A sophisticated malware framework known as OkoBot has been actively targeting Windows systems since April 2025, with a particular focus on compromising hardware cryptocurrency wallets. One of its modules, dubbed SeedHunter, is designed to deceive users of Ledger and Trezor wallets into divulging their recovery phrases.
Upon infecting a system, SeedHunter monitors for the presence of Trezor Suite, Ledger Wallet, or Ledger Live applications. Once detected, it injects malicious code into these legitimate applications, manipulating their internal processes. The malware then communicates with a command-and-control (C2) server at ‘moonsand[.]store’ to receive further instructions.
Depending on the server’s directives, SeedHunter may wait until the user connects their hardware wallet via USB before displaying a counterfeit recovery phrase request within the genuine application interface. This deceptive tactic exploits the trust users place in their wallet software, leading them to unknowingly input their sensitive recovery phrases. The captured phrases are then exfiltrated to the attackers, enabling unauthorized access to the victims’ cryptocurrency assets.
OkoBot’s infiltration methods are multifaceted. One approach involves distributing trojanized software through platforms like GitHub. For instance, a repository masquerading as SQL Server Management Studio actually delivered a compromised version of the Audacity audio editor, embedded with malicious implants. This repository, which ranked highly in search results for ‘SSMS,’ remained active from late March to June 2025.
Another vector employs a PowerShell downloader known as TookPS, which has been observed since March 2025. This downloader installs an SSH client, establishes a connection to an attacker-controlled server, and sets up a reverse SSH tunnel. Through this tunnel, the malware exfiltrates sensitive data, including wallet files, browser cookies, and credentials. Additionally, it manipulates system settings to facilitate remote desktop access for the attackers.
OkoBot’s operations have been detected across more than 25 countries, with significant victim counts in Brazil, Vietnam, Canada, Mexico, and Turkey. The malware’s ability to integrate seamlessly into legitimate applications and its use of sophisticated evasion techniques underscore the evolving threats in the cybersecurity landscape.
For users of hardware wallets like Ledger and Trezor, this development highlights the critical importance of vigilance. Always ensure that recovery phrases are entered only during the initial device setup or when performing a legitimate recovery process. Be wary of unexpected prompts requesting sensitive information, even if they appear within trusted applications. Regularly updating software and maintaining robust security practices are essential defenses against such advanced threats.