Kaspersky has recently released their finding about a malware framework called
OkoBot. It is said that this malware has been running since April 2025. And one of it's modules is build and targets hardware wallet owners to type their recovery phase.

And this module is called
SeedHunter. So once you installed and your device is infected, it watches for the following hardware wallet:
- Trezor Suite
- Ledger Wallet
- Ledger Live
It even has the capability to wait, as it scans for USB by vendor and product ID (very smart), then wait for the real hardware to be plug in your computer.

So this threat is really very dangerous as it targets specific device which is the hardware wallet.
As for the victims it is reported to be:

I also urged to read the report, it's very complicated as I only touch the ones that is important.
https://securelist.com/okobot-framework-targets-cryptocurrency-wallets/120660/