- Kaspersky said OkoBot targets cryptocurrency investors through social engineering and trojanized GitHub applications.
- The malware can collect wallet files, browser data and user credentials while capturing wallet application windows.
- SlowMist reported separate attacks involving fake recruitment messages, malicious repositories and malware aimed at macOS users.
Kaspersky said a newly identified crypto malware framework is targeting cryptocurrency investors through social engineering and trojanized GitHub applications. The cybersecurity company identified the framework as OkoBot and said its infection chain can begin with ClickFix tactics that persuade users to run malicious commands or with fake applications hosted on GitHub that install a backdoor. Once a device is compromised, the malware can collect wallet files, browser data and login credentials. Kaspersky also said it can inject malicious browser extensions and capture wallet application windows. The company has identified multiple attacks involving the malware family since January 2026 and linked it to an earlier campaign known as TookPS.
Kaspersky tracks crypto malware aimed at investors
Kaspersky described OkoBot as a framework built to reach cryptocurrency investors through familiar online actions rather than through an obvious request to transfer funds. One infection method uses ClickFix, a social engineering tactic that convinces victims to copy or run commands on their own devices. Another relies on trojanized GitHub applications that appear legitimate but install a backdoor after they are downloaded and opened. According to the report, the crypto malware can gather several types of sensitive information from an infected system. Its targets include cryptocurrency wallet files, browser information and user credentials. Kaspersky also said the framework can inject malicious extensions into browsers and capture windows belonging to wallet applications, creating several possible routes for attackers to access accounts or digital assets.
How crypto malware evolved from TookPS
Kaspersky said OkoBot evolved from TookPS, a campaign the company first identified in 2025. In that earlier activity, attackers used fake software websites to distribute a Trojan downloader. The connection indicates that OkoBot developed from an established delivery method instead of appearing as a completely separate operation with no known background. The newer framework is more coordinated than the earlier campaign. Kaspersky said OkoBot manages 20 malicious payloads through an SSH tunnel, which allows information taken from infected computers to be transferred to remote machines controlled by attackers. The company also warned that the structure could support copycat operations because other attackers may attempt to reproduce or adapt the same approach.
Crypto malware risks spread to Web3 developers
In a separate report, SlowMist described another crypto malware campaign aimed at Web3 developers through fake LinkedIn recruitment messages. Attackers allegedly approach blockchain developers while pretending to represent employers or recruitment teams. By starting the conversation in a professional setting, they can reduce suspicion and make later requests to download code or test a project appear connected to a genuine job opportunity. SlowMist said the attackers then send fake GitHub repositories and claim that the code contains a minimum viable product that must be reviewed before an interview. The process resembles a normal technical hiring task in which a developer pulls a repository, installs dependencies and launches the project locally. That familiar workflow makes the attack harder to identify because the victim may believe that running the code is simply part of the recruitment process rather than the beginning of a malware infection.
Warnings extend beyond one campaign
SlowMist said the developer-focused operation is intended to install a full remote access trojan on the victim’s device. Such access could allow attackers to obtain project keys, cloud credentials or data stored by wallet extensions. The potential impact therefore extends beyond individual investors and may also affect development teams, infrastructure providers or blockchain projects whose employees handle sensitive technical credentials. The firm said the campaign was not an isolated case. Recent incidents, according to SlowMist, show attackers using recruitment conversations, code reviews and proposed project collaborations to persuade targets to run malicious repositories. SlowMist had also warned a day earlier about malware aimed at macOS users that could steal credentials and hijack Telegram sessions before directing investors to fake websites designed to collect wallet recovery phrases.
Conclusion
The reports from Kaspersky and SlowMist point to a wider pattern in which crypto malware is delivered through activities that appear routine or professionally relevant. Kaspersky said OkoBot reaches investors through ClickFix social engineering and trojanized GitHub applications, while SlowMist described separate operations involving fake recruiters, malicious repositories and attacks on macOS users. Across the reported cases, attackers attempt to make harmful code look like part of a normal task, such as installing software, testing a project or responding to a job opportunity. The findings show that both investors and Web3 developers can be targeted through several entry points, with GitHub, LinkedIn and familiar work processes used to build trust before infection.
Disclaimer
The information provided in this article is for informational purposes only and should not be considered financial advice. The article does not offer sufficient information to make investment decisions, nor does it constitute an offer, recommendation, or solicitation to buy or sell any financial instrument. The content is opinion of the author and does not reflect any view or suggestion or any kind of advise from CryptoNewsBytes.com. The author declares he does not hold any of the above mentioned tokens or received any incentive from any company.
Featured image created by AI

