Weekly Crypto Threats: USB Worm for Stealing Seed Phrases, Android Trojan with Full Device Takeover, and Beats Studio Buds Vulnerability

The world of crypto security continues to demonstrate the evolution of threats: from complex social engineering to hardware breaches. This week, we are witnessing a cascade of attacks targeting digital asset owners, each of which deserves close attention.
USB Worm: A New Level of Self-Propagation
Microsoft specialists have identified a campaign distributing a self-replicating malware that exploits hidden Windows shortcuts. After infecting a system via a USB drive, the worm hides original user files and replaces them with malicious .LNK files. Each time the victim attempts to open a document, the virus is activated, which then copies itself to new flash drives through a scheduled task.
The malware is written in Rust and targets cryptocurrency theft: it monitors the clipboard, replacing wallet addresses for Bitcoin (including Taproot), Ethereum, Tron, and Monero with the attacker's details. Particularly dangerous is the interception of 12- and 24-word BIP39 seed phrases. The worm uses built-in Tor to communicate with the command server and takes screenshots every ten seconds. The main indicator of infection is abnormal activity from wscript.exe and cscript.exe.
Android Trojan Rokarolla: Full Device Takeover
Zimperium researchers have discovered a new Android trojan, Rokarolla, whose arsenal includes 137 remote commands. The malware disguises itself as installers for TikTok and Google Chrome, and in the first stage, it mimics the system component Google Play Protect. After gaining access to "Accessibility Services," it disables the real Play Protect scanner and launches a full-scale attack.
Rokarolla intercepts PIN codes, reads and sends SMS, and uses a built-in clipper to replace cryptocurrency wallet addresses. To bypass 2FA, the trojan intercepts one-time banking codes and blocks incoming calls from anti-fraud systems. Additionally, it can mimic the standard Android lock screen to steal a pattern or password.
Vulnerability in Beats Studio Buds: Eavesdropping via Bluetooth
Apple has released a firmware update for Beats Studio Buds, fixing vulnerability CVE-2025-20701. The flaw, discovered by SentinelOne specialists, allowed hackers within Bluetooth range to connect to the headphones without authentication and use the built-in microphone for spying. The vulnerability provided access to reading and overwriting RAM and flash memory, as well as intercepting trust relationships with previously paired smartphones.
Other Events of the Week
- Cryptoclippers are spreading through fake reputations on GitHub and YouTube, using "ghost networks" to inflate likes and downloads.
- South Korean law enforcement dismantled a network laundering 11.1 million USDT for a Cambodian phishing syndicate, using 11,300 accounts.
- The FBI warns of a new tactic: scammers hire couriers to collect cash from crypto scam victims when banks block transactions.
- An outdated contract on the Aztec network was exploited for $2 million.
Expert Commentary: The current wave of attacks demonstrates that attackers have moved from simple phishing schemes to multi-stage operations using self-propagating worms and trojans with full device takeover. Particularly alarming is the integration of Tor into the USB worm—this makes traditional signature-based detection methods nearly useless. I recommend users update firmware on all Bluetooth devices, disable autorun from USB drives, and carefully review permission requests on Android.