Kaspersky details OkoBot malware that injects fake wallet recovery screens to steal seed phrases

·

Kaspersky says a malware framework called OkoBot is stealing cryptocurrency wallet recovery phrases by injecting fake “wallet recovery” screens into legitimate desktop apps used with hardware wallets, after infecting Windows systems through GitHub-hosted trojanized software and ClickFix-style social-engineering lures.

The threat matters because a recovery phrase, also called a seed phrase, is effectively the master key to a crypto wallet. If a victim types real seed words into a fake prompt, an attacker can use that phrase to restore the wallet on another device and move the funds. Kaspersky said this is not a flaw in the hardware wallets themselves. Instead, the attack targets the user’s Windows computer and the desktop software used alongside the device.

Kaspersky’s Global Research and Analysis Team, or GReAT, described the campaign in a technical analysis published July 15 titled “OkoBot: new sophisticated malware framework targets cryptocurrency users.” The company said OkoBot is a multi-stage malware framework with more than 20 malicious modules and payloads designed to steal crypto wallets and other credentials.

For crypto users, the key module is one Kaspersky calls SeedHunter. According to the report, SeedHunter injects into desktop companion apps for hardware wallets, including Trezor Suite, Ledger Wallet and Ledger Live. Once inside a legitimate app process, it can display a fake recovery page that appears to come from the real software. That makes the trick harder to spot than a typical phishing website or a completely fake app, because the prompt shows up within software the victim already trusts.

Kaspersky said it observed two main ways victims were infected. One involved ClickFix-style social engineering, in which users are persuaded to run malicious code under the guise of fixing a problem or completing a task. The other involved trojanized software distributed through GitHub repositories that impersonated legitimate installers. In one example cited by Kaspersky, a repository promoted as Microsoft SQL Server Management Studio actually delivered Audacity that had been rebuilt with a malicious implant.

The campaign has affected hundreds of victims in more than 25 countries, Kaspersky said. The largest observed shares were in Brazil, Vietnam, Canada, Mexico and Türkiye. The company said the activity has been active and evolving for more than a year, with traces from March 2025 into mid-2026, and it was still active when the report was published.

Kaspersky did not tie OkoBot to a known hacking group. “At the time of writing, we can’t attribute this malicious campaign to any known crimeware actor,” the company said in its Securelist report.

In a July 15 press release, Kaspersky said the campaign’s distribution methods suggest developers and IT specialists are among the main intended targets, likely because they are more inclined to download tools from GitHub or execute commands presented in technical prompts.

The campaign is also a reminder that this is partly a software trust and supply-chain problem, not just a crypto one. The hardware wallet may remain uncompromised while the attacker manipulates what the user sees on the computer connected to it.

The practical advice is straightforward. Users should be highly suspicious of any computer prompt asking for a wallet recovery phrase, avoid unofficial installers and unknown code, and rely on the hardware wallet’s own screen as the trusted interface for sensitive actions. Standard hardware-wallet guidance still applies: users generally should not type a recovery phrase into a computer-side prompt unless they are following an official, device-specific recovery process.

Tags: #cybersecurity, #malware, #cryptocurrency, #hardwarewallets, #supplychain