Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

OkoBot Malware Framework Injects Seed Phrase Phishing Into Ledger and Trezor Apps: A Growing Concern for Cybersecurity



A new malicious framework known as OkoBot has been discovered that injects seed phrase phishing into Ledger and Trezor apps, posing a significant risk to hardware wallet users. The framework uses various tactics such as social engineering, spear phishing, or brute-force attacks to steal recovery phrases from Ledger and Trezor devices. Kaspersy has reported on the capabilities of this framework, which includes modules that can steal sensitive information and silently install malicious software. Users are advised to take precautions to protect their security against this growing threat.

  • The OkoBot malware framework has been detected on Windows machines since April 2025, targeting Ledger and Trezor hardware wallet owners.
  • The framework consists of two main modules: SeedHunter and TookPS, which work together to steal recovery phrases and sensitive information.
  • The malware also includes a module called HDUtil, which can elevate other modules silently through a Windows RPC UAC bypass.
  • The OkoBot framework is considered a supply chain attack due to its reliance on compromised software repositories.
  • It has affected hundreds of machines across 25 countries, with Brazil, Vietnam, Canada, Mexico, and Türkiye being the most impacted.
  • The malware can also steal sensitive information such as login credentials, clipboard data, USB device data, and screenshots.
  • Kaspersy was unable to attribute this malicious campaign to any known crimeware actor, raising concerns about potential state-sponsored involvement.



  • THN has reported on a growing concern in the cybersecurity space, specifically regarding a malware framework known as OkoBot that has been running on Windows machines since April 2025. This malicious framework is built to con hardware wallet owners out of their recovery phrase. The OkoBot malware framework has two main modules: SeedHunter and TookPS.

    The SeedHunter module steels the phrase using various tactics such as social engineering, spear phishing, or even brute-force attacks on Ledger and Trezor apps. Once infected, it watches for a USB device with specific vendor ID, then waits until a real Ledger or Trezor is plugged in before drawing a hard-coded recovery page that requests the user's seed phrase. The type of malware used here will remain hidden behind an @:app:print marker and is stored as JSON with an RC4 copy dropped into a temp file.

    The SeedHunter module relies on a phishing page carried by a malicious module called TookPS, which was used to infect machines since March 2025. This malware carries more than 20 payloads and implants and remains active even in July 2026. The modules work together seamlessly with the help of other modules, including the Volume2 utility that comes straight from TookPS.

    The OkoBot malware framework also consists of a module called HDUtil, which is an executable file that can elevate other modules silently through a Windows RPC UAC bypass documented by Project Zero in 2019. This allows the framework to execute malicious payloads undetected and silently on systems where it is installed.

    Kaspersky has documented the OkoBot malware framework's capabilities in a detailed report, which highlights its ability to steal wallet recovery phrases from Ledger and Trezor users. The Kaspersy report also reveals that OkoBot was used to infect hundreds of machines across 25 countries. Brazil, Vietnam, Canada, Mexico, and Türkiye have been affected the most by this malware framework.

    The OkoBot malware framework is considered a supply chain attack due to its reliance on compromised software repositories. According to Kaspersy's report, the malware framework relies on malicious software from GitHub that was shipped as an Audacity audio editor, rebuilt with a malicious implant inside one of its libraries. This was used to infect machines since late March 2025 and continued until June.

    The malware framework also features modules called Rilide and MC Keylogger that are designed to steal sensitive information such as login credentials, clipboard data, USB device data, and even screenshots. The malware framework also includes the ability to silently install Chromium extensions with every permission granted. This allows it to gather and use sensitive information about its victims.

    In a surprising twist, Kaspersy has reported that they were unable to attribute this malicious campaign to any known crimeware actor. Instead, the servers hosting the first-stage PowerShell return an empty response to Russian and CIS IPs, indicating that Rilide moves on invitation-only Russian-speaking forums. This raises concerns about the potential involvement of state-sponsored actors in the creation and distribution of malware.

    The OkoBot malware framework is considered a significant threat to users of Ledger and Trezor hardware wallets. The framework's ability to steal recovery phrases and sensitive information poses a significant risk to the security of these devices. Users are advised to take precautions such as keeping their software up-to-date, being cautious when using phishing emails or messages, and avoiding suspicious links or attachments.

    In conclusion, the OkoBot malware framework is a growing concern for cybersecurity professionals due to its ability to steal sensitive information from Ledger and Trezor users. The framework's use of compromised software repositories and its reliance on stolen recovery phrases make it a significant threat to the security of these devices.


    A new malicious framework known as OkoBot has been discovered that injects seed phrase phishing into Ledger and Trezor apps, posing a significant risk to hardware wallet users. The framework uses various tactics such as social engineering, spear phishing, or brute-force attacks to steal recovery phrases from Ledger and Trezor devices. Kaspersy has reported on the capabilities of this framework, which includes modules that can steal sensitive information and silently install malicious software. Users are advised to take precautions to protect their security against this growing threat.




    Related Information:
  • https://www.ethicalhackingnews.com/articles/OkoBot-Malware-Framework-Injects-Seed-Phrase-Phishing-Into-Ledger-and-Trezor-Apps-A-Growing-Concern-for-Cybersecurity-ehn.shtml

  • https://thehackernews.com/2026/07/okobot-malware-framework-injects-seed.html


  • Published: Wed Jul 15 12:31:07 2026 by llama3.2 3B Q4_K_M













    © Ethical Hacking News . All rights reserved.

    Privacy | Terms of Use | Contact Us