Threat Summary
The OkoBot framework represents a sophisticated multi-stage malware campaign targeting cryptocurrency users, particularly in Brazil, Canada, and Mexico. This threat intelligence analysis reveals a modular malware ecosystem orchestrated through an automated SSH botnet that deploys over 20 malicious components. The campaign begins with TookPS PowerShell scripts delivered via ClickFix attacks or counterfeit software hosted on GitHub repositories. Once initial access is established, the framework deploys specialized components including the HDUtil launcher, Rilide browser extension injector, TeviRAT for remote access, SeedHunter for wallet seed phrase extraction, and OkoSpyware for persistent surveillance. The primary objective appears to be comprehensive cryptocurrency theft through browser hijacking and credential harvesting, with the modular nature of the framework suggesting a mature operation with financial motivations.
Threat Actor / Malware Profile
OkoBot Framework
- Distribution Method: Initial access achieved through TookPS PowerShell scripts delivered via ClickFix attacks (fake software updates) and counterfeit packages on GitHub repositories
- Payload Behavior: Modular framework deploying 20+ components including HDUtil launcher, browser extension injectors, and specialized cryptocurrency theft modules
- C2 Communication: Utilizes SSH tunneling for encrypted command and control infrastructure, leveraging compromised legitimate domains for resilience
- Persistence Mechanism: Scheduled tasks, registry modifications, and malicious browser extensions maintain long-term access
- Anti-Analysis Techniques: PowerShell script obfuscation, VM detection capabilities, and encrypted SSH tunneling to evade network detection
Component Analysis
TookPS: PowerShell-based initial access component responsible for establishing foothold and downloading subsequent stages. Delivered through social engineering techniques including ClickFix attacks.
TeviRAT: Remote Access Trojan component providing attackers with manual control capabilities for data exfiltration and lateral movement.
Rilide: Malicious browser extension injector specifically targeting cryptocurrency wallet extensions. Capable of stealing credentials, manipulating transactions, and extracting stored wallet data.
SeedHunter: Specialized module for cryptocurrency wallet seed phrase extraction, targeting wallet storage locations and clipboard data.
OkoSpyware: Surveillance component for persistent monitoring including keylogging and screen capture capabilities.
HDUtil: Launcher component responsible for deployment and execution of other malware modules in the framework.
IOC Analysis
The provided IOCs include:
- 4 domain names used for C2 infrastructure: coffeesaloon.online, livewallpapers.online, 2baserec2.guru, kbeautyreviews.com
- 4 MD5 file hashes associated with malware components: b07d451ee65a1580f20a784c8f0e7a46, 187a1f68ae786e53d3831166dc84e6d2, d84e8dc509308523e0209d3cd3544619, 83e6b8fcb92a0b13e109301f8ff649cf
SOC teams should operationalize these indicators by:
- Blocking domains at network perimeter devices (firewalls, DNS servers)
- Creating detection rules for processes attempting to connect to these domains
- Scanning endpoints for files matching the provided MD5 hashes
- Monitoring for PowerShell scripts with characteristics matching TookPS behavior
- Implementing network traffic analysis to identify SSH tunneling patterns
Tooling for decoding and analyzing these indicators includes:
- VirusTotal for malware sample analysis
- Domain analysis tools like Whois, DomainTools, and PassiveTotal
- Network analysis tools like Wireshark for SSH tunneling detection
- EDR solutions for endpoint detection and response
Detection Engineering
---
title: Suspicious PowerShell Execution with TookPS Patterns
id: a1b2c3d4-e5f6-7890-abcd-ef1234567890
description: Detects PowerShell execution patterns consistent with TookPS malware component delivered via ClickFix attacks
