Key facts
- Kaspersky has identified a new malware framework named OkoBot targeting cryptocurrency investors.
- OkoBot initiates infections through social engineering tactics like ClickFix or trojanized GitHub apps.
- The malware is capable of harvesting crypto wallet files, browser data, and user credentials.
- It can also inject malicious extensions and capture wallet application windows to steal assets.
- OkoBot evolved from the 'TookPS' malware campaign, first identified in 2025.
- A separate campaign targets Web3 developers via fake LinkedIn recruitment using malicious GitHub repositories.
Kaspersky has identified a new malware framework, dubbed OkoBot, that is specifically targeting cryptocurrency investors. The malware employs social engineering tactics, such as the ClickFix tool or trojanized GitHub applications, to initiate its infection chain. Once a device is compromised, OkoBot can harvest sensitive information including crypto wallet files, browser data, and user credentials. It also has the capability to inject malicious browser extensions and capture wallet application windows to facilitate asset theft.
Kaspersky noted that this malware family has been observed in multiple attacks since January 2026. The framework is an evolution of 'TookPS,' a malware campaign first identified in 2025 that distributed a Trojan downloader via fake software websites. OkoBot's distinct feature is its orchestration of all 20 malicious payloads through an SSH tunnel, enabling attackers to remotely transport stolen data.
In a separate development, a new malware campaign is targeting Web3 developers through deceptive LinkedIn recruitment efforts, according to SlowMist. Attackers pose as recruiters and send fake GitHub repositories, presenting them as essential pre-interview tasks. This tactic closely mimics legitimate developer workflows, making it difficult to detect. The malware aims to deliver a remote access trojan to steal project keys, cloud credentials, or wallet extension data from these developers. SlowMist highlighted that attackers are increasingly exploiting scenarios like recruitment and collaboration to trick developers into running malicious code.