Kaspersky has discovered a fresh malware platform targeting cryptocurrency investors.
The malware, dubbed “OkoBot,” initiates a chain of infections that begins with social engineering tactics such as ClickFix, which tricks users into running malicious commands, or trojanized GitHub applications that provide backdoors to infected devices, the cybersecurity firm wrote on Wednesday. report.
The malware can collect crypto wallet files, browser data, and user credentials, inject malicious extensions, and hijack wallet application windows to steal resources. Kaspersky said it has identified multiple attacks involving this malware family since January 2026.
Kaspersky added that the malware platform evolved from “TookPS,” a malware campaign first identified in 2025 that distributed a Trojan downloader via spoof websites, and that it opens the door to copycat attacks.
It differs from previous campaigns in that it orchestrates all 20 malicious payloads via an SSH tunnel, which allows data to be remotely transported from infected computers to remote machines controlled by the attackers.
Original OkoBot infection chain. Source: Kaspersky
Fake LinkedIn recruitment campaigns target Web3 developers with malware
According to SlowMist, a fresh malware campaign aims to infiltrate Web3 developers’ devices through phony LinkedIn recruiting opportunities.
Attackers contact blockchain developers via LinkedIn, posing as Web3 recruiters. They then send victims phony GitHub repositories, claiming they contain a minimum viable product that must be tried before a job interview, a blockchain security company said Saturday. report.
The workflow closely resembles a legitimate technical call, with developers downloading code, installing dependencies and running the project, which SlowMist says makes it harder to spot an attack.
Related: UK Convicts 2 Hackers Linked to $115 Million Crypto Ransom Scheme
The malware aims to deliver a complete “remote access Trojan” that infects devices, allowing attackers to steal project keys, cloud credentials, or wallet extension data from these developers.
“This attack is not an isolated incident,” SlowMist wrote, adding that recent incidents show that “attackers are increasingly using scenarios such as recruitment, code reviews, and project collaboration to trick developers into actively running malicious repositories.”
The report comes a day after SlowMist warned of a separate malware campaign targeting macOS users that aimed to steal their credentials and hijack their Telegram sessions, ultimately tricking investors into entering wallet recovery phrases via phony websites.
Warehouse: Does the Botanix failure prove that Bitcoiners don’t care about DeFi?
