Kaspersky has discovered a new malware framework targeting cryptocurrency investors.
Dubbed “OkoBot,” the malware initiates an infection chain that begins with social engineering tactics such as ClickFix, which tricks users into executing malicious commands, or trojanized GitHub apps that provide a backdoor to infected devices, the cybersecurity company wrote in a statement Wednesday. report.
The malware can harvest crypto wallet files, browser data and user credentials, inject malicious extensions and capture wallet application windows to steal assets. Kaspersky said it has identified several attacks involving this malware family since January 2026.
Kaspersky added that the malware framework evolved from “TookPS,” a malware campaign first identified in 2025 that distributed a Trojan downloader through fake software websites, and opened the door to copycat attacks.
It differs from previous campaigns by orchestrating the 20 malicious payloads through an SSH tunnel, which allows remote transport of data from infected computers to remote machines controlled by attackers.

Original OkoBot infection chain. Source: Kaspersky
Fake LinkedIn recruiting campaigns target Web3 developers with malware
Separately, according to SlowMist, a new malware campaign seeks to infiltrate the devices of Web3 developers via fake recruiting opportunities on LinkedIn.
Attackers contact blockchain developers via LinkedIn, posing as Web3 recruiters. They then send fake GitHub repositories to victims, claiming they contained the minimum viable product that needed to be tried before the interview, the blockchain security company said Saturday. report.
The workflow closely resembles a legitimate technical interview in which developers pull code, install dependencies, and launch a project, making it difficult to detect the attack, according to SlowMist.
Related: UK sentences 2 hackers linked to $115 million crypto ransom scheme
The malware aims to deliver a full-featured “remote access Trojan” that infects devices, allowing attackers to steal project keys, cloud credentials or wallet expansion data from these developers.
“This attack is not an isolated case,” SlowMist wrote, adding that recent incidents illustrate that “attackers are increasingly exploiting scenarios such as recruiting, code reviews, and project collaboration to trick developers into actively running malicious repositories.”
The report came a day after SlowMist warned of a targeting a malware campaign macOS users, with the aim of stealing their credentials and hijacking their Telegram sessions to ultimately trick investors into entering their wallet recovery phrases through fake websites.
Review: Does Botanix’s Failure Prove Bitcoiners Don’t Care About DeFi?
