Kaspersky uncovered a new malware framework targeting cryptocurrency investors, according to a Wednesday report. Dubbed OkoBot, the malware initiates infection chains through social engineering tactics such as ClickFix and trojanized GitHub apps that deliver backdoors to infected devices. Kaspersky identified multiple attacks involving this malware family since January 2026. The malware evolved from TookPS, a campaign first identified in 2025 that distributed a Trojan downloader through fake software websites. Separately, SlowMist reported Saturday that a malware campaign is targeting Web3 developers via fake LinkedIn recruitment opportunities, delivering remote access trojans through malicious GitHub repositories posed as technical interview materials.
OkoBot Framework Harvests Wallet Files Through SSH Tunnel Architecture
The OkoBot malware can harvest crypto wallet files, browser data and user credentials, inject malicious extensions and capture wallet application windows to steal assets, Kaspersky wrote in the report. The framework differs from prior campaigns by orchestrating all 20 malicious payloads via an SSH tunnel, which enables the remote transport of data from infected computers to remote machines controlled by attackers. Kaspersky added that the malware framework opens the door to copycat attacks.
Fake LinkedIn Recruiters Deliver Trojans via GitHub Repositories
Attackers contact blockchain developers via LinkedIn, posing as Web3 recruiters, according to SlowMist. They send fake GitHub repositories to victims, claiming they contained the minimum viable product that needed to be tried before the interview, the blockchain security company said in a Saturday report. The workflow closely resembles a legitimate technical interview where developers pull code, install dependencies and launch a project, which makes it difficult to notice the attack. The malware aims to deliver a complete remote access trojan that infects devices, enabling attackers to steal project keys, cloud credentials, or wallet extension data from these developers.
SlowMist Links Attack to Broader Developer-Targeting Campaign
SlowMist wrote that this attack is not an isolated case, adding that recent incidents illustrate that attackers are increasingly leveraging scenarios such as recruitment, code reviews and project collaborations to trick developers into actively running malicious repositories. The report came a day after SlowMist warned of a separate malware campaign targeting macOS users, aiming to steal their credentials and hijack their Telegram sessions to ultimately trick investors into entering their wallet recovery phrases through fake websites.
FAQ
What is OkoBot malware and when was it identified?
OkoBot is a malware framework targeting cryptocurrency investors that Kaspersky uncovered in a Wednesday report. Kaspersky identified multiple attacks involving this malware family since January 2026. The malware initiates infection chains through social engineering tactics such as ClickFix and trojanized GitHub apps.
How does the fake LinkedIn recruitment campaign target Web3 developers?
Attackers contact blockchain developers via LinkedIn, posing as Web3 recruiters, according to SlowMist's Saturday report. They send fake GitHub repositories to victims, claiming they contained the minimum viable product that needed to be tried before the interview. The workflow resembles a legitimate technical interview, making it difficult to notice the attack.
What data does OkoBot malware steal from infected devices?
The OkoBot malware can harvest crypto wallet files, browser data and user credentials, inject malicious extensions and capture wallet application windows to steal assets, according to Kaspersky. The framework orchestrates all 20 malicious payloads via an SSH tunnel, enabling remote transport of data from infected computers to attacker-controlled machines.