Cyber threats of the week: USB worm for stealing cryptocurrencies, dangerous vulnerability in Beats Studio Buds, and a new tactic of "pig butchers"

This week, the cyber threat landscape for digital asset holders has been marked by several dangerous incidents. From a self-propagating worm hiding in USB drives to sophisticated social engineering schemes, attackers continue to refine their methods. Let's break down the key events.
USB Worm with "Worm" Functionality: A New Attack Vector for Crypto Wallets
Particularly noteworthy is a campaign uncovered by Microsoft experts. This involves malware that spreads via USB drives, masquerading as ordinary files. Upon infecting a system, the worm scans the user's documents, hides them, and replaces them with malicious shortcuts (.LNK). When a user attempts to open a file, a program is activated that monitors the clipboard. As soon as the victim copies a cryptocurrency wallet address, the malware instantly replaces it with the attacker's address.
The unique feature of this worm is its ability to self-propagate. It creates a task in the Windows Task Scheduler that monitors the connection of new USB drives and copies itself onto them. It uses the Tor network to communicate with its command-and-control server, making detection particularly difficult. In addition to stealing addresses, the malware takes screenshots every ten seconds. The most obvious signs of infection are suspicious activity from wscript.exe and cscript.exe processes, as well as unexpected connections to localhost:9050.
Apple Patches Dangerous Vulnerability in Beats Studio Buds
Apple has released a firmware update for its Beats Studio Buds headphones, fixing a critical vulnerability CVE-2025-20701. The issue, discovered by SentinelOne specialists, allowed an attacker within Bluetooth range to connect to the headphones without the owner's knowledge. Once access was gained, the hacker could activate the built-in microphone to eavesdrop on conversations, as well as read and overwrite the device's memory.
The vulnerability affects devices that have not yet been paired and are in discovery mode. The exploit requires no authentication and can be executed via standard Bluetooth or BLE. Firmware update version 1B211 completely eliminates this threat. This serves as a reminder that even peripheral devices can become entry points for serious attacks.
New "Pig Butchering" Tactic: Couriers to Bypass Bank Blocks
The FBI has warned about a new tactic used by organizers of cryptocurrency "pig butchering" schemes. After gaining the victim's trust, scammers convince them to withdraw a large sum of cash under the pretext of a "frozen" account or the need to pay taxes. A courier then arrives at the victim's location to collect the money. A pre-agreed password or a serial number from a banknote is used for identification.
This step allows attackers to bypass bank security systems that block suspicious transfers. After receiving the cash, they simulate a balance top-up on a fake platform and demand further payments. According to FBI data for 2025, cryptocurrency and investment scams accounted for 49% of all cybercrimes in the US, with losses amounting to $8.6 billion. This statistic underscores that the human factor remains the weakest link in security.
Expert Opinion: The increasing complexity of attacks, from USB worms to the use of couriers, demonstrates that the crypto industry has entered an era of professionalized cybercrime. Simple precautions, such as checking wallet addresses before sending and refusing to install unverified software, are no longer sufficient. Users need to implement multi-factor authentication, use hardware wallets, and critically evaluate any offers received via messengers or social networks.