Cyber threats of the week: USB worm hunts for crypto wallets, Apple patches a hole in Beats, and scammers master courier delivery

The world of crypto security continues to deliver surprises, and the current week is no exception. From self-replicating viruses on USB drives to vulnerabilities in Apple headphones, the arsenal of attackers is becoming increasingly sophisticated. Let's break down the key incidents that require the closest attention.
USB Worm: A New Era of Self-Propagation
Particular attention should be paid to a campaign uncovered by Microsoft experts. It involves a self-replicating malware that uses USB drives for propagation and hidden Windows shortcuts for persistence. The scenario is frighteningly simple: the victim opens a modified .LNK file on a flash drive, and the worm instantly installs a payload from a command server located in the .onion zone. The malware doesn't just steal data — it scans the system, hides original documents, and replaces them with its own shortcuts. Every time the user tries to open a working file, the virus activates again. To steal cryptocurrencies, it monitors the clipboard, tracking BIP39 seed phrases and wallet addresses for Bitcoin, Ethereum, Tron, and Monero. Upon detecting a copied address, the malware replaces it with the attacker's address, with the algorithm selecting visually similar first characters to deceive the victim. Every ten seconds, the virus takes screenshots and sends them to hackers. Activity has been recorded since February, and the main indicator of infection is behavioral: suspicious activity from wscript.exe, cscript.exe, and unexpected connections to localhost:9050.
Scammers Hire Couriers: New "Pig Butchering" Tactic
Operators of crypto scams known as "pig butchering" are adapting to banking blocks. As reported by the FBI, they are now hiring couriers to collect cash from victims. The scheme is classic: scammers gain trust through social media, lure victims into fake investments, and then convince them to withdraw cash under the pretext of a "frozen" account. The courier picks up the money using a pre-agreed password. After that, hackers simulate a balance top-up in a virtual wallet and demand new payments for fictitious "taxes." According to FBI data for 2025, cryptocurrency fraud remains the most destructive form of cybercrime in the US: 49% of all incidents with losses amounting to $8.6 billion.
Vulnerability in Beats Studio Buds: Eavesdropping Without Consent
Apple has released a firmware update for Beats Studio Buds, fixing a critical vulnerability CVE-2025-20701. The flaw, discovered by SentinelOne, allowed attackers within Bluetooth range to remotely connect to headphones that had not yet been paired and activate the microphone for espionage. The exploit requires no authentication and provides control over the device's RAM and flash memory, as well as allowing interception of trust relationships with previously paired smartphones. This opens a vector for multi-stage attacks on the user's iPhone.
Analyst's comment: The evolution of threats is obvious: hackers are moving from simple phishing attacks to complex, multi-stage schemes using social engineering and physical presence. The USB worm masquerading as work files and scammers hiring couriers are alarming signals that the security of crypto assets requires not only technical but also behavioral protective measures. Cryptocurrency owners should reconsider their habits: do not insert suspicious USB drives, do not trust strangers on social media, and always update device firmware.