Cyber threats of the week: USB worm hunts for crypto wallets, Apple patches a hole in Beats, and a new Android trojan steals seed phrases

This week, the cyber threat landscape has been enriched with several sophisticated attacks targeting the crypto community. From self-propagating USB worms to complex phishing schemes on GitHub, attackers are relentless in their attempts to access digital assets. Let's break down the key incidents.
Cryptoclipper Disguised with Fake Reputation
Scammers have launched a large-scale campaign promoting a malicious clipper written in Rust. This trojan targets Windows and macOS, swapping wallet addresses in the clipboard. The scheme's uniqueness lies in creating a "reputation economy": attackers use networks of fake accounts on VirusTotal, GitHub, and YouTube to artificially inflate ratings and leave positive reviews. On SourceForge, the download counter was boosted to 44,000 using a farm of Android devices. On YouTube, a channel with 91,000 subscribers advertises the malware disguised as trading tools for Solana and Pump.fun. This is a dangerous precedent: such tactics could be used for the mass distribution of ransomware.
USB Worm with Stealer and Self-Propagation Capabilities
Experts have identified activity from a USB worm that uses hidden Windows shortcuts to steal cryptocurrencies. Infection begins when a modified .LNK file on a flash drive is opened. The malware scans the system, hides user documents, and replaces them with malicious shortcuts. For self-propagation, the worm creates a task that copies it to any new USB device. In its active phase, it connects to a command server via Tor and monitors the clipboard every half second for BIP39 seed phrases and addresses for Bitcoin, Ethereum, Tron, and Monero. Upon detection, it instantly swaps them with the attacker's address, with the algorithm selecting wallets that visually match the first characters. Indicators of infection include anomalous activity from wscript.exe and cscript.exe, as well as connections to localhost:9050.
South Korean Police Dismantle USDT Laundering Network
In South Korea, 23 suspects have been detained for involvement in laundering funds for a Cambodian phishing group. From February 2024 to April 2025, approximately 11.1 million USDT were moved through a network of 11,300 accounts. These accounts were linked to stolen funds totaling $17 million, obtained from 265 incidents. Around $430,000 was seized during raids. The group's organizer has been placed on Interpol's international wanted list.
Rokarolla: New Android Trojan with Full Device Takeover
Researchers have discovered the Rokarolla trojan, which spreads through fake websites masquerading as installers for TikTok and Chrome. After gaining access to "Accessibility Services," the malware disables Google Play Protect and deploys an arsenal of 137 commands. It intercepts PIN codes, reads SMS, swaps clipboard data to steal cryptocurrencies, and even mimics the Android lock screen. To bypass 2FA, the trojan can autonomously send messages, intercepting banking codes, and block incoming calls from anti-fraud systems.
Apple Patches Vulnerability in Beats Studio Buds
Apple has released a firmware update for Beats Studio Buds, fixing the critical vulnerability CVE-2025-20701. The flaw in the Bluetooth stack allowed hackers within range to connect to the headphones without authentication, activate the microphone for eavesdropping, and even intercept trust relationships with previously paired iPhones. The vulnerability was discovered in January and is now patched in firmware version 1B211.
Analyst's Opinion: This week clearly demonstrates the evolution of threats: from simple phishing links to complex multi-layered attacks using social engineering, fake reputations, and physical access via USB. The crypto community must exercise maximum vigilance, especially when installing untrusted software and connecting external drives.