Crypto news

20.06.2026
07:51

Cyber threats of the week: USB worm for stealing cryptocurrencies, Beats Studio Buds vulnerability, and a new scam tactic


This week, the cyber threat landscape for the crypto community has been expanded with several dangerous attack vectors. From self-propagating USB worms to sophisticated Android trojans, attackers continue to refine their methods. Let's break down the key events.

USB Worm: A New Level of Persistence

One of the most alarming findings is a USB worm that uses hidden Windows shortcuts to steal cryptocurrencies. Infection begins when the user opens a modified .LNK file on a flash drive. The malware then establishes a connection to a command server on the Tor network and scans the system for user documents. The original files are hidden, and malicious shortcuts with the same names appear in their place; as a result, the worm is re-launched every time the user tries to open a work file.

The self-propagation mechanism poses a particular danger: the worm creates a scheduled task that monitors the connection of new USB drives and instantly copies itself onto them. The stealer enters its active phase only when the "Task Manager" is not running. It polls the clipboard every half second, intercepting BIP39 seed phrases and wallet addresses for Bitcoin, Ethereum, Tron, and Monero. Address substitution uses visual masking: the replacement wallet is chosen to share the original's leading characters. Additionally, five screenshots are taken every ten seconds. The worm's activity has been recorded since February, and the key indicators of infection are behavioral: unexpected launches of wscript.exe, cscript.exe, and Curl, and connections to localhost:9050.
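The behavioral indicators above (script-host and Curl launches, the Tor SOCKS port on localhost, hidden originals shadowed by same-named .lnk files, and prefix-matched address swaps) lend themselves to simple triage checks. The following is an added defender-side example, not code from the article or from any vendor; the log format, the folder listing, the addresses and the "non-system drive" heuristic are all constructed for illustration.

```python
"""Triage helpers for the USB-worm indicators described in the article.

Added example (not from the original page). All inputs are constructed
sample data in a hypothetical key=value log format, so it runs offline.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Process names and the Tor SOCKS endpoint the article names as indicators.
SUSPECT_PROCESSES = {"wscript.exe", "cscript.exe", "curl.exe"}
TOR_LOCAL_ENDPOINT = ("127.0.0.1", 9050)

# Constructed sample events (hypothetical schema, not a real EDR format).
SAMPLE_EVENTS = [
    r'type=process image="C:\Windows\System32\wscript.exe" cmdline="wscript.exe //B E:\.cache\run.vbs" parent=explorer.exe',
    r'type=process image="C:\Program Files\Git\bin\git.exe" cmdline="git pull" parent=code.exe',
    r'type=network image="C:\Windows\System32\curl.exe" dst=127.0.0.1 dport=9050',
    r'type=network image="C:\Program Files\Mozilla Firefox\firefox.exe" dst=93.184.216.34 dport=443',
    r'type=process image="C:\Windows\System32\cscript.exe" cmdline="cscript.exe E:\Reports.lnk" parent=explorer.exe',
]

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def process_basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles / and \\ separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_event(event: Dict[str, str]) -> List[str]:
    """Return the indicator names an event matches; empty list means benign."""
    reasons: List[str] = []
    image = process_basename(event.get("image", ""))
    if image in SUSPECT_PROCESSES:
        reasons.append(f"suspect-process:{image}")
    # Heuristic (our assumption, not from the article): a script host running a
    # script from a drive letter other than C: is typical of removable media.
    cmdline = event.get("cmdline", "")
    if image in {"wscript.exe", "cscript.exe"} and re.search(r"\b[D-Z]:\\", cmdline, re.I):
        reasons.append("script-from-non-system-drive")
    if event.get("type") == "network":
        dst = (event.get("dst"), int(event.get("dport", 0) or 0))
        if dst == TOR_LOCAL_ENDPOINT:
            reasons.append("tor-socks-localhost-9050")
    return reasons


def triage(lines: Iterable[str]) -> List[Tuple[str, List[str]]]:
    """Return (line, reasons) for every event that matches at least one indicator."""
    hits = []
    for line in lines:
        reasons = flag_event(parse_event(line))
        if reasons:
            hits.append((line, reasons))
    return hits


# Constructed folder listing: (file name, hidden attribute set?).
SAMPLE_LISTING = [
    ("Q2-Report.docx", True),
    ("Q2-Report.docx.lnk", False),
    ("Budget.xlsx", True),
    ("Budget.xlsx.lnk", False),
    ("Notes.txt", False),
    ("Installer.lnk", False),  # ordinary shortcut with no hidden twin
]


def find_shadowed_documents(listing: Iterable[Tuple[str, bool]]) -> List[str]:
    """Flag documents whose original is hidden while a visible '<name>.lnk' sits
    beside it. Explorer hides the .lnk suffix, so the shortcut displays under the
    document's own name, which is the swap the article describes."""
    entries = list(listing)
    hidden = {name.lower() for name, is_hidden in entries if is_hidden}
    shadowed = []
    for name, is_hidden in entries:
        lower = name.lower()
        if not is_hidden and lower.endswith(".lnk") and lower[:-4] in hidden:
            shadowed.append(name[:-4])
    return shadowed


def looks_like_address_swap(copied: str, pasted: str, shared_prefix: int = 4) -> bool:
    """True when the pasted address differs from the copied one but shares its
    first `shared_prefix` characters: the visual-masking pattern the article notes."""
    return copied != pasted and copied[:shared_prefix] == pasted[:shared_prefix]


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_EVENTS):
        print(", ".join(reasons), "<-", line)
    print("shadowed documents:", find_shadowed_documents(SAMPLE_LISTING))
    # Constructed addresses, not real wallets.
    print("swap suspected:", looks_like_address_swap("bc1qconstructedoriginal0000",
                                                      "bc1qconstructedattacker1111"))
```

The three checks are deliberately independent: the log triage works on whatever process and network telemetry a host already emits, the listing scan can be run against a mounted removable drive before any file on it is opened, and the address comparison is the kind of check a wallet front-end or a user can apply before confirming a transaction.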

Rokarolla: Android Trojan with Full Control

Researchers have discovered a new Android trojan, Rokarolla, targeting cryptocurrency theft. Its arsenal includes 137 remote commands. The malware disguises itself as TikTok or Google Chrome installers and initially mimics the Google Play Protect system component. Through social engineering, it tricks the user into granting access to "Accessibility Services," after which it disables the real Play Protect scanner and deploys its full functionality.

Rokarolla downloads fake HTML login pages for each crypto wallet in its target list. When the victim opens a legitimate app, the trojan overlays it with a fake window and intercepts the entered data. A separate overlay mimics the Android lock screen, allowing it to steal the PIN or pattern lock. A built-in clipper monitors the clipboard and substitutes wallet addresses. To bypass 2FA, the trojan reads and sends SMS messages and can also block incoming calls from bank anti-fraud systems. The main defense is to be extremely cautious about requests for access to "Accessibility Services."

Beats Studio Buds Vulnerability: Espionage via Bluetooth

Apple has released a firmware update for Beats Studio Buds, fixing the high-severity vulnerability CVE-2025-20701. The flaw, related to incorrect authorization in the Bluetooth audio SDK from Airoha, allowed attackers within Bluetooth range to remotely connect to the headphones without the user's knowledge — provided the headset was not paired and was in discovery mode. The exploit is activated via standard Bluetooth or BLE without authentication. In addition to eavesdropping through the built-in microphone, the attack grants nearly full control over the device: reading and overwriting memory, as well as intercepting trust relationships with previously paired smartphones. Updating to version 1B211 is mandatory for all users.

Other Events of the Week

Among other significant incidents: the dismantling in South Korea of a network that laundered 11.1 million USDT for a Cambodian syndicate (23 people arrested), and a new scam tactic reported by the FBI in which fraudsters hire couriers to collect cash from victims whose transactions are blocked by banks. Recall that according to FBI data for 2025, cryptocurrency and investment scams account for 49% of all cybercrimes in the US, with losses amounting to $8.6 billion.

My Comment: The trend of using USB worms and sophisticated Android trojans with self-propagation and 2FA bypass functions indicates the professionalization of crypto cybercrime. Special attention should be paid to behavioral indicators — traditional signature-based detection methods are no longer effective here. Users need to strengthen basic security measures: disabling autorun from USB, using hardware wallets, and regularly updating firmware for all Bluetooth devices.