Crypto news

20.06.2026
10:50

Cyber threats of the week: USB worm targets crypto wallets, Android trojan Rokarolla, and a vulnerability in Beats Studio Buds

security_new1

Over the past week, the world of cybersecurity has faced a series of serious incidents directly threatening users' digital assets. From self-spreading USB worms to sophisticated Android trojans, attackers continue to refine their tools. Let's break down the key events.

USB Worm with Total Control

One of the most dangerous attack vectors recently is a USB worm that uses hidden Windows shortcuts to steal cryptocurrencies. The infection process is triggered when a modified .LNK file on a flash drive is opened. The malware then scans the system, hides the user's original documents, and replaces them with its own shortcuts. Thus, every access to a working file activates the virus.

Of particular note is the self-propagation mechanism: the worm creates a background task that monitors the connection of new USB drives and instantly copies itself onto them. In its active phase, it continuously monitors the clipboard, searching for BIP39 seed phrases and wallet addresses for Bitcoin, Ethereum, Tron, and Monero. Upon detecting a target, the address is replaced with the attacker's details, with the algorithm selecting visually similar initial characters. Additionally, every ten seconds, the malware takes five screenshots of the screen, sending them to hackers via Curl. Activity has been recorded since February, with key indicators being behavioral: suspicious processes wscript.exe and cscript.exe, as well as connections to localhost:9050 (Tor port).

Rokarolla: New Android Trojan with "Full Takeover"

Zimperium researchers have discovered the Rokarolla trojan, whose arsenal includes 137 remote commands. The malware disguises itself as installers for TikTok and Google Chrome, then mimics the Google Play Protect system component. Using social engineering, the dropper forces the user to grant access to "Special Features," after which it disables the real Play Protect scanner and deploys the main payload.

Rokarolla can intercept PIN codes, read and send SMS, and replace the clipboard to steal cryptocurrencies. It creates fake HTML authorization pages for crypto wallets and intercepts entered data. A separate overlay mimics the Android lock screen, allowing theft of passwords or pattern keys. To bypass 2FA, the trojan intercepts one-time codes from SMS and even blocks incoming calls from bank anti-fraud systems.

Apple Patches Dangerous Vulnerability in Beats Studio Buds

Apple has released a firmware update (version 1B211) for its Beats Studio Buds wireless headphones, fixing the critical vulnerability CVE-2025-20701. The flaw, discovered by SentinelOne, allowed a hacker within Bluetooth range to remotely connect to the headphones without user consent—provided the headset was unpaired and in discovery mode.

The exploit gave attackers access to the built-in microphone for eavesdropping, as well as the ability to read and overwrite the device's RAM and flash memory. Moreover, the attack allowed interception of trust relationships with previously paired smartphones, opening the door for multi-stage attacks.

Expert Opinion

This week clearly demonstrates that cybercriminals are moving from simple phishing schemes to complex, multi-stage attacks using social engineering and automated propagation mechanisms. The USB worm and Rokarolla trojan are vivid examples of how attackers combine technical vulnerabilities with manipulation of user behavior. In this regard, I recommend crypto investors strengthen basic security measures: disable autorun on USB drives, carefully review permissions granted to apps on Android, and promptly update firmware for all Bluetooth devices. Ignoring these rules could cost not only privacy but also significant financial losses.