🟠 High | Source: The Hacker News
OkoBot is a Windows malware framework active since April 2025 that targets hardware cryptocurrency wallet users by injecting phishing overlays into legitimate Ledger and Trezor desktop applications. When a hardware wallet is connected, the malware displays a convincing prompt within the genuine wallet software requesting the user’s seed phrase — the master recovery key that grants full access to all funds. Because the surrounding application is real and trusted, victims have little visual reason to suspect the request is fraudulent.
Security Architect’s Take: Ensure endpoint security policies explicitly restrict process injection and UI overlay capabilities on corporate and BYOD Windows devices, and consider blocking or sandboxing cryptocurrency wallet applications entirely in managed environments. Educate any staff who use hardware wallets that legitimate Ledger and Trezor software will never prompt for a seed phrase on-screen — any such request should be treated as a compromise indicator and escalated immediately.
Original advisory: OkoBot Malware Framework Injects Seed Phrase Phishing Into Ledger and Trezor Apps