Crypto news

20.06.2026
11:40

Cyber threats of the week: USB worm steals cryptocurrencies, Apple patches a hole in Beats, and a new wave of Android trojans

security_new1

A weekly digest of key cybersecurity events: from sophisticated asset theft schemes to critical vulnerabilities in popular devices.

USB Worm: A New Era of Self-Propagating Threats

Microsoft experts have identified a dangerous campaign targeting cryptocurrency holders. The attack is based on a self-replicating USB worm that exploits hidden Windows shortcuts (.LNK). Infection occurs when a modified file on a flash drive is opened. The worm then scans the system, hides the user's original documents, and replaces them with malicious shortcuts. Each time the victim tries to open their file, the malware is activated.

To communicate with a command server located in the .onion domain, the worm uses built-in Tor. Its main goal is clipboard hijacking. The malware monitors copied data every half second, searching for BIP39 seed phrases (12 or 24 words) and wallet addresses for Bitcoin, Ethereum, Tron, and Monero. Upon detection, the address is instantly replaced with the attacker's wallet, with the algorithm selecting visually similar first characters to deceive the user. Additionally, the program takes screenshots every ten seconds. The worm's activity has been recorded since February, and its main indicator is behavioral, not signature-based.

Apple Closes Spyware Gap in Beats Studio Buds

Apple has released an urgent firmware update for its wireless Beats Studio Buds headphones, fixing the critical vulnerability CVE-2025-20701. The issue, discovered by SentinelOne specialists, allowed attackers within Bluetooth range to secretly connect to the headset and activate the built-in microphone for eavesdropping. The exploit requires no authentication and gives hackers nearly full control over the device, including the ability to read and overwrite memory, as well as intercept trusted connections with previously paired iPhones. The vulnerability has been fixed in firmware version 1B211.

New Android Trojan Rokarolla: Full Device Takeover

Zimperium researchers have discovered an Android trojan named Rokarolla, whose arsenal includes 137 remote commands. The malware disguises itself as installers for popular apps like TikTok or Chrome. After installation, it poses as a Google Play Protect component and uses social engineering to trick the user into granting access to "Accessibility Services." Once permission is obtained, the trojan disables the real Play Protect and deploys its full functionality: intercepting PINs, SMS, replacing clipboard content for cryptocurrency theft, and even simulating the Android lock screen to gain full control of the smartphone.

Expert Opinion

This week demonstrates an alarming trend: attackers are moving from simple phishing attacks to complex, multi-stage schemes using physical media and exploiting brand trust. The self-propagating USB worm marks a return to classic tactics, but with a modern cryptocurrency focus. At the same time, the vulnerability in Apple headphones shows that even seemingly harmless IoT devices can become an ideal vector for espionage. I strongly recommend crypto asset holders to increase vigilance: do not connect suspicious flash drives, update firmware on all devices promptly, and critically evaluate any requests for granting extended permissions on Android.