Kaspersky’s Global Research and Analysis Team (GReAT) has issued a security alert regarding the rapid spread of OkoBot, a sophisticated malware framework actively targeting cryptocurrency users across 25 countries. The warning follows an uptick in malicious attacks and accompanying advice for increased user vigilance.
Modular malware targets unsuspecting crypto holders
Kaspersky, a global leader in cybersecurity solutions, reported that hackers have adapted their techniques, now prioritizing individuals who previously considered their systems secure. OkoBot’s operators specifically focus on owners of digital assets, utilizing advanced methods to compromise their wallets.
The ongoing campaign exploits official desktop wallet applications used for cryptocurrency management—namely Ledger Live, Ledger Wallet, and Trezor Suite—by injecting a counterfeit verification prompt. This approach aims to harvest vital information and ultimately obtain unauthorized access to user funds.
Kaspersky GReAT cautions that the OkoBot malware intercepts legitimate wallet applications, triggering a fake verification window intended to steal sensitive credentials from cryptocurrency holders.
To reduce risk, experts provide three security recommendations: never type seed phrases using a PC keyboard, refrain from running third-party scripts from unidentified internet sources, and regularly check for concealed Remote Desktop Protocol (RDP) connections on personal devices.
Targeting IT professionals with deceptive installs
Attackers have shifted their focus toward IT specialists and developers, leveraging their familiarity with digital tools to trick them into downloading malware. The initial infection often occurs when hackers embed OkoBot in counterfeit versions of widely used work utilities and distribute these altered installers via platforms like GitHub.
Researchers have identified OkoBot embedded within a fraudulent Microsoft SQL Server Management Studio (SSMS) installer, highlighting the risk for professionals who may inadvertently compromise their systems.
Beyond disguised installers, a notable attack vector involves so-called ClickFix techniques. These social engineering exploits persuade users to execute malicious code in terminal windows, typically by presenting fabricated browser errors and offering code-based “fixes.”
Mini dictionary: ClickFix attacks are a form of social engineering where attackers prompt victims to execute seemingly harmless commands in their terminal or command line, under the false premise of resolving system or browser issues. These actions install malware without the victim’s knowledge.
Expanding toolkit and international reach
OkoBot employs a modular structure, containing more than 20 separate components to maximize impact. Among these are the Rilide infostealer, which exfiltrates stored information, and the OkoSpyware surveillance module, enhancing the malware’s ability to remain undetected and adapt to security measures.
Kaspersky GReAT observed the highest infection rates in Brazil, Vietnam, Canada, Mexico, and Turkey, but analysts expect OkoBot to reach a wider range of targets due to its adaptable and customizable features.
| Country | Reported OkoBot Infections |
|---|---|
| Brazil | High |
| Vietnam | High |
| Canada | High |
| Mexico | High |
| Turkey | High |
The attackers have also developed hidden browser extensions compatible with Chromium-based browsers, such as Chrome and Edge. These extensions are designed to be invisible in the list of installed add-ons, increasing the risk that users remain unaware of malicious software operating within their systems.
In the malware’s final stage, victims’ computers may be sold at scale to other cybercriminals. Persistence mechanisms include the creation of new administrator accounts and permanent Secure Shell (SSH) tunnels to maintain remote access through RDP.
The modular nature of OkoBot, coupled with its ability to hide malicious browser extensions and maintain deep system access, signals a significant escalation in targeted attacks against cryptocurrency holders and IT professionals.




