THE article discusses the OkoBot malware framework, which targets cryptocurrency users by utilizing a complex infection chain that consists of various malicious payloads delivered through SSH tunnels. Initially identified in January 2026, it activates via the TookPS script to deploy multiple modules for data exfiltration and unauthorized access. The framework is characterized by its multi-stage attacks, including initial infections through malicious software masquerading as legitimate applications.
Key modules include a browser extensions loader that installs hidden malicious extensions and plugins capable of stealing sensitive data. As of the report, the campaign targets victims in over 25 countries, primarily focusing on financial information related to cryptocurrencies. The framework remains active and continues to evolve, employing sophisticated evasion and persistence techniques.