Guavy AI Editorial TeamSentiment: -2Clout: 60

OkoBot Malware Framework Targets Crypto Investors with Social Engineering Tactics

Kaspersky researchers have identified a new malware framework targeting cryptocurrency investors called OkoBot. The malware initiates an infection chain that starts with social engineering tactics such as ClickFix, which tricks users into running malicious commands, or trojanized GitHub apps that deliver a backdoor to infected devices.

OkoBot can harvest crypto wallet files, browser data and user credentials, inject malicious extensions and capture wallet application windows to steal assets. Kaspersky said it identified multiple attacks involving this malware family since January 2026.

The OkoBot framework evolved from 'TookPS,' a malware campaign first identified in 2025 that distributed a Trojan downloader through fake software websites. OkoBot differs from prior campaigns by orchestrating all 20 malicious payloads via an SSH tunnel, which enables the remote transport of data from infected computers to remote machines controlled by attackers.