Back to Intelligence

OkoBot Framework with TookPS + Rilide Injector: Multi-Stage Cryptojacking Infrastructure — OTX Pulse Analysis

SA
Security Arsenal Team
July 17, 2026
8 min read

Threat Summary

The OkoBot framework represents a sophisticated multi-stage malware campaign targeting cryptocurrency users, particularly in Brazil, Canada, and Mexico. This threat intelligence analysis reveals a modular malware ecosystem orchestrated through an automated SSH botnet that deploys over 20 malicious components. The campaign begins with TookPS PowerShell scripts delivered via ClickFix attacks or counterfeit software hosted on GitHub repositories. Once initial access is established, the framework deploys specialized components including the HDUtil launcher, Rilide browser extension injector, TeviRAT for remote access, SeedHunter for wallet seed phrase extraction, and OkoSpyware for persistent surveillance. The primary objective appears to be comprehensive cryptocurrency theft through browser hijacking and credential harvesting, with the modular nature of the framework suggesting a mature operation with financial motivations.

Threat Actor / Malware Profile

OkoBot Framework

  • Distribution Method: Initial access achieved through TookPS PowerShell scripts delivered via ClickFix attacks (fake software updates) and counterfeit packages on GitHub repositories
  • Payload Behavior: Modular framework deploying 20+ components including HDUtil launcher, browser extension injectors, and specialized cryptocurrency theft modules
  • C2 Communication: Utilizes SSH tunneling for encrypted command and control infrastructure, leveraging compromised legitimate domains for resilience
  • Persistence Mechanism: Scheduled tasks, registry modifications, and malicious browser extensions maintain long-term access
  • Anti-Analysis Techniques: PowerShell script obfuscation, VM detection capabilities, and encrypted SSH tunneling to evade network detection

Component Analysis

TookPS: PowerShell-based initial access component responsible for establishing foothold and downloading subsequent stages. Delivered through social engineering techniques including ClickFix attacks.

TeviRAT: Remote Access Trojan component providing attackers with manual control capabilities for data exfiltration and lateral movement.

Rilide: Malicious browser extension injector specifically targeting cryptocurrency wallet extensions. Capable of stealing credentials, manipulating transactions, and extracting stored wallet data.

SeedHunter: Specialized module for cryptocurrency wallet seed phrase extraction, targeting wallet storage locations and clipboard data.

OkoSpyware: Surveillance component for persistent monitoring including keylogging and screen capture capabilities.

HDUtil: Launcher component responsible for deployment and execution of other malware modules in the framework.

IOC Analysis

The provided IOCs include:

  • 4 domain names used for C2 infrastructure: coffeesaloon.online, livewallpapers.online, 2baserec2.guru, kbeautyreviews.com
  • 4 MD5 file hashes associated with malware components: b07d451ee65a1580f20a784c8f0e7a46, 187a1f68ae786e53d3831166dc84e6d2, d84e8dc509308523e0209d3cd3544619, 83e6b8fcb92a0b13e109301f8ff649cf

SOC teams should operationalize these indicators by:

  1. Blocking domains at network perimeter devices (firewalls, DNS servers)
  2. Creating detection rules for processes attempting to connect to these domains
  3. Scanning endpoints for files matching the provided MD5 hashes
  4. Monitoring for PowerShell scripts with characteristics matching TookPS behavior
  5. Implementing network traffic analysis to identify SSH tunneling patterns

Tooling for decoding and analyzing these indicators includes:

  • VirusTotal for malware sample analysis
  • Domain analysis tools like Whois, DomainTools, and PassiveTotal
  • Network analysis tools like Wireshark for SSH tunneling detection
  • EDR solutions for endpoint detection and response

