OkoBot framework infection chain
Essential information
- Published
- 15/07/2026 13:58
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- browser extension cryptocurrency theft hdutil okobot okospyware rdp rilide seed phrase seedhunter ssh tunnel tevirat tookps vmprotect
- Related entities
- 6 indicators, 6 observables, 20 techniques (mitre), 6 malware
Description
In January 2026, researchers identified a sophisticated malware framework dubbed OkoBot that targets cryptocurrency users through a multi-stage infection chain. The campaign begins with TookPS PowerShell scripts delivered via ClickFix attacks or fake software on GitHub. An automated SSH bot deploys over 20 malicious modules including HDUtil launcher, browser extension injectors installing Rilide stealer, and specialized tools like SeedHunter for wallet seed phrase theft and OkoSpyware for window capture. The framework uses VMProtect obfuscation, UAC bypass techniques, and maintains persistence through RDP access and scheduled tasks. Victims span more than 25 countries with concentrations in Brazil, Vietnam, Canada, Mexico, and Turkey. Attribution suggests Russian-speaking threat actors based on geoblocking patterns and Russian language artifacts.