Skip to content
feed: live
>_ 0dayNews
threat intel
● Breaking

Kaspersky: OkoBot phishes seeds inside Ledger, Trezor apps

Kaspersky's GReAT team says OkoBot has hooked Electron in Ledger and Trezor apps since April 2025 to draw a fake seed-phrase prompt inside the real wallet UI.

Kaspersky: OkoBot phishes seeds inside Ledger, Trezor apps
Image: 0dayNews / 0dayNews Editorial · All rights reserved
airgap airgap · Published · 4 min read

New disclosure, single primary source. Kaspersky’s GReAT team named a Windows malware framework OkoBot on July 15, 2026, and detailed its recovery-phrase theft module — SeedHunter — which hooks Electron internals inside the running Ledger Live, Ledger Wallet, and Trezor Suite processes and draws a fake seed-entry page. The prompt looks like the vendor’s own because it is being rendered by the vendor’s own signed binary. Attribution: not made. Victim count: not stated.

What was reported

  • Framework name: OkoBot. Recovery-phrase module: SeedHunter. Confidence: high — both names are Kaspersky’s own.
  • Time in the wild: active since April 2025 per Kaspersky. Fifteen months before this writeup. Confidence: high as reported.
  • Targets: Ledger Live, Ledger Wallet, Trezor Suite. Confidence: high as reported. Other Electron-based wallet clients are not called out in the disclosure — read absence as “not tested,” not “confirmed safe.”
  • Behavior: the module hooks Electron framework internals in the wallet process at runtime, then displays a recovery-phrase entry page inside that process. Keystrokes are captured before they reach the real wallet code. Confidence: high at the level of characterization; Kaspersky has not, so far, released the runtime hook offsets or sample bytes publicly.
  • Attribution: Kaspersky wrote it can not attribute the campaign to a known crimeware actor. Soft indicators only — Russian-language code comments, and C2 responses that refuse Russian and CIS IP ranges. That is a pattern, not an actor.

How it gets there

Two initial-access paths named by Kaspersky:

  • ClickFix-style social-engineering lures. The generic pattern — a page instructing the target to paste something into Run or a terminal — has been the dominant Windows initial-access vector for a year. Nothing wallet-specific about it.
  • Trojanized software on GitHub. A fake SQL Server Management Studio repository shipped a poisoned Audacity build between March and June 2025. That is a four-month window during which any Windows host that installed from the repo can be assumed to have taken the loader.

Both paths drop TookPS, a PowerShell downloader Kaspersky has been tracking since March 2025. TookPS stages the OkoBot components; SeedHunter is one module among others in the framework.

Why the design matters

The trust boundary the attacker is spoofing is not the operating system’s. It is the user’s mental model of “the wallet software is the safe part.”

Hardware wallets exist so the seed never touches the host. Every vendor has said, in effect: the phrase does not leave the device, and our app will not ask for it. That statement is still true. SeedHunter does not violate it. What SeedHunter does is render a page that looks like the vendor’s app — because it is running inside the vendor’s app — and asks anyway. The signed binary, the correct window title, the correct icon, the correct fonts, all remain valid. Every visual trust cue is honored. Only the code drawing the recovery-phrase form is hostile.

That is the whole point of hooking Electron rather than pushing a standalone phishing window: a separate window is easy to disbelieve, a prompt inside the app is not.

IOCs, as reported by Kaspersky

  • C2 domain: moonsand[.]store
  • Scheduled task: Apple Sync
  • File artifacts: %PROGRAMDATA%\hwid.dat, %PROGRAMDATA%\HDVideo\HDUtil.exe

These are the artifacts named in the writeup. As with any modular loader, absence of these specific paths does not equal absence of the framework — treat them as detection starting points, not as a scoping rule.

Vendor position, restated

Ledger: the recovery phrase never leaves the device. Trezor: normal use never requires typing the backup. Both statements are correct. Both are also the reason SeedHunter has to spoof the ask inside a legitimate signed process to succeed — the direct route was closed years ago.

The guidance that survives this disclosure unchanged: no legitimate wallet flow will ever prompt for the recovery phrase on the host machine. A hardware-wallet app that asks for the seed is compromised. That rule holds whether the app is unsigned, signed, freshly installed, or running exactly as expected in every other respect.

What to do if a Windows host has run software from the flagged sources

Confidence on the following: high — this is standard host-triage guidance, not framework-specific.

  • If a machine installed an Audacity build from any GitHub repo styled as “SSMS,” or ran a ClickFix-pattern paste-into-terminal instruction between March 2025 and today, treat the host as compromised until proven otherwise. “Delete the binary” is not that proof.
  • Assume any seed phrase typed on that host during that window is exposed. Rotate funds off any wallet whose seed was ever entered on the machine. The device itself is fine to re-initialize; the seed is not.
  • The Apple Sync scheduled task and the two %PROGRAMDATA% artifacts are a starting point for detection sweeps across a fleet, not a full cleanup checklist. The framework is modular.

Watching for

  • Follow-on IOCs. Kaspersky’s initial writeup names one C2 and three filesystem artifacts. Sample hashes, additional C2 infrastructure, or the Electron hook offsets would let EDR vendors and hosting providers move against the delivery footprint faster than domain-blocking one store-suffix domain.
  • Additional wallet targets. Only three wallet clients are named. Any Electron-based wallet UI is architecturally in scope for the same hooking approach; whether the SeedHunter build in the wild handles them is a separate question the disclosure does not answer.
  • Attribution updates. Kaspersky’s current statement is that no known actor fits. If a threat-intel vendor asserts overlap later, read the confidence language — “assessed with moderate confidence” is not “confirmed.”

For adjacent wallet-targeting activity from the same news window, see Compromised @injectivelabs/sdk-ts 1.20.21 pushes wallet stealer — different vector (npm supply chain), same downstream goal — and KU Leuven flags address-linking risk in 85 crypto wallet extensions on the browser-extension side.

Sourcing

Found this useful? Share it.