SeedHunter is a Windows malware component within the OkoBot framework that targets cryptocurrency users by stealing recovery seed phrases from Ledger and Trezor wallet users. Rather than attacking hardware wallets directly, it compromises the endpoint and abuses trust in legitimate companion wallet applications. SeedHunter monitors infected systems for Trezor Suite, Ledger Wallet, and Ledger Live, injects into those processes, and hooks Electron application internals to present fraudulent recovery interfaces inside the legitimate software environment. It can optionally wait until a real Ledger or Trezor device is connected before triggering the phishing workflow, increasing plausibility and likely improving theft success.
The malware captures entered seed phrases from the compromised application context and exfiltrates them to attacker-controlled infrastructure. It also stores a locally encrypted copy of stolen data. SeedHunter is associated with broader OkoBot intrusions that used ClickFix lures and trojanized software as initial access vectors, followed by a PowerShell-based downloader, SSH-backed remote access, and staged deployment of additional implants. In observed operations, SeedHunter was delivered alongside other OkoBot modules including spyware, keylogging, browser theft, and process-injection components, indicating use in multi-stage financially motivated campaigns centered on cryptocurrency theft.
Victimology associated with OkoBot-linked SeedHunter activity spans more than 25 countries, with notable concentrations in Brazil, Vietnam, Canada, Mexico, and Türkiye. Public reporting has not definitively attributed the campaign to a known threat actor, though some tradecraft and development artifacts have been assessed as consistent with overlap in Russian-speaking cybercriminal ecosystems.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
5 distinct techniques documented for this family, organized by ATT&CK tactic.
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An OkoBot module that injects into legitimate hardware-wallet desktop applications and displays fake in-app recovery pages to steal wallet seed phrases, optionally waiting until a real Ledger or Trezor device is connected over USB.
A wallet-focused implant that injects into Trezor and Ledger applications, displays phishing seed-recovery pages, captures seed phrases, and exfiltrates them to C2.
A wallet-focused implant that injects into Trezor and Ledger applications, displays phishing seed-recovery pages, and steals seed phrases for exfiltration to C2.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.