Cyber threats of the week: USB worm attacks crypto wallets, Apple patches a hole in Beats, and a new Android trojan

The past week in cybersecurity has been eventful: from complex multi-stage attacks on crypto investors to critical vulnerabilities in popular gadgets. Let's break down the key events that cannot be ignored.
USB Worm with Self-Propagation Capability: A New Threat for Windows
Microsoft experts detailed a campaign distributing a self-replicating malware aimed at stealing cryptocurrencies. The infection process is triggered when a modified .LNK file on a USB drive is opened. The worm then stealthily connects to a command server via the Tor network and begins scanning the system.
Its key feature is replacing original user documents with malicious shortcuts bearing the same names. Each time the victim tries to open their file, the malware is activated. To spread to new USB drives, a scheduled task is created that instantly copies the virus when a new disk is connected.
In the active phase, the stealer monitors the clipboard every half second, substituting Bitcoin, Ethereum, Tron, and Monero wallet addresses, as well as stealing 12- and 24-word BIP39 seed phrases. The algorithm selects wallets whose initial characters visually match the originals so the victim does not notice the substitution. Additionally, every ten seconds, five screenshots of the screen are taken. The main indicators of infection are anomalous activity of wscript.exe and cscript.exe processes, as well as connections to localhost:9050 (Tor port).
Apple Patches Vulnerability in Beats Studio Buds
Apple has released a firmware update (version 1B211) for Beats Studio Buds wireless headphones, fixing the critical vulnerability CVE-2025-20701. The issue, found in the Bluetooth audio SDK from Airoha, allowed an attacker within Bluetooth range to remotely connect to the headphones without user consent if the headset was in pairing discovery mode.
The exploit gave the hacker access to the built-in microphone for eavesdropping, as well as the ability to read and overwrite the device's RAM and flash memory. Moreover, the attacker could intercept trust relationships with previously paired iPhones, opening the door to more complex multi-stage attacks. I strongly recommend all Beats Studio Buds owners to install the update immediately.
Android Trojan Rokarolla: Full Device Control
Zimperium researchers have discovered a new Android trojan, Rokarolla, whose arsenal includes 137 remote commands. The malware spreads through fake websites masquerading as installers for TikTok or Google Chrome. In the first stage, it mimics the system component Google Play Protect and, through social engineering, forces the user to grant access to "Accessibility Services."
Once permission is obtained, the trojan disables the real Play Protect scanner and loads fake HTML authorization pages for crypto wallets. When the victim opens a legitimate app, Rokarolla overlays it with a fake window and intercepts the entered data. A separate overlay mimics the Android lock screen to steal the PIN code. An integrated clipper substitutes wallet addresses in the clipboard. To bypass 2FA, the trojan reads and sends SMS, and can also block incoming calls from bank anti-fraud systems.
Expert Summary
The trend this week is the increasing complexity of attack vectors. We are seeing not just individual malware, but entire ecosystems: from USB worms with their own command channel via Tor to trojans capable of completely paralyzing smartphone operation. Particularly alarming is the use of hidden shortcuts by USB worms — this is an elegant and dangerous persistence method that is difficult to detect with traditional signature-based methods. I recommend Windows users pay attention to behavioral system anomalies, and Android owners be critical of any requests for access to "Accessibility Services."