Oky Thief Guide


| Tactic | Technique ID | Description |
|--------|--------------|-------------|
| Initial Access | T1566.001 | Phishing: Spearphishing Attachment |
| Execution | T1059.001 | PowerShell |
| Persistence | T1547.001 | Registry Run Keys / Startup Folder |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information |
| Credential Access | T1555.003 | Credentials from Web Browsers |
| Collection | T1115 | Clipboard Data |
| Exfiltration | T1567.002 | Exfiltration to Webhook (Discord) |

This document is provided for cybersecurity defense purposes only. No actual malware samples are included. Indicators should be validated before blocking in production environments.

Report ID: CTIR-2026-04-17-OKY
Date of Publication: April 17, 2026
Classification: CONFIDENTIAL // THREAT INTEL
Prepared For: Cybersecurity Incident Response Teams (CSIRTs), Threat Hunting Units, Security Operations Centers (SOCs)
Threat Level (Estimated): MEDIUM to HIGH (conditional)

1. Executive Summary

The term “Oky Thief” has surfaced in fragmented dark web forums, low-level cryptominer logs, and a handful of incident response tickets. It is not a globally recognized advanced persistent threat (APT) group nor a standardized malware family. However, its components suggest a modular information stealer likely distributed via phishing campaigns, fake software cracks, and malicious browser extensions.
