Weekly Crypto Threats: Self-Destructing USB Worm, New Android Trojan, and Vulnerability in Beats Studio Buds
An analytical review of key cybersecurity events over the past seven days shows that attackers continue to evolve, using increasingly sophisticated methods to steal digital assets. From self-replicating USB worms to fake GitHub reputations, hackers' arsenals are expanding at an alarming rate.
Self-Replicating USB Worm: A New Threat for Cryptocurrency Owners
Microsoft specialists have identified a malicious campaign targeting cryptocurrency users. The key attack tool is a self-replicating worm that spreads via USB drives. The infection mechanism is activated when a modified shortcut (.LNK) on a removable drive is opened. After that, the worm establishes a connection with a command server in the .onion domain zone and begins to operate covertly.
The malware scans the system for user files, hides the originals, and replaces them with malicious shortcuts. Each time the victim tries to open their document, the virus is reactivated. To spread, the worm creates a task that monitors the connection of new USB drives and instantly copies itself to them. The stealer only enters its active phase when the Task Manager is not running. It monitors the clipboard, intercepting BIP39 seed phrases and wallet addresses for Bitcoin, Ethereum, Tron, and Monero, replacing them with the attackers' details. Additionally, screenshots are taken every ten seconds. This worm's activity has been recorded since February, and the main indicator of infection is suspicious background activity from wscript.exe and cscript.exe processes.
New Android Trojan Rokarolla: Full Device Control
Zimperium researchers have discovered the Rokarolla trojan, equipped with an arsenal of 137 remote commands. The malware disguises itself as installers for popular apps such as TikTok and Google Chrome. After downloading, it mimics the system component Google Play Protect and uses social engineering to force the user to grant access to Accessibility Services. Once permission is obtained, the trojan disables the real Play Protect scanner and deploys the main payload.
Rokarolla downloads fake HTML login pages for crypto wallets and intercepts entered data. A separate overlay mimics the Android lock screen, allowing it to steal the PIN or pattern lock. An integrated clipper replaces wallet addresses in the clipboard. To bypass 2FA, the trojan reads and sends SMS messages, and also blocks incoming calls from bank anti-fraud systems.
Vulnerability in Beats Studio Buds: Espionage via Bluetooth
Apple has released a firmware update for Beats Studio Buds (version 1B211), fixing a critical vulnerability CVE-2025-20701. The issue, discovered by SentinelOne experts, allowed attackers within Bluetooth range to remotely connect to the headphones without the owner's consent, using the built-in microphone for eavesdropping. The attack is possible if the headset is not paired and is in discovery mode. The exploit also allows hackers to read and overwrite the headphones' RAM and flash memory, as well as intercept trust relationships with previously paired smartphones.
Expert opinion: This week demonstrates a worrying trend: attackers are actively combining physical and digital attack vectors, from USB drives to Bluetooth connections. Special attention should be paid to Android trojans, which are becoming increasingly autonomous and multifunctional. I strongly recommend cryptocurrency owners regularly update the firmware of all devices, including peripherals, and be cautious about any requests for extended permissions in mobile applications.