OkoBot Malware Injects Fake Seed Prompts Into Ledger and Trezor Apps

Brendan Smith
Brendan Smith - Cybersecurity Analyst
9 Min Read
OkoBot malware trap around a hardware wallet recovery seed on a Windows PC.
OkoBot turns an infected Windows PC into a trap for hardware-wallet recovery phrases.

OkoBot malware is targeting Windows users who manage cryptocurrency from Ledger, Trezor, and other wallet applications. Kaspersky’s GReAT team says the active framework can arrive through ClickFix instructions or a fake GitHub software download, take control of the PC, and inject a false recovery screen into the genuine wallet application’s process. The hardware wallet is not the vulnerability: the warning sign is any request to type a recovery phrase on the Windows computer.[1]

The campaign has affected hundreds of users in more than 25 countries. Its modules do more than display a phishing form: they can collect browser cookies and wallet files, log keystrokes and clipboard data, record application windows, establish remote access, and exfiltrate the seed phrase. If you entered recovery words into a prompt on the PC, treat the wallet backup as compromised and respond from a clean device.

Fake Ledger and Trezor recovery phrase forms injected by OkoBot malware.
The SeedHunter module can place these fake recovery forms inside Ledger and Trezor companion applications. Source: Kaspersky GReAT.

Who is affected by OkoBot malware?

The highest-risk group is Windows users who recently pasted and ran a ClickFix command, installed software from an unfamiliar GitHub repository, or ran a package presented as SQL Server Management Studio or another trusted utility. A polished README, a high search position, or a GitHub release page does not prove that the executable is safe. Before running a download, use the checks in our EXE file safety guide.

Observed stage What it means for the user
ClickFix or fake GitHub software A command or trojanized application starts the TookPS downloader. The repository may look official even though its release is malicious.
Reverse SSH and remote access The attack can inventory the PC, collect browser and wallet data, alter RDP access, and retrieve more modules.
SeedHunter injection The module watches Ledger and Trezor processes and can display a fake recovery form when a hardware wallet is connected.
Keylogger and OkoSpyware Keystrokes, clipboard contents, screenshots, and video of selected wallet, password-manager, and browser windows may be captured.

Why the Ledger or Trezor window can look genuine

OkoBot does not need to replace the hardware wallet. Its SeedHunter module injects code into Ledger Wallet, Ledger Live, or Trezor Suite processes and hooks functions used by their Electron interface. The form can therefore appear inside an application the user already trusts. The malware may wait until it detects a connected Ledger or Trezor device before showing the prompt.

This distinction matters: an authentic-looking desktop window is not proof that the request is safe. Ledger states that the real Ledger Live app will never ask for the recovery phrase and that the words should never be entered on a computer or phone.[2] Trezor likewise says a wallet backup should be entered only when the Trezor device itself instructs the user and the action is confirmed on the device.[3]

How to check a Windows PC for OkoBot exposure

Do not rely on one missing file or one clean quick scan. Kaspersky observed several versions of the framework, and the attackers changed modules over time. Start with the event that created the risk, then look for corroborating changes:

  • You pasted a PowerShell or Run-dialog command after a CAPTCHA, browser verification, or update prompt.
  • You ran a GitHub download from a new repository that impersonated a well-known product. Our fake repository and developer-tool cleanup guide explains why the source and execution path matter.
  • A wallet application unexpectedly asked for 12, 20, or 24 recovery words on the PC.
  • A new scheduled task named Apple Sync, an unexpected member of the Remote Desktop Users group, or unexplained inbound RDP/firewall changes appeared.
  • Files such as %USERPROFILE%\.ssh\go.bat, %PROGRAMDATA%\HDVideo\HDUtil.exe, %PROGRAMDATA%\hwid.dat, %PROGRAMDATA%\oko_ver, %TEMP%\extl.exe, or %APPDATA%\hwid.dat are present without a legitimate explanation.
  • Windows Defender notifications were disabled unexpectedly, or termsrv.dll shows an unexplained modification.

An individual filename is not a verdict by itself. Record its full path, signer, hash, creation time, parent process, and the download or command that preceded it. The combination of a risky execution event, wallet prompt, persistence, and remote-access changes is much stronger evidence than a name alone.

What to do if OkoBot may be on the PC

  1. Stop using the wallet on that computer. Disconnect the hardware wallet, do not enter the seed phrase, and avoid approving transactions until you have a clean device.
  2. If the seed was entered, create a new wallet backup on a clean hardware device. Move assets to addresses controlled by the new seed as quickly and carefully as possible. Ledger’s guidance says that a phrase entered on an internet-connected device must be treated as exposed.[2] Do not reuse or merely re-import the old phrase.
  3. Preserve the clues. Save the suspicious URL, repository name, command, installer filename, security alerts, task names, and relevant timestamps. Do not run the file again.
  4. Isolate and scan the Windows PC. A security tool may remove the visible downloader while the reverse SSH task, RDP changes, injected module, browser theft, or another payload remains. Run a full Gridinsoft Anti-Malware scan, remove confirmed detections, reboot, and scan again before reconnecting the wallet.
  5. Review privileged changes. Check Task Scheduler, local users and groups, Remote Desktop settings, firewall rules, Defender settings, browser extensions, startup entries, and the listed file paths. If you confirm patched system files, an unknown privileged account, or persistent remote access, a clean Windows reinstall is safer than assuming manual deletion restored trust.
  6. Rotate exposed credentials from a clean device. Change important passwords, revoke browser sessions and API tokens, and review exchange and wallet activity. A malware scan cannot recover stolen credentials or prove that data was not copied.

Seed phrase prompt: the safe decision

Situation Action
The desktop app asks for recovery words Cancel. Do not type the phrase on the PC, even when the app window looks genuine.
You saw the prompt but entered nothing Disconnect the wallet, isolate the PC, preserve evidence, and complete malware and persistence checks.
You entered any recovery words Assume the backup is exposed. From a clean device, create a new seed and transfer assets to new addresses.
No prompt appeared, but a fake installer ran Treat the PC as potentially compromised because OkoBot also steals cookies, credentials, wallet files, and clipboard data.

A hardware wallet still protects keys when its backup remains offline and transactions are verified on the device. OkoBot’s lesson is narrower and more practical: once Windows is compromised, the computer screen cannot be trusted to ask for the most sensitive secret. For broader wallet architecture and storage decisions, see our hot versus cold wallet security guide.

References

  1. Yaroslav Kikel, Kaspersky GReAT. “OkoBot: new sophisticated malware framework targets cryptocurrency users.” Securelist, July 15, 2026. Primary research and indicators.
  2. Ledger. “Keep My Crypto Safe: 6 Essential Rules.” Ledger Academy, accessed July 15, 2026. Official recovery-phrase safety guidance.
  3. Trezor. “How to use a wallet backup.” Trezor Knowledge Base, accessed July 15, 2026. Official wallet-backup guidance.
Share This Article
Cybersecurity Analyst
Follow:
Brendan Smith has spent over 15 years knee-deep in cybersecurity, chasing down malware from the gritty reverse-engineering of old-school trojans all the way to wrangling full-blown incident responses for small-to-medium businesses that couldn’t afford a full-blown breach. Over at Gridinsoft, he’s the guy piecing together those double-checked guides on nasty stuff like AsyncRAT ransomware—take last year, for instance, when his breakdowns caught more than 200 sneaky variants right in live scans, knocking user cleanup jobs down by a solid 40% and saving folks hours of headache.
Leave a Comment

AI Assistant

Hello! 👋 How can I help you today?