VYPR
researchPublished Jul 15, 2026· 1 source

OkoBot Malware Framework Targets Cryptocurrency Users with Multi-Stage Attacks

A sophisticated new malware framework, OkoBot, is actively targeting cryptocurrency users through a complex, multi-stage infection chain involving SSH tunnels and over 20 malicious payloads.

Kaspersky researchers have uncovered OkoBot, a new and sophisticated malware framework designed to steal cryptocurrency from unsuspecting users. This threat operates through a multi-stage infection chain, initiated by a malicious PowerShell script known as TookPS. The framework's complexity and the variety of its malicious payloads, exceeding 20 in number, highlight a significant evolution in cybercriminal tactics targeting digital assets.

The initial infection vector for OkoBot is multifaceted, primarily employing a ClickFix attack or distributing malware disguised as legitimate software. One notable example involved a fake SQL Server Management Studio (SSMS) package hosted on GitHub. This package, which was actually a compiled version of the Audacity audio editor embedded with a malicious implant, was strategically placed to appear high in search results, thereby gaining user trust before execution.

Once executed, the TookPS script establishes an SSH tunnel on the victim's system, connecting to an attacker-controlled server. This tunnel is crucial for subsequent payload delivery and command execution. Following a delay, an automated SSH bot connects to the forwarded port, initiating the data exfiltration phase. This bot is responsible for collecting sensitive system information, including installed antivirus software, IP addresses, and operating system details, alongside harvesting cryptocurrency wallet files and other credentials.

To ensure persistence and facilitate further compromise, the OkoBot framework employs several advanced techniques. It disables Windows Defender notifications through registry modifications and gains access to the graphical session by opening RDP ports, adding a user to the 'Remote Desktop Users' group, and replacing the legitimate termsrv.dll with a patched version to allow multiple concurrent RDP sessions. A scheduled task named 'Apple Sync' is created to maintain a reverse SSH tunnel, forwarding the local RDP port hourly.

Among the numerous malicious modules deployed by OkoBot is the TeviRAT backdoor, which fetches further malicious components. The framework also utilizes a launcher utility called HDUtil, protected by VMProtect and heavily obfuscated, to deploy various modules via target commands. This launcher verifies its execution environment by checking a hardware ID file, terminating if the environment is not as expected, demonstrating a robust self-protection mechanism.

The evolution of OkoBot shows a clear progression from earlier TookPS campaigns. While previous versions focused on delivering infostealers or TeviRAT with SSH installers, the current framework is more integrated, with TookPS primarily serving as the initial infection vector and an automated SSH bot orchestrating the deployment of a wide array of malicious payloads. The abandonment of older components like the HDUtil launcher and TeviRAT in favor of new Volume2 plugins indicates ongoing development and adaptation by the threat actors.

The OkoBot framework's comprehensive approach, from initial infection and persistence to data exfiltration and the use of a sophisticated SSH bot, poses a significant threat to cryptocurrency users. The continuous development and the sheer number of payloads suggest that OkoBot is an active and evolving threat that requires vigilant monitoring and robust security measures to counter its sophisticated attack methodologies.

Synthesized by Vypr AI