status: experimental
author: Security Arsenal
date: 2026/07/18
references:
- https://securelist.com/okobot-framework-targets-cryptocurrency-wallets/120660/
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: security
detection:
selection:
EventID: 4688
NewProcessName|endswith: '\powershell.exe'
CommandLine|contains:
- 'ClickFix'
- 'GitHub'
- 'FromBase64String'
condition: selection
falsepositives:
- Legitimate system administration using PowerShell with base64 encoded commands
level: high
---
title: Network Connections to OkoBot C2 Domains
id: b2c3d4e5-f6a7-8901-bcde-f12345678901
description: Detects connections to domains associated with OkoBot C2 infrastructure
status: experimental
author: Security Arsenal
date: 2026/07/18
references:
- https://securelist.com/okobot-framework-targets-cryptocurrency-wallets/120660/
tags:
- attack.command_and_control
- attack.t1071.001
logsource:
product: windows
service: dns
detection:
selection:
QueryName|contains:
- 'coffeesaloon.online'
- 'livewallpapers.online'
- '2baserec2.guru'
- 'kbeautyreviews.com'
condition: selection
falsepositives:
- Legitimate connections to similarly named domains
level: critical
---
title: Suspicious Browser Extension Installation Pattern
id: c3d4e5f6-a7b8-9012-cdef-123456789012
description: Detects potential Rilide browser extension injection activity
status: experimental
author: Security Arsenal
date: 2026/07/18
references:
- https://securelist.com/okobot-framework-targets-cryptocurrency-wallets/120660/
tags:
- attack.persistence
- attack.t1176
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 11
TargetFilename|contains:
- '\Google\Chrome\User Data\Default\Extensions\'
- '\Mozilla\Firefox\Profiles\extensions\'
- '\Microsoft\Edge\User Data\Default\Extensions\'
CreationTime|re: '\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}'
timeframe: 7d
condition: selection
falsepositives:
- Legitimate browser extension installations
level: medium
kql
// Hunt for connections to OkoBot C2 domains
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl has_any ("coffeesaloon.online", "livewallpapers.online", "2baserec2.guru", "kbeautyreviews.com")
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort
| order by Timestamp desc
// Hunt for PowerShell processes with suspicious characteristics
DeviceProcessEvents
| where Timestamp > ago(30d)
| where ProcessCommandLine has_any ("ClickFix", "FromBase64String", "IEX")
| where ProcessCommandLine contains "GitHub"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc
// Hunt for browser extension modifications
DeviceProcessEvents
| where Timestamp > ago(30d)
| where ProcessCommandLine contains_any ("Chrome", "Firefox", "Edge")
| where ProcessCommandLine contains "--load-extension"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc
powershell
# OkoBot Framework IOC Hunter
# This script checks for indicators related to OkoBot malware framework
# Initialize results array
$results = @()
# 1. Check for malicious files by hash
Write-Host "Checking for malicious file hashes..." -ForegroundColor Cyan
$maliciousHashes = @(
"b07d451ee65a1580f20a784c8f0e7a46",
"187a1f68ae786e53d3831166dc84e6d2",
"d84e8dc509308523e0209d3cd3544619",
"83e6b8fcb92a0b13e109301f8ff649cf"
)
# Search common directories for files with matching hashes
$commonPaths = @(
"$env:TEMP",
"$env:APPDATA",
"$env:LOCALAPPDATA",
"$env:USERPROFILE\Downloads"
)
foreach ($path in $commonPaths) {
if (Test-Path $path) {
Get-ChildItem -Path $path -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
try {
$fileHash = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash.ToLower()
if ($maliciousHashes -contains $fileHash) {
$results += [PSCustomObject]@{
Type = "Malicious File"
Path = $_.FullName
Hash = $fileHash
Details = "File matches known OkoBot hash"
}
}
} catch {
# File might be inaccessible, skip
}
}
}
}
# 2. Check for DNS entries for C2 domains in hosts file
Write-Host "Checking for malicious DNS entries..." -ForegroundColor Cyan
$hostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
$maliciousDomains = @(
"coffeesaloon.online",
"livewallpapers.online",
"2baserec2.guru",
"kbeautyreviews.com"
)
if (Test-Path $hostsFile) {
$hostsContent = Get-Content $hostsFile -ErrorAction SilentlyContinue
foreach ($domain in $maliciousDomains) {
if ($hostsContent -match $domain) {
$results += [PSCustomObject]@{
Type = "Malicious DNS Entry"
Path = $hostsFile
Details = "Hosts file contains entry for $domain"
}
}
}
}
# 3. Check for suspicious browser extensions
Write-Host "Checking for suspicious browser extensions..." -ForegroundColor Cyan
$browserPaths = @(
"$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Extensions",
"$env:APPDATA\Mozilla\Firefox\Profiles",
"$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\Extensions"
)
foreach ($path in $browserPaths) {
if (Test-Path $path) {
Get-ChildItem -Path $path -Directory -ErrorAction SilentlyContinue | ForEach-Object {
# Check for recently modified extensions (last 30 days)
$lastModified = $_.LastWriteTime
if ((Get-Date).AddDays(-30) -lt $lastModified) {
$results += [PSCustomObject]@{
Type = "Recently Modified Browser Extension"
Path = $_.FullName
Details = "Last modified: $($lastModified.ToString())"
}
}
}
}
}
# 4. Check for scheduled tasks related to HDUtil or TookPS
Write-Host "Checking for suspicious scheduled tasks..." -ForegroundColor Cyan
$scheduledTasks = Get-ScheduledTask -ErrorAction SilentlyContinue
$suspiciousTaskNames = @("HDUtil", "TookPS", "OkoBot")
foreach ($task in $scheduledTasks) {
foreach ($name in $suspiciousTaskNames) {
if ($task.TaskName -like "*$name*") {
$results += [PSCustomObject]@{
Type = "Suspicious Scheduled Task"
Path = $task.TaskPath
Details = "Task: $($task.TaskName), State: $($task.State)"
}
}
}
}
# 5. Check for registry persistence mechanisms
Write-Host "Checking for suspicious registry entries..." -ForegroundColor Cyan
$registryPaths = @(
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
"HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
"HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
"HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
)
foreach ($path in $registryPaths) {
if (Test-Path $path) {
Get-Item -Path $path -ErrorAction SilentlyContinue | ForEach-Object {
$properties = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
foreach ($property in $properties.PSObject.Properties) {
if ($property.Name -ne "PSPath" -and $property.Name -ne "PSParentPath" -and
$property.Name -ne "PSChildName" -and $property.Name -ne "PSDrive" -and
$property.Name -ne "PSProvider") {
$value = $property.Value
if ($value -match "powershell" -and $value -match "FromBase64String") {
$results += [PSCustomObject]@{
Type = "Suspicious Registry Entry"
Path = "$($_.Name)\$($property.Name)"
Details = "Value: $value"
}
}
}
}
}
}
}
# Display results
if ($results.Count -gt 0) {
Write-Host "`n`n=== POTENTIAL INDICATORS FOUND ===" -ForegroundColor Yellow
$results | Format-Table -AutoSize
} else {
Write-Host "`n`nNo indicators of OkoBot framework detected." -ForegroundColor Green
}
Response Priorities
Immediate
- Block all identified domains at network perimeter devices
- Scan endpoints for malicious file hashes
- Hunt for PowerShell scripts matching TookPS characteristics
- Implement network monitoring for SSH tunneling to identified domains
24 Hours
- Conduct identity verification for employees who may have been targeted
- Review cryptocurrency wallet security measures
- Audit browser extensions across the organization
- Investigate any suspicious SSH connections to external domains
1 Week
- Implement application whitelisting for PowerShell execution
- Enhance email filtering to detect ClickFix attack patterns
- Establish monitoring for unauthorized SSH tunneling
- Deploy browser extension management policies
- Conduct security awareness training focused on cryptocurrency threats
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.