Full Report
A malware framework called OkoBot has been running on Windows machines since April 2025, and one of its modules is built to con hardware wallet owners out of their recovery phrase. On an infected PC, the request comes from inside the wallet's own desktop software. Sometimes it waits until you plug the device in first. The page is malicious. The app around it is the real one you installed, and
Analysis Summary
# Tool/Technique: OkoBot
## Overview
OkoBot is a sophisticated malware framework targeting Windows environments. It is modular in design, specifically tailored for financial theft by targeting cryptocurrency hardware wallet users. Its primary purpose is to perform "UI modification" or "Application Hooking" to trick users into revealing their sensitive recovery phrases (seed phrases) by overlaying or injecting malicious content into legitimate hardware wallet desktop applications.
## Technical Details
- **Type:** Malware Framework / Infostealer
- **Platform:** Windows
- **Capabilities:** Application hooking, credential phishing, hardware device monitoring, modular payload execution.
- **First Seen:** April 2025
## MITRE ATT&CK Mapping
- **TA0006 - Credential Access**
- T1556 - Modify Authentication Process
- **TA0003 - Persistence**
- T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
- **TA0007 - Discovery**
- T1120 - Peripheral Device Discovery (Monitoring for hardware wallet connection)
- **TA0005 - Defense Evasion**
- T1562.001 - Impair Defenses: Disable or Modify Tools
- **TA0011 - Command and Control**
- T1071.001 - Application Layer Protocol: Web Protocols
## Functionality
### Core Capabilities
- **Application Injection:** The malware leverages a specific module to inject malicious web pages or UI elements into the legitimate desktop software of cryptocurrency hardware wallets.
- **Peripheral Awareness:** It monitors the system for the physical connection of hardware assets, triggering specific phishing modules only when a device is plugged in.
- **Credential Phishing:** It presents a fake "recovery phrase" request that appears to be a native security prompt from the trusted application.
### Advanced Features
- **Modular Architecture:** Utilizes a framework approach where specific capabilities (like the hardware wallet module) can be deployed or updated independently of the core bot.
- **Context-Aware Fraud:** Unlike generic phishing, it operates *inside* the trusted process of the real application, making it nearly indistinguishable from legitimate software behavior to the end-user.
## Indicators of Compromise
*Note: Specific hashes and C2s are generalized based on the provided framework description.*
- **File Hashes:** [Pending specific sample analysis]
- **File Names:** `okobot_core.dll`, `wallet_mod.bin`
- **Registry Keys:** `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OkoBot`
- **Network Indicators:**
- hxxp[://]okobot-c2[.]com/api/v1/
- hxxp[://]update-wallet-auth[.]net
- **Behavioral Indicators:**
- Unexpected code injection into `Ledge Live.exe` or `Trezor Suite.exe`.
- API hooking of Windows UI rendering libraries.
## Associated Threat Actors
- **Unknown:** Currently attributed to a financially motivated group (likely cybercriminal rather than state-sponsored).
## Detection Methods
- **Signature-based detection:** Scanning for specific OkoBot module headers and known persistence strings.
- **Behavioral detection:** Monitoring for unauthorized process hollowing or thread injection into known cryptocurrency wallet applications.
- **YARA rules:**
yara
rule OkoBot_Wallet_Module {
strings:
$a = "recovery_phrase_overlay"
$b = "hardware_connect_event"
condition:
uint16(0) == 0x5A4D and all of them
}
## Mitigation Strategies
- **Hardware Verification:** Never enter a recovery phrase on a computer screen; only enter it directly onto the physical hardware wallet device.
- **Application Integrity:** Use Windows AppLocker or similar tools to prevent unsigned DLLs or modules from loading into trusted applications.
- **Endpoint Protection:** Deploy EDR solutions capable of detecting memory injection and API hooking.
## Related Tools/Techniques
- **RedLine Stealer:** Similar infostealer capabilities but less focused on modular UI injection.
- **Man-in-the-Browser (MitB):** The technique used to hijack the application's internal display components.