New Malware Framework Targeting Cryptocurrency Investors Discovered by Kaspersky

New Malware Framework Targeting Cryptocurrency Investors Discovered by Kaspersky

A recently discovered malware framework is being used to attack cryptocurrency investors using social engineering methods and compromised GitHub applications, according to cybersecurity firm Kaspersky.

A novel malware framework designed to attack cryptocurrency investors has been discovered by Kaspersky.

The malware, which has been named "OkoBot," launches an infection sequence beginning with social engineering methods like ClickFix, a technique that deceives users into executing harmful commands, or compromised GitHub applications that install a backdoor onto targeted devices, according to a Wednesday report published by the cybersecurity firm.

The malicious software has the capability to extract crypto wallet files, browser information and user login credentials, install harmful extensions and capture wallet application windows for the purpose of stealing digital assets. According to Kaspersky, several attacks utilizing this malware family have been detected since January 2026.

The cybersecurity company noted that the malware framework represents an evolution of "TookPS," a malware campaign originally discovered in 2025 that spread a Trojan downloader using fraudulent software websites, and that it creates opportunities for similar copycat attacks.

What sets it apart from previous campaigns is its coordination of all 20 malicious payloads through an SSH tunnel, which facilitates the remote transmission of data from compromised computers to remote machines under attacker control.

OkoBot infection chain diagram
The original OkoBot infection chain. Source: Kaspersky

Web3 developers targeted through fake LinkedIn recruitment campaigns distributing malware

In a separate incident, a newly identified malware campaign is attempting to compromise the devices of Web3 developers through fraudulent LinkedIn job recruitment opportunities, as reported by SlowMist.

Cybercriminals reach out to blockchain developers on LinkedIn, presenting themselves as Web3 recruiters. Subsequently, they transmit fraudulent GitHub repositories to their targets, alleging that these repositories contain the minimum viable product that must be tested prior to the interview, as detailed in a Saturday report from the blockchain security firm.

The process bears a strong resemblance to an authentic technical interview where developers retrieve code, add dependencies and execute a project, making the attack challenging to detect, SlowMist explained.

The objective of the malware is to deploy a comprehensive "remote access trojan" that compromises devices, allowing attackers to extract project keys, cloud credentials, or wallet extension data from the targeted developers.

This attack is not an isolated case. Attackers are increasingly leveraging scenarios such as recruitment, code reviews and project collaborations to trick developers into actively running malicious repositories.

SlowMist

The findings were released one day after SlowMist issued a warning about a different malware campaign directed at macOS users, designed to capture their credentials and take over their Telegram sessions with the ultimate goal of deceiving investors into providing their wallet recovery phrases via fraudulent websites.