Date: 07/16/2026
Severity: High
Summary
In January 2026, multiple attacks were detected using unknown malware to steal cryptocurrency wallet data. Investigators reconstructed a complex, four-stage infection chain linked to a malicious PowerShell script. This campaign stands out by using a new framework to deliver and orchestrate all malicious modules. An SSH tunnel is uniquely deployed to manage and coordinate the components of the operation. The extensive framework contains over 20 distinct payloads and implants with diverse functions. The threat actor's malicious campaign remains actively ongoing at the time of writing.
Indicators of Compromise (IOC) List
Domains/URLs | 2baserec2.guru recavb22.online kbeautyreviews.com coffeesaloon.online livewallpapers.online thatwascringe.com moonsand.store |
IP Address | 104.243.43.16 104.243.32.213 62.210.188.209 |
Hash | B07D451EE65A1580F20A784C8F0E7A46
187A1F68AE786E53D3831166DC84E6D2
D84E8DC509308523E0209D3CD3544619
83E6B8FCB92A0B13E109301F8FF649CF
7306885BB4C98F2A9F056104CF092BC9
B4C2E16CDB513BE4DC798F88E2527334
2157D2429124AD28DB7A26F2477CB985
77CECF5E2A622AE07D8AE9913457AB57
E0C3BC27A65750E740C4F1719E531C7D
3D2B43F91F65BFBF36A9C71B6B418876
70FEF9FD6E351F4D53CFEEE8DCDFCD99
ACD31C9941B6C1CABD4E45E6877B9038
DD52F5108A176C62AD807C327734AD12
AC93A821617AEA1F56D4BC0BEF4AF327
11DBC8A2BEA04B15F8F68F3F01E8FAF9
|
File paths | %USERPROFILE%\.ssh\go.bat %PROGRAMDATA%\HDVideo\HDUtil.exe %PROGRAMDATA%\hwid.dat %PROGRAMDATA%\oko_ver %TEMP%\extl.exe %APPDATA%\hwid.dat |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 : | domainname like "coffeesaloon.online" or url like "coffeesaloon.online" or siteurl like "coffeesaloon.online" or domainname like "kbeautyreviews.com" or url like "kbeautyreviews.com" or siteurl like "kbeautyreviews.com" or domainname like "recavb22.online" or url like "recavb22.online" or siteurl like "recavb22.online" or domainname like "livewallpapers.online" or url like "livewallpapers.online" or siteurl like "livewallpapers.online" or domainname like "thatwascringe.com" or url like "thatwascringe.com" or siteurl like "thatwascringe.com" or domainname like "2baserec2.guru" or url like "2baserec2.guru" or siteurl like "2baserec2.guru" or domainname like "moonsand.store" or url like "moonsand.store" or siteurl like "moonsand.store" |
Detection Query 2 : | dstipaddress IN ("104.243.43.16","104.243.32.213","62.210.188.209") or srcipaddress IN ("104.243.43.16","104.243.32.213","62.210.188.209") |
Detection Query 3 : | md5hash IN ("B07D451EE65A1580F20A784C8F0E7A46","187A1F68AE786E53D3831166DC84E6D2","D84E8DC509308523E0209D3CD3544619","83E6B8FCB92A0B13E109301F8FF649CF","7306885BB4C98F2A9F056104CF092BC9","B4C2E16CDB513BE4DC798F88E2527334","2157D2429124AD28DB7A26F2477CB985","77CECF5E2A622AE07D8AE9913457AB57","E0C3BC27A65750E740C4F1719E531C7D","3D2B43F91F65BFBF36A9C71B6B418876","70FEF9FD6E351F4D53CFEEE8DCDFCD99","ACD31C9941B6C1CABD4E45E6877B9038","DD52F5108A176C62AD807C327734AD12","AC93A821617AEA1F56D4BC0BEF4AF327","11DBC8A2BEA04B15F8F68F3F01E8FAF9")
|
Detection Query 4 : | datasourcename = "Windows Security" and eventtype = "4663" and objectname IN ("%USERPROFILE%\.ssh\go.bat","%PROGRAMDATA%\HDVideo\HDUtil.exe","%PROGRAMDATA%\hwid.dat","%PROGRAMDATA%\oko_ver","%TEMP%\extl.exe","%APPDATA%\hwid.dat") |
Detection Query 5 : | technologygroup = "EDR" and objectname IN ("%USERPROFILE%\.ssh\go.bat","%PROGRAMDATA%\HDVideo\HDUtil.exe","%PROGRAMDATA%\hwid.dat","%PROGRAMDATA%\oko_ver","%TEMP%\extl.exe","%APPDATA%\hwid.dat") |
Reference:
https://securelist.com/okobot-framework-targets-cryptocurrency-wallets/120660/