A USB worm attacked cryptocurrency holders, Apple fixed a dangerous vulnerability in the Beats Studio Buds, and other cybersecurity events

We have collected the most important news from the world of cybersecurity over the past week.
- A crypto clipper was spread using fake reputation on GitHub and YouTube.
- A USB worm self-propagated through hidden Windows shortcuts to steal cryptocurrency.
- South Korean law enforcement dismantled a cryptocurrency laundering network serving a Cambodian syndicate.
- Researchers discovered a new Android trojan for stealing cryptocurrency.
A crypto clipper was spread using fake reputation on GitHub and YouTube
An unknown attacker launched a large-scale campaign to distribute malware, using legitimate marketing methods to create a fake "reputation economy." This was reported by specialists at Check Point Research.
The ultimate goal of the attacks is to deploy crypto clippers disguised as trading tools in the Solana and Pump.fun ecosystems, as well as software for predicting betting outcomes.
According to the experts, the clipper itself is written in Rust and targets the Windows and macOS operating systems. The malware covertly and continuously monitors the device's clipboard. Upon detecting a copied cryptocurrency wallet address, the software instantly swaps it for the attacker's details, redirecting the digital assets.
To gain the trust of victims — mainly crypto investors and online gamers — the hacker built a complex cross-platform infrastructure of "Ghost Networks." Analysts recorded coordinated activity on the VirusTotal platform: a cluster of fake accounts massively left positive comments and likes to falsely classify malicious files as safe.
Similar manipulation of metrics is also used on other resources:
- GitHub and SourceForge. The attacker manages a network of accounts for mutual promotion of repositories. On SourceForge, the download counter was artificially inflated to 44,000 using a farm of Android devices;
- YouTube. A channel with more than 91,000 subscribers is used to advertise the software. The tutorial videos are created using AI voice generators and accompanied by inflated positive comments;
- Media. To legitimize the tool, the hacker uses press-release distribution services (for example, EIN Presswire), whose publications are then automatically reprinted by partner news sites.
Check Point researchers stressed that the manipulation of crowdsourcing platforms points to a dangerous shift in social engineering tactics. The successfully tested scheme of cross-platform reputation inflation could in the future be applied to mass-distribute ransomware and more sophisticated infostealers.
A USB worm self-propagated through hidden Windows shortcuts to steal cryptocurrency
Microsoft experts disclosed details of a campaign distributing self-replicating malware aimed at cryptocurrency holders.
The infection process is triggered when the victim opens a modified shortcut file (.LNK) on a USB drive. After launch, the worm covertly installs additional payloads from a command server located in the .onion domain zone.
The malware scans the local system for user documents. Upon finding them, the program hides the originals and replaces them with malicious shortcuts that have identical names. As a result, the software activates every time the user tries to open their working files. To self-propagate, the worm creates a scheduled task that monitors ports. As soon as a new USB drive is inserted into the computer, the virus instantly copies itself to the external medium.
The stealer enters its active phase only if "Task Manager" is not running on the system. It establishes a connection with the command server through a built-in Tor executable and every half-second monitors the clipboard for sensitive data:
- 12- and 24-word BIP39 seed phrases;
- addresses of bitcoin wallets (including Legacy, P2SH, Bech32, and Taproot), Ethereum, Tron, and Monero.
Upon detecting a copied address, the program instantly swaps it for the attacker's details. To deceive the victim, the algorithm selects wallets whose initial characters visually match the original ones.
In addition to clipboard hijacking, every ten seconds the virus takes five screenshots and sends them to the hackers using the Curl utility. On a special command from the server, the software can download and execute arbitrary JavaScript scripts on the infected machine.
Activity from this USB worm has been continuously recorded since at least February. Researchers stressed that the most obvious indicators of infection are behavioral rather than signature-based. The main "red flags" of a compromise are suspicious background activity of the wscript.exe and cscript.exe processes, unexpected launches of Curl, PowerShell, and cmd.exe, as well as unauthorized network connections to localhost:9050 (the standard port of the Tor proxy server).
