Cryptothreats of the Week: Invisible USB Worm, Android Trojan with 137 Commands, and Vulnerability in Apple Headphones

In recent days, a series of serious cyberattacks targeting digital asset owners have been recorded. From self-propagating USB worms to sophisticated Android trojans, the arsenal of attackers is becoming increasingly sophisticated. Let's break down the key threats.
USB Worm: Theft via Hidden Shortcuts
Microsoft experts have identified a campaign using a self-replicating malware focused on stealing cryptocurrencies. The infection process is triggered when a victim opens a modified .LNK file on a USB drive. After that, the worm covertly installs additional modules from a server in the .onion domain zone.
The malware disguises itself as user files: it scans the system, hides the original documents, and replaces them with malicious shortcuts. Each time a user tries to open their file, the software activates again. To spread, the worm creates a task that monitors the connection of new USB drives and instantly copies itself onto them.
In the active phase, the stealer monitors the clipboard every half second, looking for BIP39 seed phrases and wallet addresses for Bitcoin, Ethereum, Tron, and Monero. Upon detection, it replaces the address with the attacker's details, with the algorithm selecting wallets with visually similar initial characters so the victim does not notice the substitution. Additionally, every ten seconds, five screenshots are taken and sent to the hackers.
The worm's activity has been recorded since February. The main indicators of infection are behavioral: suspicious activity from wscript.exe and cscript.exe, unexpected launches of Curl and PowerShell, and connections to localhost:9050 (Tor port).
Android Trojan Rokarolla: Full Device Control
Zimperium researchers have discovered a new Android trojan, Rokarolla, whose arsenal includes 137 remote commands. The malware spreads through fake websites masquerading as installers for TikTok and Google Chrome.
In the first stage, the victim downloads a program that mimics the system component Google Play Protect. Using social engineering, the trojan forces the user to grant access to "Accessibility Services," after which it disables the real Play Protect scanner and deploys the main payload.
Rokarolla downloads fake HTML login pages for each active crypto wallet. When the victim opens a legitimate app, the trojan overlays it with a fake window and intercepts all entered data. A separate overlay mimics the Android lock screen, allowing theft of the PIN or pattern key. An integrated clipper replaces wallet addresses in the clipboard, and to bypass 2FA, the trojan reads and sends SMS, and can also block incoming calls from bank anti-fraud systems.
Vulnerability in Beats Studio Buds: Eavesdropping via Bluetooth
Apple has released a firmware update for Beats Studio Buds, closing a dangerous vulnerability, CVE-2025-20701. The issue, discovered by SentinelOne back in January, allowed attackers within Bluetooth range to remotely connect to the headphones and use the built-in microphone for spying.
The vulnerability is related to incorrect authorization in the Bluetooth audio SDK from Airoha. The exploit allows not only eavesdropping on conversations but also reading and overwriting the headphones' RAM and flash memory, as well as intercepting trust relationships with previously paired smartphones. The firmware update version 1B211 completely eliminates the threat.
Expert Opinion: This week clearly demonstrates that cybercriminals are actively exploring both new attack vectors (USB worms with Tor infrastructure) and refining old ones (Android trojans with 137 commands). The vulnerability in consumer electronics is particularly alarming — it's a reminder that security must be comprehensive, covering not only software but also hardware. Investors should reconsider their habits: do not connect unknown USB drives, carefully check app permissions, and promptly update firmware on all devices.