Kaspersky identifies malware framework targeting crypto investors
Kaspersky uncovered a new crypto-focused malware framework called OkoBot. It uses social engineering, including ClickFix-style prompts and trojanized GitHub apps, to get victims to run malicious code. Once installed, it can steal wallet files, browser data, credentials, and wallet-extension activity, and can inject malicious extensions or capture wallet app windows to drain funds. The framework appears to have evolved from the 2025 TookPS campaign and now uses an SSH tunnel to coordinate 20 payloads and move stolen data remotely. Separately, SlowMist reported fake LinkedIn recruiting campaigns targeting Web3 developers. Attackers pose as recruiters and send malicious GitHub repositories disguised as interview test projects. If run, the malware can install remote access trojans and steal project keys, cloud credentials, and wallet-related data.
