{"id":234097,"date":"2026-06-20T00:00:00","date_gmt":"2026-06-20T04:00:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/06\/20\/usb-worm-targeted-crypto-holders-apple-fixed-critical-beats-studio-buds-flaw-and-more-cybersecurity-news\/"},"modified":"2026-06-20T00:20:19","modified_gmt":"2026-06-20T04:20:19","slug":"usb-worm-targeted-crypto-holders-apple-fixed-critical-beats-studio-buds-flaw-and-more-cybersecurity-news","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/06\/20\/usb-worm-targeted-crypto-holders-apple-fixed-critical-beats-studio-buds-flaw-and-more-cybersecurity-news\/","title":{"rendered":"USB worm targeted crypto holders; Apple fixed critical Beats Studio Buds flaw and more cybersecurity news"},"content":{"rendered":"<p><a href=\"https:\/\/forklog.com\/en\/usb-worm-targeted-crypto-holders-apple-fixed-critical-beats-studio-buds-flaw-and-more-cybersecurity-news\/\">USB worm targeted crypto holders; Apple fixed critical Beats Studio Buds flaw and more cybersecurity news<\/a><\/p>\n<p><a href=\"https:\/\/forklog.com\/en\/usb-worm-targeted-crypto-holders-apple-fixed-critical-beats-studio-buds-flaw-and-more-cybersecurity-news\/\">https:\/\/forklog.com\/en\/usb-worm-targeted-crypto-holders-apple-fixed-critical-beats-studio-buds-flaw-and-more-cybersecurity-news\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-06-20 00:00:00<\/a><\/p>\n<p>Source Domain: <a href=\"forklog.com\">forklog.com<\/a><\/p>\n<p>
<\/p>\n<p>             The week&#8217;s key cybersecurity developments.<\/p>\n<p>\t\t\t                        We gathered the week\u2019s most important cybersecurity news.<\/p>\n<p>A crypto clipper spread via fake reputation on GitHub and YouTube.<br \/>\nA USB worm self-propagated through hidden Windows shortcuts to steal cryptocurrency.<br \/>\nSouth Korean law enforcement dismantled a crypto money-laundering network for a Cambodian syndicate.<br \/>\nResearchers found a new Android trojan that steals cryptocurrency.<\/p>\n<p>Crypto clipper spread using fake reputation on GitHub and YouTube<br \/>\nAn unidentified attacker launched a large-scale malware campaign using legitimate marketing tactics to build a fake \u201creputation economy,\u201d according to Check Point Research.<br \/>\nThe end goal was to deploy crypto clippers disguised as trading tools in the Solana and Pump.fun ecosystems, as well as betting outcome prediction software.<br \/>\nPhishing page. Source: Check Point Research.<br \/>\nAccording to the researchers, the clipper is written in Rust and targets Windows and macOS. It covertly and continuously monitors the device clipboard. When a copied cryptocurrency wallet address is detected, the malware instantly swaps it for the attacker\u2019s details, redirecting the digital assets.<br \/>\nTo build trust with victims \u2014 mainly crypto investors and online gamblers \u2014 the hacker set up a complex cross-platform infrastructure of \u201cGhost Networks.\u201d Analysts observed coordinated activity on VirusTotal: a cluster of fake accounts mass-posted positive comments and likes to falsely classify malicious files as safe.<br \/>\nSimilar metric manipulation is used on other platforms:<\/p>\n<p>GitHub and SourceForge. The attacker controls a network of accounts to cross-promote repositories. On SourceForge, the download counter was artificially inflated to 44,000 using a farm of Android devices;<br \/>\nYouTube. 
