216.73.216.204

OkoBot framework infection chain

· Published 15/07/2026 13:58

Export JSON

Essential information

Published
15/07/2026 13:58
Modified
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
browser extension cryptocurrency theft hdutil okobot okospyware rdp rilide seed phrase seedhunter ssh tunnel tevirat tookps vmprotect
Related entities
6 indicators, 6 observables, 20 techniques (mitre), 6 malware

Description

In January 2026, researchers identified a sophisticated malware framework dubbed OkoBot that targets cryptocurrency users through a multi-stage infection chain. The campaign begins with PowerShell scripts delivered via ClickFix attacks or fake software on GitHub. An automated SSH bot deploys over 20 malicious modules including HDUtil launcher, injectors installing Rilide stealer, and specialized tools like SeedHunter for wallet seed phrase theft and OkoSpyware for window capture. The framework uses obfuscation, UAC bypass techniques, and maintains persistence through access and scheduled tasks. Victims span more than 25 countries with concentrations in Brazil, Vietnam, Canada, Mexico, and Turkey. Attribution suggests Russian-speaking threat actors based on geoblocking patterns and Russian language artifacts.

External references