Weekly Crypto Threats: USB Worm Targets Windows, Android Trojan Rokarolla, and Vulnerability in Beats Studio Buds

This week, the cyber threat landscape for the crypto community has been expanded with several dangerous attack vectors. From self-replicating worms to sophisticated Android trojans, attackers continue to refine their toolkit. Let's break down the key events in the field of crypto security.
USB Worm with Stealer Function: A New Threat for Cryptocurrency Owners
Microsoft specialists have revealed details of a campaign distributing self-replicating malware aimed at stealing digital assets. Infection occurs when opening a modified shortcut (.LNK) on a USB drive. Once activated, the worm stealthily downloads payloads from a command server in the .onion domain.
The infection mechanism is extremely insidious: the malware scans the system, hides the user's original documents, and replaces them with shortcuts bearing identical names. Each time the victim tries to open their file, the virus activates again. For self-propagation, the worm creates a scheduled task that monitors the connection of new USB drives and instantly copies itself onto them.
In its active phase, the stealer monitors the clipboard every half second, searching for 12- and 24-word BIP39 seed phrases, as well as wallet addresses for Bitcoin, Ethereum, Tron, and Monero. Upon detection, it replaces them with the attacker's details, with the algorithm selecting wallets that have visually similar starting characters. Additionally, every ten seconds, five screenshots are taken. Indicators of infection include suspicious activity from wscript.exe and cscript.exe processes, as well as unauthorized connections to localhost:9050 (Tor's default port).
Android Trojan Rokarolla: Full Device Control
Zimperium researchers have discovered a new Android trojan, Rokarolla, whose arsenal includes 137 remote commands. The malware spreads through fake websites masquerading as installers for TikTok and Google Chrome. In the first stage, the victim is tricked into granting access to "Accessibility Services," after which the trojan disables Play Protect protection and deploys its full functionality.
Rokarolla uses fake HTML authorization pages to spoof legitimate crypto wallets and also mimics the Android lock screen to steal PIN codes. A built-in clipper replaces addresses in the clipboard, and to bypass 2FA, the trojan intercepts SMS. Moreover, by setting itself as the default app for calls, it can block incoming calls from bank anti-fraud systems.
Vulnerability in Beats Studio Buds: Eavesdropping Without Consent
Apple has released a firmware update for Beats Studio Buds, fixing the high-severity vulnerability CVE-2025-20701. The issue, found in the Bluetooth audio SDK from Airoha, allowed attackers within Bluetooth range to connect to the earbuds without authentication and activate the built-in microphone for spying.
The exploit also made it possible to read and overwrite the device's RAM and flash memory, as well as intercept trust relationships with previously paired smartphones. The vulnerability has been fixed in firmware version 1B211.
Other Events of the Week
- South Korean law enforcement arrested 23 suspects in a case involving the laundering of 11.1 million USDT for a Cambodian phishing organization. The scheme used 11,300 accounts, with the total amount of stolen funds reaching $17 million.
- The FBI warned of a new tactic by crypto scammers: they hire couriers to collect cash from victims whose bank transactions are blocked by security systems. In 2025, losses from such schemes in the US reached $8.6 billion.
- An outdated contract on the Aztec network was exploited for $2 million.
Expert Commentary: This week clearly demonstrates that cybercriminals are moving towards multi-vector attacks, combining social engineering with technically sophisticated methods. The USB worm is particularly alarming—its ability to self-replicate and masquerade as user files makes it extremely dangerous for the corporate sector. I recommend that all cryptocurrency owners immediately update their earbuds' firmware and carefully check the permissions granted to mobile applications.