securelist.com 7/15/2026, 10:04:15 AM · external

OkoBot Malware Uses SSH Tunnels to Steal Crypto Data Worldwide

OkoBot Malware Uses SSH Tunnels to Steal Crypto Data Worldwide
CyberSIXT Evidence Panel Source marked as original reporting

THE article discusses the OkoBot malware framework, which targets cryptocurrency users by utilizing a complex infection chain that consists of various malicious payloads delivered through SSH tunnels. Initially identified in January 2026, it activates via the TookPS script to deploy multiple modules for data exfiltration and unauthorized access. The framework is characterized by its multi-stage attacks, including initial infections through malicious software masquerading as legitimate applications.

Key modules include a browser extensions loader that installs hidden malicious extensions and plugins capable of stealing sensitive data. As of the report, the campaign targets victims in over 25 countries, primarily focusing on financial information related to cryptocurrencies. The framework remains active and continues to evolve, employing sophisticated evasion and persistence techniques.

View full article

Article by CyberSIXT