A newly documented malware framework called OkoBot is targeting cryptocurrency holders and credential data through a sprawling toolkit of more than 20 payloads, according to researchers at Kaspersky. The campaign has been running for over a year and represents an evolution of an earlier PowerShell-based operation known as TookPS.

Victims are lured through ClickFix-style social engineering attacks and malicious GitHub repositories disguised as legitimate software. In one documented case, a repo claiming to offer SQL Server Management Studio instead delivered a trojanized build of the Audacity audio editor.

Multi-Stage Infection Chain

Unlike the original TookPS activity, OkoBot uses a completely restructured, multi-stage infection chain. TookPS now serves only as the initial-access stage, installing and configuring an SSH bot that fetches the rest of the malicious components. That SSH bot collects system details such as username, installed antivirus, IP address, and OS version, disables Windows Defender notifications, and harvests cryptocurrency wallet files, browser cookies, and stored credentials.

Notable Payload Modules

  • ext daemon/extl.exe: Injects into Chrome to silently install the Rilide malicious extension, which targets credentials, cookies, and financial and crypto data.
  • SeedHunter: Injects into Trezor Suite, Ledger Wallet, and Ledger Live to display a fake seed-recovery prompt that tricks victims into entering their wallet recovery phrase.
  • MC Keylogger: Captures keystrokes, clipboard content, images, and file paths, monitors USB activity, and takes screenshots every five minutes.
  • OkoSpyware: Monitors around 100 applications, including crypto wallets and password managers, using FFmpeg to record video of their windows alongside keystroke logging.

Kaspersky notes that a stolen wallet recovery phrase gives attackers complete, unrecoverable control over a victim’s cryptocurrency holdings.

Geographic Footprint and Attribution Clues

Telemetry shows most victims are in Brazil, followed by Vietnam, Canada, Mexico, and Turkey, though the campaign has global reach. OkoBot activity was first spotted in January as an offshoot of the TookPS campaign, which has been active since March 2025.

Kaspersky has not attributed OkoBot to a specific threat actor, but noted that servers hosting the initial PowerShell stage are geoblocked, returning empty responses to IP addresses from Russia or the CIS region. Russian-language comments in the SeedHunter source code and the use of an infostealer promoted on invitation-only Russian cybercrime forums further suggest a Russian-speaking operator.

Kaspersky’s report includes indicators of compromise covering plugin hashes, injector payloads, SSH bot utilities, file paths, domains, and IP addresses for defenders to use in detection.