Cyber Threats of the Week: USB Worms, Android Trojans, and Fake Reputations in the World of Cryptocurrencies

This week, the cybersecurity landscape in the crypto sphere has been marked by a series of alarming incidents. Attackers are actively refining their methods, employing both social engineering and sophisticated technical solutions. In this overview, I will break down the key events that require close attention from every market participant.
Fake Reputations and Crypto Clippers: A New Era of Social Engineering
A large-scale campaign to distribute malware targeting cryptocurrency theft has been launched using fake reputation systems. The attacker created a complex infrastructure of "ghost networks" on platforms like GitHub, YouTube, and VirusTotal. The main tool is a crypto clipper written in Rust that works on Windows and macOS. It monitors the clipboard and replaces copied wallet addresses with the attacker's details.
To build trust, the hacker uses inflated likes, fake accounts, and even AI-generated voices in tutorial videos. On SourceForge, the download counter was artificially inflated to 44,000 using a farm of Android devices. This approach represents a dangerous shift in tactics that could be used to spread more complex threats, including ransomware.
USB Worm: Self-Replication via Hidden Windows Shortcuts
Microsoft experts have revealed details of a campaign using a self-replicating worm. Infection begins when a modified shortcut file (.LNK) on a USB drive is opened. After that, the malware scans the system, hides original documents, and replaces them with malicious shortcuts bearing the same names. Each time a user tries to open their files, the malware is activated.
The worm uses Tor to communicate with its command server and monitors the clipboard for BIP39 seed phrases and wallet addresses (Bitcoin, Ethereum, Tron, Monero). Upon detection, it replaces them with the attacker's addresses. Every ten seconds, five screenshots of the screen are taken. Activity has been recorded since at least February, and the main indicators of infection are behavioral, not signature-based.
Android Trojan Rokarolla: Full Device Control
Researchers from Zimperium have discovered a new Android trojan, Rokarolla, which possesses 137 remote commands. It spreads through malicious websites disguised as installers for TikTok or Google Chrome. In the first stage, the victim downloads a program that mimics the Google Play Protect system component and, through social engineering, gains access to "Accessibility Services."
After that, the trojan disables the real Play Protect scanner and can intercept PINs, read and send SMS, and replace the clipboard to steal cryptocurrencies. It also creates fake HTML authorization pages for crypto wallets and can mimic the Android lock screen. To bypass 2FA, the trojan intercepts one-time codes from SMS and can block incoming calls from bank anti-fraud systems.
Vulnerability in Beats Studio Buds: Espionage via Headphones
Apple has released a firmware update for Beats Studio Buds, fixing vulnerability CVE-2025-20701. This flaw, discovered by SentinelOne experts, allowed attackers within Bluetooth range to connect to the headphones without the user's knowledge and use the built-in microphone for espionage. The issue was related to incorrect authorization in the Bluetooth audio SDK. The vulnerability granted nearly full control over the device, including reading and overwriting memory, as well as intercepting trust relationships with previously paired smartphones.
My Comment: This week clearly shows that attackers are moving from simple phishing attacks to complex, multi-layered schemes. Particularly alarming is the use of fake reputations and social engineering on platforms we are accustomed to trusting. Cryptocurrency owners should be extremely cautious when installing any software, especially if it promises easy earnings. Regular firmware updates and vigilance when granting permissions are your first line of defense.