Cybersecurity Threat Week: USB worm targets crypto wallets, Apple patches a hole in Beats, and new money laundering schemes

The past week in cybersecurity was eventful with incidents directly affecting cryptocurrency holders. From evolving trojans to sophisticated social engineering schemes, let's break down the key threats that cannot be ignored.
A new wave of phishing: fake reputation on GitHub and YouTube
Attackers have mastered a truly professional marketing approach. Instead of crude phishing emails, they build entire "ghost networks" to promote malware. The main target is a crypto clipper written in Rust and aimed at Windows and macOS. It silently replaces wallet addresses in the clipboard, redirecting funds to the attackers.
To build trust, hackers create a fake reputation on platforms like VirusTotal, GitHub, and YouTube. Hundreds of bots leave positive reviews and "like" malicious files. On SourceForge, downloads were inflated to 44,000 using a farm of Android devices. For credibility, a YouTube channel with over 91,000 subscribers and AI-generated voices in tutorial videos is used. This is a dangerous trend: manipulation of crowdsourcing platforms makes social engineering nearly undetectable.
USB worm with self-propagation capabilities
Microsoft experts revealed details of a campaign using a self-replicating worm. Infection begins by opening a modified .LNK file on a USB drive. The malware scans the system, hides the user's original documents, and replaces them with malicious shortcuts. Each time the victim tries to open a file, the worm activates again.
Its main goal is cryptocurrency theft. The malware monitors the clipboard every half second, searching for BIP39 seed phrases and wallet addresses for Bitcoin, Ethereum, Tron, and Monero. Upon detection, it replaces the address with its own, with an algorithm selecting wallets with visually similar starting characters. Additionally, screenshots are taken every ten seconds. The most alarming aspect is that the worm's activity has been recorded since February, and it can only be detected through behavioral anomalies, such as unexpected launches of wscript.exe or connections to localhost:9050.
South Korea vs. crypto money launderers
South Korean law enforcement arrested 23 people in a case involving money laundering for a Cambodian phishing group. From February 2024 to April 2025, approximately 11.1 million USDT were moved through a network of 11,300 accounts. The total amount of stolen funds is estimated at $17 million. About $430,000 was seized, but the alleged organizer is still wanted via an Interpol Red Notice.
Android trojan Rokarolla: full device control
Zimperium researchers discovered the Rokarolla trojan with an arsenal of 137 remote commands. It spreads through fake websites, masquerading as TikTok or Chrome installers. After gaining access to "Accessibility Services," it disables Play Protect and deploys its full functionality.
The trojan can intercept PIN codes, read SMS, replace clipboard content, and even block incoming calls to prevent the victim from receiving bank alerts. A separate overlay mimics the Android lock screen, allowing theft of the pattern lock. This is a serious threat, and the only defense is extreme caution when granting permissions.
Cash couriers and a vulnerability in Beats
The FBI warns of a new tactic in "pig butchering" schemes: scammers hire couriers to collect cash from victims whose bank transactions are blocked. In 2025, crypto investment scams accounted for 49% of all cyber incidents in the US, with losses of $8.6 billion.
Meanwhile, Apple closed a dangerous vulnerability, CVE-2025-20701, in Beats Studio Buds. It allowed hackers within Bluetooth range to connect to the headphones without authorization, activate the microphone for eavesdropping, and even intercept trusted relationships with previously paired iPhones. Firmware update version 1B211 fixes the issue.
Expert opinion: The cyber threat market is clearly moving to a new level of professionalism. We are seeing not just viruses, but entire ecosystems with marketing, logistics, and complex infrastructure. For cryptocurrency holders, this means one thing: basic hygiene—antivirus and strong passwords—is no longer enough. It is necessary to critically evaluate any third-party links, files, and even "verified" repositories.