Kaspersky Uncovers OkoBot Malware Framework Targeting Crypto Investors

Kaspersky uncovered a new malware framework targeting cryptocurrency investors in a Wednesday report. Dubbed OkoBot, the malware initiates an infection chain through social engineering tactics such as ClickFix, which tricks users into running malicious commands, or trojanized GitHub apps that deliver a backdoor to infected devices. Kaspersky identified multiple attacks involving this malware family since January 2026. The malware can harvest crypto wallet files, browser data and user credentials, inject malicious extensions and capture wallet application windows to steal assets. The malware framework evolved from TookPS, a malware campaign first identified in 2025 that distributed a Trojan downloader through fake software websites.

OkoBot Framework Operates Through SSH Tunnel Architecture

OkoBot differs from prior campaigns by orchestrating all 20 malicious payloads via an SSH tunnel, which enables the remote transport of data from infected computers to remote machines controlled by attackers. Kaspersky added that the framework opens the door to copycat attacks.

Original OkoBot infection chain. Source: Kaspersky

Fake LinkedIn Campaigns Target Web3 Developers via Malicious GitHub Repositories

A separate malware campaign seeks to infiltrate the devices of Web3 developers via fake LinkedIn recruitment opportunities, according to SlowMist. Attackers contact blockchain developers via LinkedIn, posing as Web3 recruiters, the blockchain security company said in a Saturday report. They then send fake GitHub repositories to victims, claiming they contained the minimum viable product that needed to be tried before the interview.

The workflow closely resembles a legitimate technical interview where developers pull code, install dependencies and launch a project, which makes it difficult to notice the attack, according to SlowMist. The malware aims to deliver a complete remote access trojan that infects devices, enabling attackers to steal project keys, cloud credentials, or wallet extension data from these developers.

SlowMist wrote that this attack is not an isolated case, adding that recent incidents illustrate that attackers are increasingly leveraging scenarios such as recruitment, code reviews and project collaborations to trick developers into actively running malicious repositories. The report came a day after SlowMist warned of a separate malware campaign targeting macOS users, aiming to steal their credentials and hijack their Telegram sessions to ultimately trick investors into entering their wallet recovery phrases through fake websites.

FAQ

What is OkoBot malware and when was it discovered?

OkoBot is a malware framework targeting cryptocurrency investors that Kaspersky uncovered in a Wednesday report. Kaspersky identified multiple attacks involving this malware family since January 2026. The malware initiates infection through social engineering tactics such as ClickFix or trojanized GitHub apps and can harvest crypto wallet files, browser data, user credentials, inject malicious extensions and capture wallet application windows.

How do fake LinkedIn recruitment campaigns target Web3 developers?

Attackers contact blockchain developers via LinkedIn, posing as Web3 recruiters, according to SlowMist's Saturday report. They send fake GitHub repositories to victims, claiming they contain a minimum viable product that needs to be tried before the interview. The workflow resembles a legitimate technical interview where developers pull code, install dependencies and launch a project, making it difficult to notice the attack. The malware delivers a remote access trojan that steals project keys, cloud credentials, or wallet extension data.

Disclaimer: The information on this page may come from third-party sources and is for reference only. It does not represent the views or opinions of Gate and does not constitute any financial, investment, or legal advice. Virtual asset trading involves high risk. Please do not rely solely on the information on this page when making decisions. For details, see the Disclaimer.
Comment
0/400
No comments