A channel with more than 91,000 subscribers advertises the software. Tutorial videos use AI voice generators and are accompanied by boosted positive comments;<br \/>\nMedia. To legitimize the tool, the hacker uses press release distribution services (for example, EIN Presswire), whose publications are then automatically republished by partner news sites.<\/p>\n<p>Check Point researchers stressed that manipulating crowdsourced platforms signals a dangerous shift in social engineering tactics. The cross-platform reputation-boosting scheme, now proven effective, could be applied to mass distribution of ransomware and more advanced infostealers.<br \/>\nUSB worm self-propagated via hidden Windows shortcuts to steal cryptocurrency<br \/>\nMicrosoft experts detailed a self-replicating malware campaign targeting cryptocurrency owners.<br \/>\nInfection triggers when a victim opens a modified .LNK shortcut file on a USB drive. Once launched, the worm silently installs additional payloads from a command server hosted in the .onion domain.<br \/>\nThe malware scans the local system for user documents. Upon finding them, it hides the originals and replaces them with malicious shortcuts using identical filenames. As a result, the malware activates each time the user tries to open work files. For self-propagation, the worm creates a scheduled task that monitors ports. As soon as a new USB drive is inserted, it instantly copies itself to the external media.<br \/>\nInfection chain. Source: Microsoft.<br \/>\nThe stealer activates only if Task Manager is not running. It connects to the command server via a built-in Tor executable and checks the clipboard every half second for sensitive data:<\/p>\n<p>12- and 24-word BIP39 seed phrases;<br \/>\nbitcoin wallet addresses (including Legacy, P2SH, Bech32, and Taproot), as well as Ethereum, Tron, and Monero.<\/p>\n<p>When a copied address is detected, the program immediately swaps it for the attacker\u2019s. 
To fool the victim, the algorithm selects attacker wallets with starting characters that visually match the originals.<br \/>\nBeyond clipboard hijacking, every ten seconds the malware takes five screenshots and sends them to the attackers using curl. On a specific server command, it can download and execute arbitrary JavaScript on the infected machine.<br \/>\nThis USB worm\u2019s activity has been observed continuously since at least February. Researchers emphasized that the clearest indicators of compromise are behavioral rather than signature-based: suspicious background activity of wscript.exe and cscript.exe, unexpected launches of curl, PowerShell and cmd.exe, and unauthorized network connections to localhost:9050 (Tor\u2019s default proxy port).<br \/>\nSouth Korean law enforcement dismantled crypto laundering network for Cambodian syndicate<br \/>\nLaw enforcement in South Korea detained 23 suspects in a case involving money laundering for a Cambodian phishing organization, Newsis reported.<br \/>\nThe scheme operated through a complex transaction-routing network using both domestic South Korean and overseas crypto exchanges. Investigators said that from February 2024 to April 2025 the group moved about 11.1 million USDT.<br \/>\nPolice highlighted the vast scale of the infrastructure: roughly 11,300 different accounts were used for laundering. These transit accounts were directly linked to stolen funds totaling about $17 million obtained across 265 incidents.<br \/>\nPolice raids seized illicit proceeds worth 650 million won (about $430,000). The operation\u2019s active phase is not yet complete: the suspected organizer remains at large. 
An Interpol Red Notice has been issued for him, enabling international search and extradition.<br \/>\nResearchers found a new Android trojan that steals cryptocurrency<br \/>\nSecurity researchers at Zimperium discovered an Android trojan aimed at stealing cryptocurrency.<br \/>\nAccording to analysts, the Rokarolla malware supports 137 remote commands. Its toolkit can capture PIN codes, read and send SMS, manipulate the clipboard to steal digital assets, and forcibly disable the OS\u2019s built-in protections.<br \/>\nThe malware spreads via malicious websites masquerading as installers for popular services like TikTok and Google Chrome.<br \/>\nInitially, the victim downloads an app that visually imitates the Google Play Protect system component. Using this disguise, the dropper employs social engineering to trick the user into granting Accessibility permissions. Once granted, the malware deploys the main payload and immediately disables the real Play Protect scanner.<br \/>\nRokarolla requesting additional permissions. Source: Zimperium.<br \/>\nRokarolla downloads fake HTML login pages from its server for each active app on its target list. When the victim opens a legitimate crypto wallet, the trojan instantly overlays it with a fake window and captures all entered credentials.<br \/>\nAn additional overlay precisely imitates the standard Android lock screen. This allows the malware to steal the PIN, password, or pattern, giving operators control of the smartphone even when it is locked. To steal cryptocurrency, the trojan uses a built-in clipper that silently monitors the clipboard and replaces copied wallet addresses with the attackers\u2019 details, redirecting transactions.<br \/>\nTo bypass two-factor authentication, Rokarolla reads all SMS on the device and can send messages itself, intercepting one-time banking codes. 
