Crypto news

20.06.2026
10:20

Cyber Threats of the Week: USB Worms, Android Trojans, and Vulnerabilities in Apple Headphones — Full Analysis

security_new1

Over the past week, the world of cybersecurity has been shaken by a series of attacks targeting cryptocurrency users. From self-spreading USB worms to sophisticated Android trojans, attackers are relentless in their attempts to access digital assets. Let's break down the key events.

USB Worm: A New Level of Threat for Cryptocurrency Owners

Microsoft experts have recorded a campaign spreading a unique USB worm aimed at stealing cryptocurrencies. The malware uses hidden Windows shortcuts (.LNK) on USB drives. As soon as a victim opens such a file, the worm activates, scans the system, and replaces user documents with malicious shortcuts bearing the same names. Each time the owner tries to open their file, the malware runs again, ensuring persistence.

A distinctive feature of this threat is its self-propagation. The worm creates a scheduled task that monitors the connection of new USB drives and instantly copies itself onto them. In its active phase, it connects to a command server via Tor and monitors the clipboard every half-second for BIP39 seed phrases and wallet addresses for Bitcoin, Ethereum, Tron, and Monero. Upon detection, the address is instantly replaced with the attacker's details, with an algorithm selecting wallets that have visually similar starting characters. Activity has been recorded since February, and the main indicator of infection is behavioral: suspicious activity from wscript.exe, cscript.exe processes, and connections to localhost:9050.

Android Trojan Rokarolla: Full Device Takeover

Zimperium researchers have discovered a new Android trojan, Rokarolla, which possesses 137 remote commands. It spreads through fake websites masquerading as installers for TikTok or Google Chrome. In the first stage, the victim downloads a program that mimics Google Play Protect. Using social engineering, the trojan forces the user to grant access to "Accessibility Services," after which it disables the real Play Protect scanner and deploys the main payload.

Rokarolla intercepts PIN codes, reads SMS, replaces clipboard content to steal cryptocurrencies, and even blocks incoming calls from bank anti-fraud systems. It can generate fake HTML login pages for crypto wallets and mimic the standard Android lock screen to steal passwords. Experts emphasize: the main defense is not granting "Accessibility Services" permissions to suspicious applications.

South Korea Dismantles Money Laundering Network for Cambodian Syndicate

South Korean law enforcement has arrested 23 suspects in a case involving money laundering for a Cambodian phishing organization. From February 2024 to April 2025, the group moved approximately 11.1 million USDT through 11,300 accounts linked to stolen funds worth $17 million. About $430,000 was seized during raids, but the alleged mastermind remains at large—an Interpol warrant has been issued for him.

Vulnerability in Beats Studio Buds: Eavesdropping via Bluetooth

Apple has released a firmware update for Beats Studio Buds, fixing vulnerability CVE-2025-20701. The flaw, discovered by SentinelOne, allowed hackers within Bluetooth range to connect to the headphones without the user's knowledge if they were not paired. The exploit granted access to the microphone for espionage, as well as the ability to read and overwrite device memory. The vulnerability has been fixed in firmware version 1B211.

Expert Opinion

This week clearly demonstrates the evolution of threats: from simple clippers to complex multi-stage attacks using USB worms and trojans. The crypto community must pay special attention to behavioral indicators—not just antivirus protection, but also monitoring background system activity. Otherwise, even experienced users risk losing assets due to what might seem like a harmless USB drive.