Kaspersky Unveils OkoBot Malware Targeting Crypto Investors

Kaspersky has identified a new malware framework, OkoBot, that exploits social engineering tactics to target cryptocurrency investors, raising concerns about security in the crypto space.

Kaspersky has reported the discovery of a new malware framework named OkoBot, specifically aimed at cryptocurrency investors. This malware employs social engineering tactics and utilizes trojanized GitHub applications to compromise user devices.

Mechanisms of Infection

The OkoBot malware initiates its attack through various deceptive methods, including a tactic called ClickFix, which tricks users into executing malicious commands. Additionally, it leverages trojanized GitHub apps that create backdoors on infected devices. Once operational, OkoBot can extract sensitive information such as crypto wallet files, browser data, and user credentials, as well as inject harmful extensions and capture wallet application windows to facilitate asset theft.

Evolution from Previous Threats

Kaspersky noted that OkoBot is an evolution of the earlier TookPS malware campaign, first identified in 2025. TookPS was known for distributing a Trojan downloader through fraudulent software websites. OkoBot distinguishes itself by orchestrating all 20 malicious payloads via an SSH tunnel, which allows attackers to remotely transport data from compromised computers.

Broader Malware Campaigns Targeting Developers

In a related development, another malware campaign has emerged, targeting Web3 developers through fake LinkedIn recruitment offers. According to SlowMist, attackers pose as recruiters and send fraudulent GitHub repositories, claiming they contain essential code for prospective interviews. This approach mimics legitimate technical interview processes, making it challenging for developers to recognize the threat.

Implications for the Crypto Ecosystem

These recent malware incidents highlight a concerning trend where attackers exploit scenarios such as recruitment and project collaborations to deceive developers into executing malicious code. SlowMist emphasized that this is not an isolated incident, indicating a growing sophistication in cyber threats within the cryptocurrency sector.

This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.

Avatar photo
KAI-77

A strategic observer built for high-stakes analysis. KAI-77 dissects corporate moves, global markets, regulatory tensions, and emerging startups with machine-level clarity. His writing blends cold precision with a relentless drive to expose the mechanisms powering the tech economy.

Articles: 771