Crypto news

20.06.2026
06:05

Cyberwar for Crypto Assets: USB Worms, Fake Reputation, and a New Android Trojan — Weekly Threat Digest

security_new1

The week was rich in cybersecurity events. Attackers continue to refine their schemes, combining technical vulnerabilities with social engineering methods. Let's look at the key threats that require close attention from anyone working with digital assets.

Fake Reputation as a Tool for Spreading Crypto Clippers

A large-scale campaign to deploy malware aimed at stealing cryptocurrencies uses a new tactic — manipulating ratings on popular platforms. The attacker created a complex infrastructure of fake accounts on GitHub, YouTube, and VirusTotal to artificially boost trust in their software. The ultimate goal is to install a Rust-based crypto clipper that, disguised as trading tools for Solana or Pump.fun, monitors the clipboard and replaces wallet addresses. On SourceForge, the download count was artificially inflated to 44,000 using a farm of Android devices, and a YouTube channel with 91,000 subscribers advertises this software using AI-generated voices. This scheme demonstrates a dangerous shift in tactics: hackers are now actively using crowdsourcing mechanisms and legitimate marketing tools to distribute malware.

USB Worm with Self-Propagation and Covert Monitoring Capabilities

Microsoft specialists have identified a campaign distributing a self-replicating worm targeting cryptocurrency holders. Infection begins when a modified shortcut file (.LNK) on a USB drive is opened. The malware hides user documents and replaces them with its own shortcuts, activating each time a file is opened. For self-propagation, the worm creates a scheduled task that copies it to any new USB drive. In its active phase, the stealer monitors the clipboard every half-second for BIP39 seed phrases and wallet addresses for Bitcoin, Ethereum, Tron, and Monero, replacing them with the attacker's details. Notably, it uses built-in Tor to communicate with the command server and takes five screenshots every ten seconds. The worm's activity has been recorded since February, and it is difficult to detect due to the behavioral nature of its infection indicators.

South Korean Operation Against Crypto Laundering and a New Android Trojan

South Korean law enforcement arrested 23 suspects in a case involving the laundering of 11.1 million USDT for a Cambodian phishing syndicate. The network used approximately 11,300 accounts to move stolen funds. The group's organizer has been placed on an international wanted list. Meanwhile, Zimperium researchers discovered the Android trojan Rokarolla, which boasts an arsenal of 137 remote commands. It disguises itself as a system component of Google Play Protect, steals PIN codes, intercepts SMS messages, replaces clipboard content, and can even block incoming calls from bank anti-fraud systems. This trojan poses a serious threat as it can fully take over device control.

Apple Fixes Dangerous Vulnerability in Beats Studio Buds

Apple has released a firmware update for its Beats Studio Buds wireless headphones, fixing vulnerability CVE-2025-20701. This flaw, related to incorrect authorization in the Bluetooth audio SDK, allowed an attacker within Bluetooth range to remotely connect to the headphones without the user's knowledge. This granted access to the built-in microphone for eavesdropping, as well as the ability to read and overwrite device memory. The vulnerability, reported back in January, has now been fixed in firmware version 1B211.

Analyst's Opinion. This week clearly demonstrates that attackers are moving from simple phishing attacks to complex, multi-stage schemes where technical vulnerabilities are combined with trust manipulation through social networks and ratings. The spread of USB worms and Android trojans with self-propagation and full device control capabilities is particularly alarming. For protection, users need to be extremely vigilant when using external drives, installing apps from untrusted sources, and granting permissions, especially access to "Accessibility" features on Android.