Detection Engineering

YAML
---
title: Suspicious PowerShell Execution with TookPS Patterns
id: a1b2c3d4-e5f6-7890-abcd-ef1234567890
description: Detects PowerShell execution patterns consistent with TookPS malware component delivered via ClickFix attacks
status: experimental
author: Security Arsenal
date: 2026/07/18
references:
    - https://securelist.com/okobot-framework-targets-cryptocurrency-wallets/120660/
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4688
        NewProcessName|endswith: '\powershell.exe'
        CommandLine|contains:
            - 'ClickFix'
            - 'GitHub'
            - 'FromBase64String'
    condition: selection
falsepositives:
    - Legitimate system administration using PowerShell with base64 encoded commands
level: high
---
title: Network Connections to OkoBot C2 Domains
id: b2c3d4e5-f6a7-8901-bcde-f12345678901
description: Detects connections to domains associated with OkoBot C2 infrastructure
status: experimental
author: Security Arsenal
date: 2026/07/18
references:
    - https://securelist.com/okobot-framework-targets-cryptocurrency-wallets/120660/
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    product: windows
    service: dns
detection:
    selection:
        QueryName|contains:
            - 'coffeesaloon.online'
            - 'livewallpapers.online'
            - '2baserec2.guru'
            - 'kbeautyreviews.com'
    condition: selection
falsepositives:
    - Legitimate connections to similarly named domains
level: critical
---
title: Suspicious Browser Extension Installation Pattern
id: c3d4e5f6-a7b8-9012-cdef-123456789012
description: Detects potential Rilide browser extension injection activity
status: experimental
author: Security Arsenal
date: 2026/07/18
references:
    - https://securelist.com/okobot-framework-targets-cryptocurrency-wallets/120660/
tags:
    - attack.persistence
    - attack.t1176
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 11
        TargetFilename|contains:
            - '\Google\Chrome\User Data\Default\Extensions\'
            - '\Mozilla\Firefox\Profiles\extensions\'
            - '\Microsoft\Edge\User Data\Default\Extensions\'
        CreationTime|re: '\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}'
    timeframe: 7d
    condition: selection
falsepositives:
    - Legitimate browser extension installations
level: medium


kql
// Hunt for connections to OkoBot C2 domains
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl has_any ("coffeesaloon.online", "livewallpapers.online", "2baserec2.guru", "kbeautyreviews.com")
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort
| order by Timestamp desc

// Hunt for PowerShell processes with suspicious characteristics
DeviceProcessEvents
| where Timestamp > ago(30d)
| where ProcessCommandLine has_any ("ClickFix", "FromBase64String", "IEX")
| where ProcessCommandLine contains "GitHub"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc

// Hunt for browser extension modifications
DeviceProcessEvents
| where Timestamp > ago(30d)
| where ProcessCommandLine contains_any ("Chrome", "Firefox", "Edge")
| where ProcessCommandLine contains "--load-extension"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc


powershell
# OkoBot Framework IOC Hunter
# This script checks for indicators related to OkoBot malware framework

# Initialize results array
$results = @()

# 1. Check for malicious files by hash
Write-Host "Checking for malicious file hashes..." -ForegroundColor Cyan
$maliciousHashes = @(
    "b07d451ee65a1580f20a784c8f0e7a46",
    "187a1f68ae786e53d3831166dc84e6d2",
    "d84e8dc509308523e0209d3cd3544619",
    "83e6b8fcb92a0b13e109301f8ff649cf"
)

# Search common directories for files with matching hashes
$commonPaths = @(
    "$env:TEMP",
    "$env:APPDATA",
    "$env:LOCALAPPDATA",
    "$env:USERPROFILE\Downloads"
)

foreach ($path in $commonPaths) {
    if (Test-Path $path) {
        Get-ChildItem -Path $path -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            try {
                $fileHash = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash.ToLower()
                if ($maliciousHashes -contains $fileHash) {
                    $results += [PSCustomObject]@{
                        Type = "Malicious File"
                        Path = $_.FullName
                        Hash = $fileHash
                        Details = "File matches known OkoBot hash"
                    }
                }
            } catch {
                # File might be inaccessible, skip
            }
        }
    }
}

