Oky Thief

| Tactic | Technique ID | Description |
|--------|--------------|-------------|
| Initial Access | T1566.001 | Phishing: Spearphishing Attachment |
| Execution | T1059.001 | PowerShell |
| Persistence | T1547.001 | Registry Run Keys / Startup Folder |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information |
| Credential Access | T1555.003 | Credentials from Web Browsers |
| Collection | T1115 | Clipboard Data |
| Exfiltration | T1567.002 | Exfiltration to Webhook (Discord) |
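The mapping above is the kind of thing a SOC turns into hunting logic. The following is an added example, not part of the report: a small Python script that walks a list of host events and emits one finding per mapped technique. All events are constructed samples, and the field names (`type`, `host`, `image`, `parent`, `cmdline`, `key`, `path`, `dest_host`, `url`) are assumptions modelled loosely on Sysmon-style process, registry, file and network telemetry; the only values taken from outside the page are the well-known Chromium `Login Data` path and the `discord.com/api/webhooks/` URL prefix.

```python
"""Hunting helper for the ATT&CK mapping of the Oky Thief report.

Constructed example (not the report's own tooling). Event field names are
assumptions; the sample events below are made up for illustration.
"""
import base64
import re

# Constructed payload: -EncodedCommand expects base64 of UTF-16LE text.
_DEMO_SCRIPT = "Write-Output demo"
_DEMO_ENC = base64.b64encode(_DEMO_SCRIPT.encode("utf-16le")).decode("ascii")

# Constructed sample telemetry; WS-02 is a benign control case.
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS-01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": f"powershell.exe -nop -w hidden -enc {_DEMO_ENC}"},
    {"type": "registry", "host": "WS-01",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\alice\AppData\Roaming\upd.exe"},
    {"type": "file", "host": "WS-01",
     "image": r"C:\Users\alice\AppData\Roaming\upd.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "network", "host": "WS-01",
     "image": r"C:\Users\alice\AppData\Roaming\upd.exe",
     "dest_host": "discord.com",
     "url": "/api/webhooks/000000000000000000/PLACEHOLDER-TOKEN"},
    {"type": "process", "host": "WS-02",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -File C:\scripts\inventory.ps1"},
]

OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
BROWSER_CRED_FILES = ("login data", "logins.json", "key4.db")  # Chromium / Firefox stores
ENC_FLAG_RE = re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand, or None if absent or undecodable."""
    m = ENC_FLAG_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def hunt(events):
    """Return a list of (technique_id, host, detail) findings for the mapped techniques."""
    hits = []
    for ev in events:
        host = ev["host"]
        image = ev.get("image", "").lower()
        if ev["type"] == "process" and image.endswith("powershell.exe"):
            cmdline = ev.get("cmdline", "")
            # T1566.001 -> T1059.001: an Office process spawning PowerShell
            if ev.get("parent", "").lower().endswith(OFFICE_APPS):
                hits.append(("T1566.001", host, f"Office parent spawned PowerShell: {ev['parent']}"))
                hits.append(("T1059.001", host, cmdline))
            # T1140: decode the payload so the analyst sees the real script
            decoded = decode_encoded_command(cmdline)
            if decoded is not None:
                hits.append(("T1140", host, f"encoded command decodes to: {decoded}"))
            # T1115: clipboard read via PowerShell cmdlet, plain or decoded
            if "get-clipboard" in (cmdline + (decoded or "")).lower():
                hits.append(("T1115", host, "clipboard read via Get-Clipboard"))
        elif ev["type"] == "registry" and RUN_KEY_RE.search(ev["key"]):
            hits.append(("T1547.001", host, f"{ev['key']} = {ev['value']}"))
        elif ev["type"] == "file" and ev["path"].lower().endswith(BROWSER_CRED_FILES):
            hits.append(("T1555.003", host, f"{ev['image']} read {ev['path']}"))
        elif (ev["type"] == "network" and ev["dest_host"].lower() == "discord.com"
              and ev["url"].startswith("/api/webhooks/")):
            hits.append(("T1567.002", host, f"{ev['image']} posted to a Discord webhook"))
    return hits


if __name__ == "__main__":
    for tid, host, detail in hunt(SAMPLE_EVENTS):
        print(f"[{tid}] {host}: {detail}")
```

The benign WS-02 event (PowerShell launched from Explorer with a plain `-File` argument) produces no finding, which is the point of keying the Execution hit on the Office parent rather than on PowerShell alone; PowerShell by itself is routine on administered hosts. The Discord webhook token in the sample is a placeholder, not an indicator from the report.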

Report ID: CTIR-2026-04-17-OKY
Date of Publication: April 17, 2026
Classification: CONFIDENTIAL // THREAT INTEL
Prepared For: Cybersecurity Incident Response Teams (CSIRTs), Threat Hunting Units, Security Operations Centers (SOCs)
Threat Level (Estimated): MEDIUM to HIGH (conditional)

1. Executive Summary

The term "Oky Thief" has surfaced in fragmented dark web forums, low-level cryptominer logs, and a handful of incident response tickets. It is not a globally recognized advanced persistent threat (APT) group nor a standardized malware family. However, its components suggest a modular information stealer likely distributed via phishing campaigns, fake software cracks, and malicious browser extensions.

This document is provided for cybersecurity defense purposes only. No actual malware samples are included. Indicators should be validated before blocking in production environments.