Kaspersky Uncovers Malware Framework Targeting Crypto Investors
Kaspersky identifies a malware framework targeting cryptocurrency investors through social engineering tactics and trojanized GitHub apps.
Intelligence analysis by Llama

Kaspersky has uncovered a malware framework targeting cryptocurrency investors. The malware initiates an infection chain that starts with social engineering tactics and trojanized GitHub apps.
Imagine someone trying to trick you into installing a bad app on your computer. This malware framework is like a sneaky way for hackers to get into your computer and steal your money.
Analysis
A New Malware Framework Emerges
Kaspersky has identified a new malware framework targeting cryptocurrency investors. Dubbed "OkoBot," the malware initiates an infection chain that starts with social engineering tactics such as ClickFix, which tricks users into running malicious commands, or trojanized GitHub apps that deliver a backdoor to infected devices. The malware can harvest crypto wallet files, browser data, and user credentials, inject malicious extensions, and capture wallet application windows to steal assets.
Evolution of Malware Campaigns
Kaspersky added that the malware framework evolved from "TookPS," a malware campaign first identified in 2025 that distributed a Trojan downloader through fake software websites. This new malware framework differs from prior campaigns by orchestrating all 20 malicious payloads via an SSH tunnel, which enables the remote transport of data from infected computers to remote machines controlled by attackers.
Implications for Crypto Investors
The discovery of this malware framework highlights the need for increased security measures to protect against social engineering tactics and trojanized apps. Crypto investors should be cautious when interacting with unfamiliar apps or websites, and ensure that their devices and wallets are properly secured.
Key points
- Kaspersky has identified a new malware framework targeting cryptocurrency investors.
- The malware initiates an infection chain that starts with social engineering tactics and trojanized GitHub apps.
- The malware can harvest crypto wallet files, browser data, and user credentials, inject malicious extensions, and capture wallet application windows to steal assets.
- The malware framework evolved from "TookPS," a malware campaign first identified in 2025.
- The new malware framework differs from prior campaigns by orchestrating all 20 malicious payloads via an SSH tunnel.
If this malware framework is identified and stopped, it could prevent many crypto investors from losing their money to these types of attacks.
If the malware framework is not stopped, it could lead to a significant increase in crypto investor losses, potentially causing a ripple effect throughout the crypto market.



