Kaspersky Uncovers One of Most Dangerous Crypto-Stealing Bots for Wallet Owners
Experts from Kaspersky’s Global Research and Analysis Team (GReAT) warn that hundreds of users across 25 countries are at risk of having their assets stolen as the dangerous OkoBot malware framework targeting cryptocurrency owners entered an active phase.
Hackers have completely revised their tactics and are now targeting people who believed they were fully protected, analysts note in a new report.
The malware steals funds by intercepting the functions of the official Ledger Live, Ledger Wallet, and Trezor Suite applications and displaying a fake verification window. To avoid falling for this trick, users are advised to strictly follow three key security rules:
- Never enter a seed phrase using a PC keyboard
- Do not execute third-party scripts from the internet
- Check the system for hidden RDP access
In this campaign, attackers are deliberately targeting IT specialists and software developers. The initial compromise occurs when hackers disguise malware as popular work tools and distribute infected software through GitHub.

In particular, researchers have already discovered the malware inside a fake Microsoft SQL Server Management Studio (SSMS) installer.
At the same time, attackers are using sophisticated ClickFix attacks, a social engineering technique in which users are persuaded to copy and run malicious code in a terminal under the pretext of fixing an unexpected browser error.
What comes next: analysts’ forecasts
According to Kaspersky GReAT, since the malware uses a modular structure consisting of more than 20 components, including the Rilide infostealer and the OkoSpyware surveillance module, the geographical reach of the attacks is expected to expand beyond the countries currently reporting the highest number of infections, led by Brazil, Vietnam, Canada, Mexico, and Turkey.
New hidden extensions for Chromium-based browsers, including Chrome and Edge, are also expected to emerge. The malware can completely remove these extensions from the visible list of installed add-ons, leaving users unaware of their presence.
The final stage may involve the large-scale sale of access to victims’ computers. After establishing persistence in a system, OkoBot secretly creates a new administrator account and opens a permanent SSH tunnel for remote control through RDP.
