Kaspersky has identified a new malware framework called “OkoBot” that is specifically targeting cryptocurrency investors, the cybersecurity firm revealed in a report published on Wednesday.
Malware evolves to target wallets and credentials
According to Kaspersky, OkoBot starts its infection process using social engineering strategies, such as deploying ClickFix tactics that mislead users into running malicious commands. The malware can also be delivered through trojanized GitHub applications, which infect devices with a backdoor designed to steal sensitive information.
Once installed, OkoBot can extract crypto wallet files, browser data, and user account credentials. The framework is also capable of injecting harmful browser extensions and capturing wallet application windows, giving attackers the means to steal digital assets.
Kaspersky reported multiple detected attacks involving the OkoBot family since January 2026. The company observed that OkoBot is an evolution of a previous malware campaign known as “TookPS,” first identified in 2025, which used fake software websites to distribute Trojan downloaders. By expanding on these tactics, OkoBot provides an entry point for potential copycat operations.
A notable feature of OkoBot is its orchestration of 20 separate malicious payloads through an SSH tunnel. This approach allows attackers to conduct remote data transfers from infected systems directly to external machines under their control, streamlining the theft of user information and digital assets.
Mini dictionary: SSH tunnel – A secure network protocol that enables encrypted connections between devices, often used by attackers in cyber intrusions to transfer data covertly between infected systems and command-and-control servers.
Kaspersky highlighted that the OkoBot campaign delivers all its malicious payloads via an SSH tunnel, giving attackers direct access to harvest sensitive crypto data from compromised systems.
Fake Web3 job offers and developer-targeted malware
In a separate development, blockchain security company SlowMist has warned Web3 developers about a sophisticated new threat emerging through fraudulent LinkedIn recruitment campaigns.
Attackers impersonate Web3 recruiters on LinkedIn and contact blockchain developers with offers of job opportunities. They follow up by providing links to fake GitHub repositories, claiming these contain a minimum viable product needed for a technical interview. This tactic mirrors authentic interview workflows, leading developers to download, install, and execute harmful code without suspicion.
The malicious files are designed to deliver a remote access trojan, giving bad actors complete control over infected devices. With access, attackers can steal project keys, cloud service credentials, and crypto wallet extension data.
SlowMist stated that these campaigns are becoming increasingly common, with attackers using multiple professional scenarios such as recruitment, code reviews, and collaborative projects to trick developers into activating malicious repositories.
According to SlowMist, attackers now “leverage scenarios such as recruitment, code reviews, and project collaborations to trick developers into actively running malicious repositories,” making the attacks challenging to detect.
Just a day prior to its Saturday report, SlowMist warned about a related malware campaign targeting macOS users, which aims to steal user credentials and hijack Telegram sessions. These attacks ultimately direct victims to fraudulent websites where they are prompted to input wallet recovery phrases, placing investor funds at risk.
Mini dictionary: SlowMist – A blockchain security firm specializing in blockchain ecosystem audits, threat monitoring, and vulnerability detection for Web3 projects.




