Close Menu
    What's Hot

    As The Fed Reduces Forward Guidance, Markets Are Going Blind (SP500)

    The U.K. is taking aim at one nightly ritual millions of teens have

    Opinion | How Worried Should You Be About Cyclospora?

    Facebook X (Twitter) Instagram
    Trending
    • As The Fed Reduces Forward Guidance, Markets Are Going Blind (SP500)
    • The U.K. is taking aim at one nightly ritual millions of teens have
    • Opinion | How Worried Should You Be About Cyclospora?
    • Big day for a British Overseas Territory (no, not that one)
    • House G.O.P. Releases Budget to Unlock $95 Billion for Iran War and SAVE Act
    • Scottish independents should back England, needles conservative leader
    • Ukraine’s Drone Strikes on Russia May Not Be Enough to Retake Territory
    • U.S. Strikes Hit Greater Tunb Island in Strait of Hormuz
    interluknewsinterluknews
    • Home
    • Business
      • Corporate News
      • Industry Insights
      • Startups & Entrepreneurship
      • Technology & Innovation
    • Economy
      • Economic Policy
      • Financial Analysis
      • Inflation & Interest Rates
      • Trade & Markets
    • Global
      • Conflicts & Security
      • Diplomacy
      • Global Trends
      • International Affairs
    • Lifestyle
      • Fashion
      • Food & Dining
      • Personal Development
      • Travel
    • Opinion
      • Columns
      • Editorials
      • Expert Opinions
      • Reader Voices
    • More
      • Politics
        • Elections
        • Government & Policy
        • International Relations
        • Political Analysis
      • Sports
        • Cricket
        • Football / Soccer
        • International Sports
        • Local Sports
      • Technology
        • Artificial Intelligence
        • Cybersecurity
        • Gadgets & Reviews
        • Tech News
      • South Africa News
    Facebook X (Twitter) Instagram
    interluknewsinterluknews
    Cybersecurity

    OkoBot Malware Framework Injects Seed Phrase Phishing Into Ledger and Trezor Apps

    adminBy adminJuly 15, 2026No Comments5 Mins Read
    Share Facebook Twitter Pinterest Copy Link Telegram LinkedIn Tumblr Email
    OkoBot Malware Framework Injects Seed Phrase Phishing Into Ledger and Trezor Apps
    Share
    Facebook Twitter LinkedIn Pinterest Email

    OkoBot Malware Framework Injects Seed Phrase Phishing Into Ledger and Trezor Apps

    A malware framework called OkoBot has been running on Windows machines since April 2025, and one of its modules is built to con hardware wallet owners out of their recovery phrase.

    On an infected PC, the request comes from inside the wallet’s own desktop software. Sometimes it waits until you plug the device in first. The page is malicious. The app around it is the real one you installed, and the phrase is the wallet.

    Kaspersky’s GReAT team published the teardown on Wednesday, counting hundreds of victims in its telemetry across more than 25 countries. The largest share of attacked users is in Brazil, Vietnam, Canada, Mexico, and Türkiye.

    How many of them typed a phrase in, the report does not say. OkoBot carries more than 20 payloads and implants and was still active as of the July 15 report.

    SeedHunter Waits for the Device

    SeedHunter is the OkoBot module that steals the phrase. Once the framework lands, it watches for Trezor Suite, Ledger Wallet, and Ledger Live, injects into whichever it finds, and hooks the app’s Electron internals. Then it asks its C2 at moonsand[.]store.

    Cybersecurity

    If the server sets a Wait flag, SeedHunter scans USB by vendor and product ID and sits still until a real Ledger or Trezor is plugged in. Only then does it draw a hard-coded recovery page, one layout per brand. With the flag off, the page appears immediately. The typed phrase goes to the page’s own console behind an @:app:print marker, and the hooked mal_LogConsoleMessage picks it up. It leaves as JSON, with an RC4 copy dropped in a temp file.

    The hardware wallet is not what gets broken. It does the one thing it was built for, which is to refuse to give up the key, and it cannot stop its companion software from asking you for the phrase instead.

    Neither half of the trick is new. Moonlock Lab tracked macOS stealers doing the swap version, and THN covered those cloned Ledger Live apps: AMOS killed Ledger Live and dropped a trojanized clone in /Applications demanding the 24 words.

    GlassWorm did the USB trigger on Windows in March, using WMI to spot a device going in, then throwing its own window up after killing the real app. What SeedHunter changes is where the page gets drawn. It leaves the app running and draws inside it.

    The SSMS That Was Actually Audacity

    Two main ways in: a ClickFix lure, and trojanized software on GitHub. The repo Kaspersky pulled apart advertised SQL Server Management Studio. What it shipped was Audacity, the audio editor, rebuilt with a malicious implant inside one of its libraries. It ranked top for SSMS. It lived from late March 2025 to June.

