OkoBot Malware Framework Injects Seed Phrase Phishing Into Ledger and Trezor Apps

Summary

The OkoBot malware framework, active since April 2025 on Windows, includes a module specifically designed to phish users for their hardware wallet recovery phrases. This module injects fake recovery phrase prompts into legitimate desktop applications for Ledger and Trezor wallets on infected machines.

IFF Assessment

FOE

This new malware technique directly targets cryptocurrency holders by stealing their recovery phrases, leading to the potential loss of their digital assets.

Defender Context

Defenders should be aware of sophisticated phishing techniques like OkoBot that integrate malicious prompts into trusted applications. Users of hardware wallets should exercise extreme caution and never enter their recovery phrases through unexpected pop-ups or within applications they did not explicitly open for that purpose.

Read Full Story →