A new malware framework targeting cryptocurrency investors' wallet files and account information has been identified. Cointelegraph reported on July 18 that cybersecurity firm Kaspersky discovered malware called Okobot that is spread using social engineering techniques and trojanised GitHub apps.
The company said Okobot uses tactics such as “ClickFix” in the early stages of infection to induce users to execute malicious commands themselves. It also installs a backdoor through a GitHub app disguised as legitimate software. Kaspersky said it confirmed cases in which the malware family has been used in multiple attacks since January 2026.
The malware can collect cryptocurrency wallet files, browser data and user credentials. It also has functions to attempt asset theft by injecting malicious extensions or capturing wallet application windows.
The attack aims to infect devices by planting a remote access trojan. Attackers can use this to steal project keys, cloud credentials and wallet extension data.
Kaspersky said Okobot is an evolved form of the TookPS malware campaign first identified in 2025. At the time, TookPS distributed a trojan downloader through fake software sites.