# 2. Check for DNS entries for C2 domains in hosts file
Write-Host "Checking for malicious DNS entries..." -ForegroundColor Cyan
$hostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
$maliciousDomains = @(
    "coffeesaloon.online",
    "livewallpapers.online",
    "2baserec2.guru",
    "kbeautyreviews.com"
)

if (Test-Path $hostsFile) {
    $hostsContent = Get-Content $hostsFile -ErrorAction SilentlyContinue
    foreach ($domain in $maliciousDomains) {
        if ($hostsContent -match $domain) {
            $results += [PSCustomObject]@{
                Type = "Malicious DNS Entry"
                Path = $hostsFile
                Details = "Hosts file contains entry for $domain"
            }
        }
    }
}

# 3. Check for suspicious browser extensions
Write-Host "Checking for suspicious browser extensions..." -ForegroundColor Cyan
$browserPaths = @(
    "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Extensions",
    "$env:APPDATA\Mozilla\Firefox\Profiles",
    "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\Extensions"
)

foreach ($path in $browserPaths) {
    if (Test-Path $path) {
        Get-ChildItem -Path $path -Directory -ErrorAction SilentlyContinue | ForEach-Object {
            # Check for recently modified extensions (last 30 days)
            $lastModified = $_.LastWriteTime
            if ((Get-Date).AddDays(-30) -lt $lastModified) {
                $results += [PSCustomObject]@{
                    Type = "Recently Modified Browser Extension"
                    Path = $_.FullName
                    Details = "Last modified: $($lastModified.ToString())"
                }
            }
        }
    }
}

# 4. Check for scheduled tasks related to HDUtil or TookPS
Write-Host "Checking for suspicious scheduled tasks..." -ForegroundColor Cyan
$scheduledTasks = Get-ScheduledTask -ErrorAction SilentlyContinue
$suspiciousTaskNames = @("HDUtil", "TookPS", "OkoBot")

foreach ($task in $scheduledTasks) {
    foreach ($name in $suspiciousTaskNames) {
        if ($task.TaskName -like "*$name*") {
            $results += [PSCustomObject]@{
                Type = "Suspicious Scheduled Task"
                Path = $task.TaskPath
                Details = "Task: $($task.TaskName), State: $($task.State)"
            }
        }
    }
}

# 5. Check for registry persistence mechanisms
Write-Host "Checking for suspicious registry entries..." -ForegroundColor Cyan
$registryPaths = @(
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
)

foreach ($path in $registryPaths) {
    if (Test-Path $path) {
        Get-Item -Path $path -ErrorAction SilentlyContinue | ForEach-Object {
            $properties = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            foreach ($property in $properties.PSObject.Properties) {
                if ($property.Name -ne "PSPath" -and $property.Name -ne "PSParentPath" -and 
                    $property.Name -ne "PSChildName" -and $property.Name -ne "PSDrive" -and 
                    $property.Name -ne "PSProvider") {
                    $value = $property.Value
                    if ($value -match "powershell" -and $value -match "FromBase64String") {
                        $results += [PSCustomObject]@{
                            Type = "Suspicious Registry Entry"
                            Path = "$($_.Name)\$($property.Name)"
                            Details = "Value: $value"
                        }
                    }
                }
            }
        }
    }
}

# Display results
if ($results.Count -gt 0) {
    Write-Host "`n`n=== POTENTIAL INDICATORS FOUND ===" -ForegroundColor Yellow
    $results | Format-Table -AutoSize
} else {
    Write-Host "`n`nNo indicators of OkoBot framework detected." -ForegroundColor Green
}

Response Priorities

Immediate

  • Block all identified domains at network perimeter devices
  • Scan endpoints for malicious file hashes
  • Hunt for PowerShell scripts matching TookPS characteristics
  • Implement network monitoring for SSH tunneling to identified domains

24 Hours

  • Conduct identity verification for employees who may have been targeted
  • Review cryptocurrency wallet security measures
  • Audit browser extensions across the organization
  • Investigate any suspicious SSH connections to external domains

1 Week

  • Implement application whitelisting for PowerShell execution
  • Enhance email filtering to detect ClickFix attack patterns
  • Establish monitoring for unauthorized SSH tunneling
  • Deploy browser extension management policies
  • Conduct security awareness training focused on cryptocurrency threats

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-aptokobot-frameworkcryptocurrency-theftrilide-injectorssh-tunnelingtevirat

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.