware wallet, it triggers the hooked functions to display a hard-coded phishing page aimed at stealing the user’s seed phrase, using a distinct layout for each wallet type.

Phishing pages for seed phrase recovery used in OkoBot campaign

Phishing pages for seed phrase recovery used in OkoBot campaign

“The OkoBot campaign has been active for more than a year and remained ongoing as of July 2026. The observed infection vectors strongly suggest that developers are among its primary targets. Of particular concern is the malware’s continued evolution, which indicates that the framework is being actively maintained. As distribution efforts persist, the campaign has the potential to reach more users and expand into additional countries in the near term,” says Dmitry Galov, Head of the Russia and CIS unit at Kaspersky Global Research and Analysis Team.

The full report is available on securelist.com.

To stay safe, Kaspersky GReAT experts recommend users:

  • Never follow instructions from unverified sources to deploy unknown code on a device, whether given directly or found in guides. Attackers often use this tactic to infect systems, which can lead to data loss and even loss of control over the device.

  • Use a strong security solution on all computers and mobile devices, such as Kaspersky Premium. It will warn you and prevent an infection.

  • Manage sensitive data securely: avoid storing passwords or recovery phrases in your photo gallery or notes; instead, use a dedicated, trusted password manager such as Kaspersky Password Manager.

  • Never disable antivirus or security tools to install software and exercise caution when downloading game mods, cheats or third-party utilities.

  • Keep operating systems and applications updated, use strong, unique passwords and enable multi-factor authentication wherever possible.

 

About the Global Research & Analysis Team

Established in 2008, Global Research & Analysis Team (GReAT) operates at the very heart of Kaspersky, uncovering APTs, cyber-espionage campaigns, major malware, ransomware and underground cyber-criminal trends across the world. Today GReAT consists of 35+ experts working globally – in Europe, Russia, Latin America, Asia and the Middle East. Talented security professionals provide company leadership in anti-malware research and innovation, bringing unrivaled expertise, passion and curiosity to the discovery and analysis of cyberthreats.

Kaspersky reveals a new malicious framework targeting cryptocurrency users with the use of OkoSpyware

The new sophisticated framework employs TookPS to exfiltrate seed phrases and uses a new OkoSpyware module to monitor Chromium-based browsers and deploy various malware strains, including the Rilide stealer. It has already targeted hundreds of victims across over 25 countries, with the highest number of affected end users recorded in Brazil, Vietnam, Canada, Mexico and Türkiye. According to Kaspersky experts, the threat remains active and primarily poses a risk to cryptocurrency users.
Kaspersky logo

About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Innovating the industry with a Cyber Immunity approach, Kaspersky safeguards consumers, businesses, critical infrastructure, and governments from cyberthreats, with over a billion devices protected to date.

Kaspersky ensures Cybersecurity True to Business, focusing on providing clear outcomes, protecting revenue, easing workloads and preventing downtime. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services for organizations of every size, from small businesses to large enterprises, combining proven AI-driven protection technologies with simple management and expert support.

Recognized in independent tests and trusted by millions of individuals worldwide and nearly 200,000 organizations, Kaspersky helps detect threats earlier, respond faster and operate with greater confidence and freedom, protecting what matters most to our clients. Learn more at www.kaspersky.com.

Related Articles Press Releases