OkoBot: New Sophisticated Malware Framework Targets Cryptocurrency
Kaspersky GReAT dissects OkoBot, a multi-stage framework using SSH tunnels and over 20 payloads to steal cryptocurrency wallet seed phrases, browser data, and credentials.

Executive Summary
Kaspersky's Global Research and Analysis Team (GReAT) has identified a sophisticated new malware framework dubbed OkoBot that is actively targeting cryptocurrency users. First observed in January 2026, the framework orchestrates over 20 distinct malicious payloads and implants through an SSH tunnel, enabling attackers to steal cryptocurrency wallet seed phrases, browser credentials, and sensitive files. The campaign remains active as of July 2026, with initial infection vectors including ClickFix attacks and trojanized software packages on GitHub.
Technical Analysis
According to Kaspersky researcher Yaroslav Kikel, OkoBot represents a significant evolution from earlier TookPS-based campaigns first spotted in March 2025. The framework's infection chain consists of four tightly coupled stages, beginning with the execution of the malicious PowerShell script TookPS, which installs an SSH client on the victim's machine and establishes a persistent reverse tunnel to an attacker-controlled server.
Initial Infection Vectors
Attackers rely on two primary delivery mechanisms:
- ClickFix attacks: Social engineering prompts that trick users into running malicious PowerShell commands.
- Trojanized GitHub repositories: A fake SQL Server Management Studio (SSMS) package distributed through GitHub, which actually bundles the legitimate Audacity audio editor with a malicious implant embedded in one of its libraries. The repository existed from March to June 2025 and was indexed by search engines, appearing prominently for SSMS-related queries.
Back Connection and System Reconnaissance
Once TookPS executes, an automated SSH bot connects to the forwarded port and performs extensive reconnaissance:
- Collects system information (usernames, antivirus software, IP address, OS version)
- Harvests cryptocurrency wallet files, browser cookies, profiles, and credentials
- Disables Windows Defender notifications via registry modification
- Opens firewall ports for inbound RDP traffic, creates a user in the Remote Desktop Users group, replaces legitimate
termsrv.dllwith a patched version for concurrent RDP sessions, and creates a scheduled task named "Apple Sync" to maintain the reverse SSH tunnel
Payload Delivery and Modular Architecture
The SSH bot retrieves malicious modules over SFTP. One key component is HDUtil, a launcher protected with VMProtect and heavily obfuscated. It deploys various malicious modules via the target command and implements three auxiliary commands not observed in analyzed attacks, indicating further capability.
Kaspersky identified two distinct versions of the framework. The original chain used HDUtil → extl injector → Rilide stealer. A newer version discovered in March 2026 replaced this with the ext_daemon Volume2 plugin and removed TeviRAT, likely because its functions were absorbed by the new plugins dispatcher.
Malicious Modules
The framework includes over 20 payloads covering:
- SeedHunter MC: Extracts cryptocurrency wallet seed phrases from clipboard and browser storage
- Keylogger: Captures keystrokes
- OkoSpyware: Monitors Chromium-based browsers
- Artifacts exfiltration: Collects and exfiltrates sensitive files via SSH tunnel
- Plugins dispatcher: Orchestrates module execution
- UAC bypass: Escalates privileges
Kaspersky detection names include Trojan-Downloader.Win32.TookPS., Trojan.Win64.BypassUAC., Trojan-Banker.Script.Agent.gen, and Backdoor.Win32.TeviRat.*, among others.
Mitigations & Recommendations
Defenders should monitor for anomalous SSH outbound connections from endpoints, particularly those initiated by PowerShell scripts or scheduled tasks. Organizations with cryptocurrency operations should restrict clipboard access for browser processes and implement application whitelisting to block unauthorized executables. Review GitHub-sourced software carefully, especially packages that mimic popular tools like SSMS. Kaspersky recommends enabling detection for the listed malware families and auditing scheduled tasks for suspicious entries named "Apple Sync" or similar.
Stay Updated
Get the latest cybersecurity news delivered to your inbox.
