OkoBot Windows malware framework with SeedHunter wallet phrase theft
Malware Activity
Summary
Hide ▲
Show ▼
The OkoBot malware framework is actively running on Windows and using SeedHunter to steal hardware wallet recovery phrases, putting wallet owners and endpoint data at risk. The framework has been active since April 2025 and was still operating as of the July 15 analysis. Telemetry tied to the malware shows hundreds of victims across 25+ countries, with the largest share in Brazil, Vietnam, Canada, Mexico, and Türkiye. OkoBot also carries additional payloads that steal credentials, wallet files, browser profiles, cookies, and other data.
Related Happenings
OkoBot hardware-wallet phrase theft campaign
Campaign
H score37
First: 15.07.2026 18:30
Last: 15.07.2026 18:30
Sources 1
How related:
Kaspersky's GReAT team published the teardown on Wednesday, counting hundreds of victims in its telemetry across more than 25 countries.
About this happening:
An active **OkoBot** campaign is driving **hundreds of victimizations across more than 25 countries**, showing broad coordinated malware activity. The operation uses overlapping d...
OkoBot hardware-wallet phrase theft campaign
CampaignHow related: Kaspersky's GReAT team published the teardown on Wednesday, counting hundreds of victims in its telemetry across more than 25 countries.
About this happening: An active **OkoBot** campaign is driving **hundreds of victimizations across more than 25 countries**, showing broad coordinated malware activity. The operation uses overlapping d...
Rust-based clipboard hijacker spreading via fake crypto tools
Malware Activity
H score13
First: 18.06.2026 18:00
Last: 18.06.2026 18:00
Sources 1
About this happening:
A **Rust-based clipboard hijacker** is spreading through fake crypto tools and silently replacing copied wallet addresses, putting **Windows** and **macOS** users at risk of theft...
Rust-based clipboard hijacker spreading via fake crypto tools
Malware ActivityAbout this happening: A **Rust-based clipboard hijacker** is spreading through fake crypto tools and silently replacing copied wallet addresses, putting **Windows** and **macOS** users at risk of theft...
Windows cryptocurrency clipper malware using USB LNK worming and Tor C2
Malware Activity
H score29
First: 18.06.2026 17:30
Last: 18.06.2026 17:30
Sources 1
About this happening:
A **Windows-based cryptocurrency clipper** has been active since **February 2026**, using **USB-delivered LNK** worming to steal wallet data and reroute payments. The malware adds...
Windows cryptocurrency clipper malware using USB LNK worming and Tor C2
Malware ActivityAbout this happening: A **Windows-based cryptocurrency clipper** has been active since **February 2026**, using **USB-delivered LNK** worming to steal wallet data and reroute payments. The malware adds...
Vidar infostealer market rise and distribution expansion
Malware Activity
H score30
First: 28.04.2026 22:07
Last: 28.04.2026 22:07
Sources 1
About this happening:
**Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...
Vidar infostealer market rise and distribution expansion
Malware ActivityAbout this happening: **Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...
FakeWallet crypto wallet phishing campaign targeting users in China
Campaign
H score14
First: 21.04.2026 00:52
Last: 21.04.2026 00:52
Sources 1
About this happening:
The **FakeWallet** campaign is actively distributing **26 malicious apps** that impersonate crypto wallets and steal **seed phrases**, putting **users in China** at immediate risk...
FakeWallet crypto wallet phishing campaign targeting users in China
CampaignAbout this happening: The **FakeWallet** campaign is actively distributing **26 malicious apps** that impersonate crypto wallets and steal **seed phrases**, putting **users in China** at immediate risk...
Latest development: 24.04.2026 14:48
Kaspersky said the FakeWallet campaign is gaining momentum with new tactics, including phishing apps published in the Apple App Store, cold wallet impersonation, and phishing notifications, and suspected it may be the work of threat actors linked to SparkKitty because some infected apps use OCR to steal wallet recovery phrases and the two campaigns share native Chinese-speaking operators and cryptocurrency targeting.
Timeline
-
15.07.2026 18:30 2 articles · 1h ago
OkoBot SeedHunter steals hardware wallet recovery phrases on Windows
Initial DisclosureKaspersky's GReAT team detailed OkoBot on Windows, describing SeedHunter as a module that injects fake recovery-phrase pages into Trezor Suite, Ledger Wallet, and Ledger Live to steal hardware wallet recovery phrases. Telemetry tied to the malware shows hundreds of victims across more than 25 countries, with the largest share in Brazil, Vietnam, Canada, Mexico, and Türkiye, and the framework remained active as of July 15, 2026.
Show sources
- OkoBot Malware Framework Injects Seed Phrase Phishing Into Ledger and Trezor Apps — thehackernews.com — 15.07.2026 18:30
- OkoBot Malware Framework Injects Seed Phrase Phishing Into Ledger and Trezor Apps — thehackernews.com — 15.07.2026 18:30