Weekly Crypto Threats: Self-propagating USB worm, Android trojan Rokarolla, and a vulnerability in Beats Studio Buds

This week, the cyber threat landscape for the crypto community has been expanded by several dangerous attack vectors. From the notorious USB worm that acts like a real biological virus to a sophisticated Android trojan capable of completely paralyzing smartphone defenses. Let's break down the key incidents.
USB Worm: A New Era of Self-Propagating Stealers
A campaign uncovered by Microsoft experts deserves special attention. It involves malware that spreads via USB drives using hidden Windows shortcuts. The infection mechanism is frighteningly elegant: the victim opens a modified .LNK file on a flash drive, after which the worm contacts a command server in the .onion domain zone and downloads the main payload.
The malware doesn't just steal data—it disguises itself as user documents, hiding originals and replacing them with its own copies. Every time the victim tries to open a work file, the virus reactivates. To spread, the worm creates a task in the Windows Task Scheduler that monitors the connection of new USB drives and instantly copies itself onto them.
Its primary target is crypto wallets. The malware monitors the clipboard every half second, searching for BIP39 seed phrases (12 and 24 words) and wallet addresses for Bitcoin, Ethereum, Tron, and Monero. Upon detection, it replaces the address with the attacker's details. Moreover, the algorithm selects wallets whose initial characters visually match the original, so the victim doesn't notice the substitution. Additionally, every ten seconds, the virus takes five screenshots and sends them to the hackers.
The worm's activity has been recorded at least since February. Key infection indicators include suspicious activity from wscript.exe and cscript.exe processes, unexpected launches of Curl, PowerShell, and cmd.exe, as well as connections to localhost:9050 (Tor's default port).
Android Trojan Rokarolla: Full Device Takeover
Zimperium researchers have discovered a new Android trojan, Rokarolla, which is a veritable Swiss Army knife for stealing cryptocurrencies. Its arsenal includes 137 remote commands, allowing it to intercept PIN codes, read and send SMS, manipulate the clipboard, and disable built-in OS protection mechanisms.
The malware disguises itself as installers for popular apps like TikTok and Google Chrome. In the first stage, it mimics the Google Play Protect system component and uses social engineering to force the user to grant access to "Accessibility Services." This step triggers a chain reaction: the trojan disables the real Play Protect, downloads fake HTML authorization pages for crypto wallets, and intercepts all entered data.
Particularly dangerous is the feature that mimics the Android lock screen. This allows the trojan to steal the PIN or pattern lock, giving operators full control over the device even when locked. To bypass 2FA, the malware reads all SMS and can independently send messages, intercepting one-time bank codes. Furthermore, by blocking incoming calls, it prevents bank anti-fraud systems from alerting the victim.
Crypto Clippers and Fake Reputation
A separate mention goes to the campaign distributing crypto clippers through reputation manipulation on GitHub, YouTube, and SourceForge. Attackers have created an entire "reputation economy," using fake accounts to inflate likes, comments, and downloads. On SourceForge, the download counter was artificially boosted to 44,000 using a farm of Android devices. This trend is extremely dangerous: a successfully tested cross-platform inflation scheme could be used for mass distribution of ransomware and more complex info-stealers.
Vulnerability in Beats Studio Buds: Eavesdropping via Bluetooth
Apple has released a firmware update for Beats Studio Buds, fixing the vulnerability CVE-2025-20701. The flaw, discovered by SentinelOne experts, allowed attackers within Bluetooth range to connect to the headphones without the user's knowledge and use the built-in microphone for spying. The problem stemmed from incorrect authorization in the Bluetooth audio SDK from Airoha. In addition to eavesdropping, the attack provided almost complete control over the device, including the ability to intercept trust relationships with previously paired smartphones.
My analysis: This week demonstrates a clear trend toward more complex and multi-vector attacks. The USB worm and Android trojan are not just stealers but full-fledged remote management platforms capable of adapting to the victim's behavior. I recommend all cryptocurrency users immediately update their headphone firmware, disable autorun from USB drives, and critically review granted permissions for mobile apps, especially access to "Accessibility Services."