Cyber threats of the week: USB worm hunts for crypto wallets, Apple patches a hole in Beats Studio Buds, and a new Android trojan

Another week brought a whole bouquet of alarming signals from the world of cybersecurity. From sophisticated social engineering schemes to hardware vulnerabilities, attackers are not sleeping, and we are analyzing their tactics.
Fake Reputation on GitHub and YouTube: How Crypto Clippers Are Promoted
A massive malware distribution campaign uses methods worthy of legitimate marketing. Attackers create entire "Ghost Networks" to inflate reputation on GitHub, SourceForge, and YouTube. Their goal is to deploy a Rust-based clipper that monitors the clipboard and swaps cryptocurrency wallet addresses on Windows and macOS. On SourceForge, the download counter was artificially inflated to 44,000 using a farm of Android devices, while on YouTube, a channel with 91,000 subscribers advertises "trading tools." This tactic of manipulating crowdsourcing platforms is a dangerous precedent that could be used in the future to distribute ransomware.
USB Worm with Self-Propagation Capability
Microsoft experts have revealed details of a campaign where malware spreads via USB drives. Infection begins with opening a modified .LNK file. The worm scans the system, hides original documents, and replaces them with malicious shortcuts. To self-copy to new USB drives, a scheduled task is created. In the active phase, the stealer monitors the clipboard every half-second for BIP39 seed phrases and wallet addresses for Bitcoin, Ethereum, Tron, and Monero. When an address is detected, it is swapped with the attacker's details, with the algorithm selecting wallets that visually match the initial characters. Every ten seconds, five screenshots are taken. Key indicators of infection are suspicious activity from wscript.exe and cscript.exe, as well as unauthorized connections to localhost:9050 (Tor port).
South Korea Dismantles Cryptocurrency Laundering Network
South Korean law enforcement arrested 23 suspects linked to a Cambodian phishing organization. Between February 2024 and April 2025, the group moved approximately 11.1 million USDT through a network of 11,300 accounts. These transit accounts were linked to stolen funds totaling $17 million obtained from 265 incidents. Criminal proceeds worth $430,000 were seized. The group's organizer remains at large, but an Interpol "Red Notice" has been issued.
New Android Trojan Rokarolla: 137 Commands for Theft
Zimperium researchers discovered the Rokarolla trojan, targeting cryptocurrency theft. Its arsenal includes 137 remote commands. The malware masquerades as a system component of Google Play Protect, forcing the user to grant access to "Accessibility Services." After that, it disables the real Play Protect scanner and creates fake HTML login pages for crypto wallets. A separate overlay mimics the Android lock screen to steal the PIN. An integrated clipper swaps wallet addresses in the clipboard. To bypass 2FA, the trojan intercepts SMS and can block incoming calls from bank anti-fraud systems.
Crypto Scammers Hire Couriers to Collect Cash
The FBI reports a new tactic in "pig butchering" schemes. When banking systems block suspicious transactions, scammers convince the victim to withdraw cash and send a courier to collect it. A pre-agreed password or serial number on a banknote is used for identification. In 2025, cryptocurrency and investment fraud accounted for 49% of all cyber incidents in the US, with losses of $8.6 billion.
Apple Fixes Dangerous Vulnerability in Beats Studio Buds
Apple released a firmware update for Beats Studio Buds, fixing vulnerability CVE-2025-20701. The flaw, discovered by SentinelOne, allowed a hacker within Bluetooth range to secretly connect to the headphones and use the built-in microphone for espionage. The issue is related to incorrect authorization in the Bluetooth audio SDK. The exploit also allowed reading and overwriting the headphones' memory and intercepting trust relationships with previously paired smartphones, opening a vector for multi-stage attacks. The vulnerability is fixed in firmware version 1B211.
Expert Opinion: This week clearly demonstrates that cyber threats are becoming increasingly complex and interdisciplinary. Attackers are no longer just writing malicious code—they are building entire ecosystems for its promotion and concealment. From fake reputations on GitHub to physical couriers for collecting cash, attacks are evolving. Investors and users should double their vigilance: do not blindly trust GitHub stars, do not connect suspicious USB drives, and carefully check the permissions you grant to mobile applications.