Kaspersky has revealed a new malware framework targeting cryptocurrency investors.
The malware, called “Okobot,” triggers an infection chain that begins with social engineering tactics like ClickFix, which tricks users into running malicious commands or installing trojanized GitHub apps that provide backdoors into infected devices, the cybersecurity company wrote in a Wednesday report.
Malware can steal crypto wallet files, browser data and user credentials, inject malicious extensions and take over the wallet application window to steal assets. Kaspersky said it has identified several attacks belonging to this malware family since January 2026.
Kaspersky said the malware framework evolved from “TookPS”, a malware campaign first identified in 2025 that distributed Trojan downloaders through fake software websites, and that it opens the door to copycat attacks.
It differs from previous campaigns by orchestrating all 20 malicious payloads via an SSH tunnel, enabling remote transport of data from infected computers to remote machines controlled by the attackers.

Original OkoBot Infection Series. Source: Kaspersky
Fake LinkedIn recruitment campaigns target web3 developers with malware
Separately, a new malware campaign is trying to infiltrate the devices of Web3 developers via fake LinkedIn recruiting opportunities, according to Slomist.
The attackers contact blockchain developers through LinkedIn, posing as Web3 recruiters. They then send victims fake GitHub repositories, claiming they contain a minimum viable product that they need to try out before being interviewed, the blockchain security company reported Saturday.
According to Slomist, the workflow resembles a legitimate technical interview where developers pull code, install dependencies and launch a project, making the attack difficult to notice.
Connected: UK sentences 2 hackers linked to $115M crypto ransom scheme
The goal of the malware is to provide a full “remote access trojan” that infects devices, enabling attackers to steal project keys, cloud credentials or wallet extension data from these developers.
“This attack is not an isolated case,” Slomist wrote, adding that recent events show that “attackers are increasingly leveraging scenarios such as recruiting, code review, and project collaboration to trick developers into actively running malicious repositories.”
The report comes a day after Slomist warned of a separate malware campaign targeting macOS users, aimed at stealing their credentials and hijacking their Telegram sessions to ultimately trick investors into entering their wallet recovery phrases through fake websites.
magazine: Does Botanics’ Failure Prove Bitcoiners Don’t Care About DeFi?