    Both paths execute TookPS, a PowerShell downloader Kaspersky has tracked since March 2025, when it rode fake DeepSeek pages, then fake business-software download sites. It installs SSH, dials an attacker-controlled server, forwards the local SSH daemon port, and waits. Later, an automated SSH bot connects back through the tunnel.

    The bot inventories the box down to the installed AV, then drags wallet files, cookies, browser profiles, and credentials out through the tunnel. It silences Defender notifications with a registry write and builds itself a desk:

    1. Opens the firewall for inbound RDP
    2. Adds an account to the Remote Desktop Users group
    3. Replaces termsrv.dll with a patched build that permits concurrent RDP sessions
    4. Registers a scheduled task called Apple Sync that rebuilds a reverse SSH tunnel for the local RDP port every hour

    Modules arrive over SFTP after that. A VMProtect-packed launcher called HDUtil runs them and can elevate them silently through a Windows RPC UAC bypass that Project Zero documented in 2019.

    The last delivery is Volume2, an open-source utility carrying a malicious protobuf.dll that decrypts and starts the real payload: a plugin dispatcher polling its C2 every 20 seconds. Kaspersky recovered five plugins. One is a process injector, and that is what puts SeedHunter in place.

    The rest of the kit is surveillance. OkoSpyware watches for 100-plus executables, Exodus, and 1Password among them. It films the matching window to MP4 with a bundled FFmpeg and logs keystrokes into it.

    Browser titles get regex-matched, so a MetaMask or Tonkeeper tab gets recorded. MC Keylogger covers input, clipboard, USB devices, and takes a screenshot every five minutes. A loader installs hidden Chromium extensions with every permission granted; Rilide, a Chromium stealer used by Russian-speaking threat actors since April 2023, is what it installed.

    Whose Framework Is It?

    Kaspersky will not name an actor: “we can’t attribute this malicious campaign to any known crimeware actor.” The servers hosting the first-stage PowerShell return an empty response to Russian and CIS IPs. Rilide moves on invitation-only Russian-speaking forums.

    The SeedHunter phishing pages carry Russian comments. Those are soft signals, and the report treats them as such.

    Cybersecurity

    There is no wallet CVE and no vendor patch that closes this route. It lands on the endpoint instead, and the artifacts are specific enough to hunt:

    • A scheduled task named Apple Sync
    • %PROGRAMDATA%\hwid.dat, %PROGRAMDATA%\HDVideo\HDUtil.exe, %USERPROFILE%\.ssh\go.bat
    • termsrv.dll altered from its shipped build
    • Accounts in Remote Desktop Users that nobody added
    • Outbound SSH from user endpoints
    • Extensions in Local Extension Settings that never appear in the browser’s extension list

    Kaspersky’s post has the hashes and C2 domains. The vendors draw the line at the device. Ledger says the phrase never goes anywhere but the Ledger itself.

    Trezor Suite says it will never ask you to type your backup, though a Model One’s standard recovery does take the words in Suite, and only when the device asks. A page that appears because you plugged in, with nothing on the device screen behind it, is the tell.

    Then the March 2026 rebuild. TeviRAT is gone. The HDUtil to extl to Rilide chain is gone, folded into a single dispatcher plugin that does the same job. Volume2 now comes straight from TookPS. Nobody prunes a codebase they are about to walk away from.

    apps Framework Injects Ledger Malware OkoBot Phishing Phrase seed Trezor
    Follow on Google News Follow on Flipboard
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
    Previous ArticleJay Clayton Faces Tough Questions in Hearing Over 2020 Election
    Next Article Thinking Machines Lab Drops Its First Model
    admin
    • Website

    Related Posts

    SASE Has An AI Blind Spot. Inspecting Packets Is No Longer Enough.

    July 15, 2026

    Firefox, Chrome, Adobe, and VMware Updates Fix Multiple Critical Security Flaws

    July 15, 2026

    Cursor Flaw Lets Malicious Cloned Repositories Trigger Windows Code Execution

    July 15, 2026
    Leave A Reply Cancel Reply

    Demo
    Latest Posts

    As The Fed Reduces Forward Guidance, Markets Are Going Blind (SP500)

    The U.K. is taking aim at one nightly ritual millions of teens have

    Opinion | How Worried Should You Be About Cyclospora?

    Big day for a British Overseas Territory (no, not that one)

    Latest Posts

    Subscribe to News

    Get the latest sports news from NewsSite about world, sports and politics.

    Advertisement
    Demo

    We are a digital news platform delivering timely, accurate, and insightful coverage of politics, global affairs, business, economy, sports, and more. Our mission is to keep readers informed with reliable news, clear analysis, and stories that truly matter.
    We're social. Connect with us:

    Facebook X (Twitter) Instagram Pinterest YouTube

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Type above and press Enter to search. Press Esc to cancel.

    Powered by
    ...
    ►
    Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
    None
    ►
    Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
    None
    ►
    Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
    None
    ►
    Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
    None
    ►
    Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
    None
    Powered by