OkoBot is a modular Windows malware framework active since 2025 and focused heavily on cryptocurrency theft, remote access, and surveillance of infected systems. It evolved from TookPS-based intrusion chains and has been observed deploying a multi-stage toolset that establishes SSH-based operator access, maintains persistence, and delivers numerous follow-on implants. The framework has been used against victims in more than 25 countries, with notable concentrations in Brazil, Vietnam, Canada, Mexico, and Türkiye.
Initial compromise has been observed through ClickFix lures and trojanized software distributed via GitHub while masquerading as legitimate applications. After execution, the TookPS PowerShell downloader installs SSH components, creates a tunnel for remote access, and enables additional operator access mechanisms including RDP-related changes and scheduled-task persistence. Subsequent stages deliver modules over SFTP, including launchers, injectors, browser-focused implants, and a plugin dispatcher that polls command-and-control infrastructure for tasks and can load additional payloads in memory.
OkoBot supports a broad post-compromise capability set. Observed components include environment enumeration, command execution, PowerShell execution, process injection, browser extension abuse, credential and cookie theft, wallet-file theft, keylogging, clipboard capture, screenshot capture, and targeted video recording of application windows. Some variants deployed the Rilide Chromium stealer as a hidden browser extension. Other modules include MC Keylogger, which captures keystrokes, clipboard contents, USB activity, and periodic screenshots, and OkoSpyware, which monitors more than 100 targeted applications, including cryptocurrency wallets and password managers, and records targeted windows to video while logging user input.
A notable OkoBot module, SeedHunter, targets users of Ledger and Trezor companion applications on Windows. Rather than compromising the hardware wallet itself, SeedHunter injects into legitimate wallet desktop applications, hooks Electron internals, and displays counterfeit recovery interfaces inside the trusted application context. It can monitor for supported wallet software and optionally wait until a real hardware wallet is connected before presenting the phishing prompt. Recovery phrases entered by the victim are captured and exfiltrated. This technique abuses trust in the endpoint software environment rather than exploiting a vulnerability in the hardware wallet.
The framework has shown ongoing development, including architectural changes in 2026 that consolidated parts of the infection chain into a Volume2-based plugin dispatcher and replaced earlier components. Attribution to a specific actor remains unconfirmed, although reporting has noted overlap with Russian-speaking cybercrime tradecraft and ecosystem artifacts. OkoBot is best characterized as a maintained, adaptable crimeware framework centered on cryptocurrency theft, credential access, surveillance, and durable remote control of Windows endpoints.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
26 distinct techniques documented for this family, organized by ATT&CK tactic.
Two main ways in: a ClickFix lure, and trojanized software on GitHub
Create a scheduled task named Apple Sync to maintain a reverse SSH tunnel that forwards the local RDP port every hour
PowerShell wrapper (11xx): allows running scripts and individual commands in PowerShell.
CMD wrapper (10xx): allows running scripts and individual commands in cmd.
The initial infection is primarily delivered through two vectors: a ClickFix attack, and malware distributed through GitHub that masquerades as legitimate software.
One such example is the fake SQL Server Management Studio (SSMS) package distributed through GitHub.
Kaspersky recovered five plugins. One is a process injector, and that is what puts SeedHunter in place.
After that, the files are deleted from the victim’s system and a command history file, ConsoleHost_history.txt , is cleared.
Environment enumerator (12xx): gathers system information, active sessions, and processes.
The automated SSH bot collects system information such as usernames, antivirus software installed, the IP address, and OS version.
25 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A modular Windows malware framework active since April 2025 that deploys multiple payloads and implants, including wallet-seed phishing, surveillance, credential and wallet theft, persistence, remote access, and plugin-based post-compromise tooling.
A multi-stage malware framework delivered initially via TookPS, using SSH tunneling and an automated SSH bot to deploy more than 20 payloads and implants for persistence, remote access, browser extension abuse, credential theft, crypto theft, surveillance, and exfiltration.
A multi-stage malicious framework delivered initially via TookPS that uses SSH tunneling, SFTP-delivered modules, browser-extension abuse, plugin-based tasking, credential and wallet theft, surveillance, and exfiltration.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.