News · News

Kaspersky Flags New Crypto-Targeting Malware Framework Using TookPS and OkoSpyware via Trojanized GitHub Apps

Kaspersky has identified a two-component malware framework using TookPS to steal crypto seed phrases and OkoSpyware to surveil Chromium browsers via trojanized GitHub apps.

Kaspersky Flags New Crypto-Targeting Malware Framework Using TookPS and OkoSpyware via Trojanized GitHub Apps

Kaspersky has a name for the latest malware framework going after crypto investors’ seed phrases — and it’s nastier than most. The firm identified a two-component toolkit that deploys TookPS to exfiltrate seed phrases from victims’ wallets while bundling a fresh surveillance module, OkoSpyware, purpose-built to monitor activity inside Chrome, Brave, Edge, and anything else running on Chromium, according to a Kaspersky press release.

B
Bitcoin
BTC
View coin →
$64,777.00 1.32%
Market cap · $1.3T

The entry point is social engineering — always. Victims get nudged into downloading what look like legitimate applications hosted on GitHub repositories that have been trojanized, meaning the code is modified to carry a malicious payload while still behaving enough like the real software that nothing immediately feels wrong. Kaspersky calls the framework “sophisticated,” and the label earns its keep here: multi-stage delivery, active evasion, well past the threshold of a dumb one-click infection. TookPS goes hunting for seed phrases once it’s installed. OkoSpyware fans out from there, watching what users do inside those browsers — credentials, session tokens, browsing patterns, anything that opens a second door.

Seed phrase theft is the critical threat here. A stolen password is recoverable; a stolen seed phrase is not — it hands attackers complete, permanent control of a wallet with no two-factor prompt to trip over and no reset flow to trigger. Funds are typically gone before the victim notices a single unauthorized transaction. That’s what makes TookPS and OkoSpyware genuinely dangerous as a pair: one module drains the vault, the other maps the surrounding terrain for whatever target comes next.

This framework is distinct from — and newer than — Kaspersky’s previously reported GitVenom campaign, which also weaponized infected GitHub repositories against gamers and crypto investors. The pattern, at this point, is hard to call coincidental. Back in August 2024, Kaspersky disclosed a campaign called “Tusk,” which leaned on popular web3 and cryptocurrency topics as lures to distribute malware targeting crypto users. Tusk, then GitVenom, now this — the progression maps a deliberate and escalating focus on the same demographic: investors technically engaged enough to pull tools from GitHub but not always cautious enough to check whether what they’re installing has been tampered with.

The timing drops into a market where exposure may be heightened. Total crypto market cap sits at $2,275.95 billion. The Fear & Greed Index reads 25/100 — Extreme Fear. BBTC$64,777.001.32% trades at $64,054, up 1.37% over the past 24 hours, with a dominance of 56.5%, which makes BTC wallets a prime target for seed-phrase-stealing malware; when sentiment is this depressed, investors chasing recovery or yield are measurably more susceptible to whatever a trojanized app is promising — a dynamic threat actors understand and calibrate for.

The wider picture isn’t quieter. SlowMist recently flagged MacSync Stealer, a strain that hijacks Telegram sessions and drains crypto wallets on macOS; Kaspersky separately identified SparkKitty spyware sitting in both Google Play and the App Store, also linked to wallet targeting. Mobile and desktop attack surfaces are both live. The throughline across every one of these campaigns is social engineering — attackers are not cracking cryptography, they are persuading users to hand over the keys themselves.

One caveat worth naming. Kaspersky has a commercial interest in publicizing threats — it sells the endpoint protection products that detect them — and press releases describing sophisticated malware frameworks serve a dual purpose: public warning and product advertisement, simultaneously. That doesn’t undercut the technical findings, but it’s context. The CoinTelegraph coverage of the disclosure largely tracks Kaspersky’s framing without independent verification of the framework’s actual prevalence or victim count.

For investors, the practical guidance is narrow and not particularly glamorous. Verify the provenance of any application pulled from GitHub — especially anything promising wallet management, trading tools, or web3 integrations. Store seed phrases offline, entirely out of reach of any browser or application a piece of malware could touch. Treat any unsolicited recommendation to download a tool, however credible the source appears, as a potential social-engineering vector until it’s proven otherwise. Kaspersky has not disclosed when it expects to publish a follow-up technical report on the framework, but given the trajectory from Tusk through GitVenom to OkoSpyware, additional variants aimed at the same demographic are the likelier outcome than any quiet retirement of the campaign.

Nadia Rahman

Nadia Rahman

Markets Editor · 9 years covering crypto · Author page

Nadia Rahman is CoinScoop's Markets Editor. She covers Bitcoin, macro liquidity and the spot-ETF complex, and previously reported on rates and FX for a global newswire.

Disclosure: This article is independent journalism and is for information only — it is not financial advice. CoinScoop is reader-supported and may earn a commission from some links. Read our disclosure policy →