OkoBot New Sophisticated Malware Framework Targets Cryptocurrency Users
OkoBot: New Sophisticated Malware Framework Targets Cryptocurrency Users
🚨 In January 2026, multiple attacks involving unknown malware targeting cryptocurrency wallet windows were identified. This sophisticated infection chain consists of four tightly linked stages initiated by the malicious PowerShell script TookPS. Dubbed “OkoBot,” this campaign employs a new framework to deliver malicious modules and orchestrate them via an SSH tunnel, including over 20 malicious payloads and implants. As of now, the threat remains active.
Infection Chain
The initial infection is primarily delivered through two vectors: a ClickFix attack and malware disguised as legitimate software, such as a fake SQL Server Management Studio (SSMS) package. Both vectors trigger TookPS, which installs SSH on the victim’s system, establishes a connection to the attacker-controlled SSH server, and forwards the SSH daemon port.
Automated SSH Bot
Following a delay, an automated SSH bot connects to the forwarded port, collecting system information and harvesting cryptocurrency wallet files, browser cookies, profiles, and other credentials through an SSH tunnel. It also disables Windows Defender notifications via a registry modification and gains access to the graphical session on the victim’s system.
Malicious Modules
One of the deployed modules is HDUtil, an auxiliary utility heavily obfuscated and protected with VMProtect. This launcher is used by the SSH bot to deploy various malicious modules. The first malicious module delivered is a heavily obfuscated DLL injector, extl.exe, which installs malicious browser extensions and hides them from the user.
For more detailed information, you can read the complete article here: Read full article