Crypto news

20.06.2026
04:30

Cyber Threats of the Week: USB Worm for Stealing Cryptocurrencies, Rokarolla Trojan, and Vulnerability in Beats Studio Buds

security_new1

This week, the cyber threat landscape has been enriched with a number of dangerous discoveries targeting the crypto community. From self-propagating worms to sophisticated Android trojans, attackers continue to refine their methods, exploiting both technical vulnerabilities and social engineering techniques.

USB Worm: A Hidden Threat on Your Flash Drive

Microsoft analysts have identified a campaign distributing a self-replicating malware targeting cryptocurrency holders. The infection mechanism is activated when a modified shortcut file (.LNK) is opened on a USB drive. After that, the worm establishes a connection with a command server located in the .onion domain zone and begins scanning the local system.

Upon detecting user documents, the malware hides the originals and replaces them with malicious shortcuts bearing identical names. Thus, the program is activated every time the victim tries to open their work files. For self-propagation, the worm creates a scheduled task that copies it to any new USB disk connected to the computer.

Cryptocurrency theft occurs through clipboard hijacking. The malware monitors copied data for 12- and 24-word BIP39 seed phrases, as well as wallet addresses for Bitcoin, Ethereum, Tron, and Monero. When a target address is detected, it instantly replaces it with the attacker's details. To deceive the victim, the algorithm selects wallets whose initial characters visually match the originals.

The main indicator of infection is anomalous background activity of wscript.exe and cscript.exe processes, as well as unauthorized connections to localhost:9050 (the standard Tor port).

Rokarolla: A New Android Trojan with Full Control

Zimperium researchers have discovered the Rokarolla trojan, whose arsenal includes 137 remote commands. The malware spreads through fake websites masquerading as installers for TikTok and Google Chrome. After downloading, it mimics the Google Play Protect system component and, using social engineering, forces the victim to grant access to "Accessibility Services."

Once permission is obtained, the trojan disables the real Play Protect scanner and deploys its full functionality. It intercepts PIN codes, reads SMS messages, and manipulates the clipboard to steal cryptocurrencies. A separate overlay mimics the standard Android lock screen, allowing the theft of a password or pattern key. To bypass two-factor authentication, Rokarolla intercepts one-time banking codes and can block incoming calls from anti-fraud systems.

Apple Closes Dangerous Vulnerability in Beats Studio Buds

Apple has released a firmware update for its Beats Studio Buds wireless headphones, fixing the vulnerability CVE-2025-20701. The issue, discovered by SentinelOne experts, allowed attackers within Bluetooth range to remotely connect to the device and use its built-in microphone for espionage.

The flaw is related to incorrect authorization in the Bluetooth audio SDK from chip developer Airoha. The exploit can be activated via standard Bluetooth or the BLE protocol without any authentication. In addition to eavesdropping, the attack provided nearly complete control over the device, including the ability to read and overwrite memory, as well as intercept trust relationships with previously paired smartphones.

Expert Opinion: This week once again demonstrates that cybercriminals are actively adapting to new realities. USB worms, which once seemed like relics of the past, are becoming relevant again due to their ability to bypass cloud security systems. Of particular concern is the use of sophisticated social engineering methods by attackers, such as fake reputations on GitHub and YouTube. Cryptocurrency owners should exercise maximum caution: do not connect unfamiliar USB drives, carefully check permissions for apps on Android, and promptly update firmware on all devices, including headphones.