By setting itself as the default app for calls and SMS, the trojan can block incoming calls \u2014 meaning a warning call from a bank anti-fraud system may never reach the victim.<br \/>\nExperts emphasized that the main protection against such threats is heightened caution when granting Accessibility permissions, as they trigger the entire attack chain.<br \/>\nCrypto scammers used couriers to collect cash<br \/>\nAttackers have begun hiring couriers to collect funds from victims whose transactions are blocked by bank security systems. The FBI reported the new tactic used by \u201cpig butchering\u201d crypto schemes in a public service announcement.<br \/>\nThese scams usually start when fraudsters contact potential victims via social networks, dating sites, and messengers, build trust, and then lure them into fake investment schemes.<br \/>\nAfter convincing the victim to withdraw cash (for example, under the pretext of a temporary account \u201cfreeze\u201d), scammers send a courier to collect it. Identification is done using a prearranged password or the serial number of a specific dollar bill. 
After receiving the money, the scammers simulate an increase in the victim\u2019s virtual wallet balance and restart the cycle, demanding new payments to cover fictional \u201cwithdrawal taxes.\u201d<br \/>\nAccording to FBI data for 2025, cryptocurrency and investment fraud remains \u201cthe most devastating form\u201d of cybercrime in the United States, accounting for 49% of all incidents with total losses of $8.6 billion.<br \/>\nVulnerability in wireless earbuds let hackers eavesdrop on iPhone users<br \/>\nApple released a firmware update for Beats Studio Buds wireless earbuds that fixes a high-severity vulnerability.<br \/>\nThe flaw, reported by SentinelOne in January, allowed attackers to connect to the device covertly and use the built-in microphone for espionage.<br \/>\nTracked as CVE-2025-20701, the issue stems from improper authorization in a Bluetooth audio SDK from chipmaker Airoha. The defect lets an attacker within Bluetooth range remotely connect their equipment to the earbuds without the user\u2019s knowledge or consent \u2014 provided the headset is not yet paired and is actively seeking connections. The vulnerability has been addressed in Beats firmware version 1B211.<br \/>\nAccording to researchers, the exploit can be triggered over standard Bluetooth or the low-energy protocol (BLE) without any authentication. Beyond eavesdropping, the attack gives near-complete control over the device: it allows reading and rewriting the earbuds\u2019 RAM and flash memory. 
Attackers can also hijack established trust relationships with previously paired smartphones, enabling more complex multi-stage attacks.<br \/>\nAlso on ForkLog:<\/p>\n<p>An outdated contract on the Aztec network was hacked for $2 million.<br \/>\nKentucky, following other states, filed a lawsuit against Polymarket.<br \/>\nThe UK will ban social networks for children under 16.<br \/>\nRussia\u2019s Supreme Court recognized cryptocurrency as an object of theft.<br \/>\nBitbank threatened blocks over transactions related to Polymarket.<\/p>\n<p>What to read this weekend?<br \/>\nIdeas that change the world almost always emerge on the periphery \u2014 among people their contemporaries consider eccentrics. In a new ForkLog feature, we explore why pioneers like Jack Parsons often remain in the shadow of the revolutions they sparked.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>USB worm targeted crypto holders; Apple fixed critical Beats Studio Buds flaw and more 
cybersecurity&#8230;<\/p>\n","protected":false},"author":1,"featured_media":234098,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/forklog.com\/wp-content\/uploads\/img-66d050fbc289a484-4082036415917875.webp","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,24,31,35,32,25,27],"class_list":["post-234097","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-cybersecurity","tag-exploit","tag-hacker","tag-malware","tag-phishing","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/234097"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=234097"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/234097\/revisions"}],"predecessor-version":[{"id":234099,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/234097\/revisions\/234099"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/234098"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=234097"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=234097"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=234097"}],"curies":[{"name":"wp","href":"https
:\/\/api.w.org\/{rel}","templated":true}]}}