South Korean law enforcement dismantled a cryptocurrency laundering network serving a Cambodian syndicate
South Korean law enforcement detained 23 suspects in a case involving money laundering for a Cambodian phishing organization. This was reported by Newsis.
The scheme was carried out through a complex transaction-routing network using both domestic South Korean and foreign cryptocurrency exchanges. According to the investigation, from February 2024 to April 2025 the group moved about 11.1 million USDT.
The police pointed to the colossal scale of the infrastructure involved: to launder money, the attackers used about 11,300 different accounts. These transit accounts were directly linked to stolen funds totaling roughly $17 million, which the criminals obtained as a result of 265 incidents.
During the police raids, criminal proceeds amounting to 650 million won (about $430,000) were seized. At the same time, the active phase of the law enforcement operation is not yet complete: the suspected organizer of the group is still at large. A "red notice" has already been issued for him by Interpol, implying an international search and extradition.
Researchers discovered a new Android trojan for stealing cryptocurrency
Security researchers at Zimperium discovered a trojan for Android aimed at stealing cryptocurrency.
According to analysts, the arsenal of the Rokarolla malware comprises 137 remote commands. The toolkit allows it to intercept PIN codes, read and send SMS, manipulate the clipboard to steal digital assets, and forcibly disable the OS's built-in protection mechanisms.
The software is distributed through malicious websites that masquerade as installers for popular services such as TikTok and Google Chrome.
In the first stage, the victim downloads a program that visually mimics the Google Play Protect system component. Using this disguise, the dropper uses social engineering to force the user to grant it access to "Accessibility." Once permission is obtained, the malware deploys its main payload and first of all disables the real Play Protect scanner.
Rokarolla downloads fake HTML authorization pages from its server for each active application on the target list. When the victim opens a legitimate crypto wallet, the trojan instantly overlays it with a fake window and intercepts all entered credentials.
In addition, a separate overlay precisely mimics the standard Android lock screen. This allows the software to steal a PIN code, password, or pattern key, giving the operators the ability to control the smartphone even in a locked state. To steal cryptocurrency, the trojan employs a built-in clipper: it covertly monitors the clipboard and swaps copied wallet addresses for the attackers' details, redirecting transactions.
To bypass two-factor authentication, Rokarolla reads all SMS on the device and can send messages on its own, intercepting one-time banking codes. Moreover, by setting itself as the default app for calls and SMS, the trojan is able to block incoming calls — so a warning call from the bank's anti-fraud system simply will not reach the owner.
Experts stressed that the main defense against such threats is heightened vigilance when granting permissions to "Accessibility," since it is precisely these that trigger the entire attack chain.
Crypto scam organizers used couriers to collect cash
Attackers have begun hiring couriers to collect funds from victims whose transactions are blocked by banking security systems. The FBI reported this new tactic of operators of cryptocurrency "pig butchering" schemes.
Usually such scams begin with fraudsters contacting potential victims through social networks, dating sites, and messengers, gaining their trust, and then luring them into fake investment schemes.
Having convinced the victim to withdraw cash (for example, under the pretext of a temporary account "freeze"), the fraudsters send a courier to the person who trusted them. A pre-arranged password or the serial number of a specific dollar bill is used for identification. Having received the money, the hackers simulate an increase in the balance of the victim's virtual wallet and start the cycle anew, demanding new contributions to pay fictitious "taxes" on fund withdrawals.
According to FBI data for 2025, cryptocurrency and investment fraud remains the "most destructive form" of cybercrime in the United States: it accounted for 49% of all incidents, with total damage of $8.6 billion.
A vulnerability in wireless earbuds allowed hackers to eavesdrop on iPhone users
Apple released a firmware update for the Beats Studio Buds wireless earbuds that closes a high-severity vulnerability.
The flaw, reported by SentinelOne experts back in January, allowed attackers to secretly connect to the device and use the built-in microphone for spying.
The problem, assigned the identifier CVE-2025-20701, is related to incorrect authorization in the Bluetooth audio SDK from chip developer Airoha. The defect allows a hacker within Bluetooth range to remotely connect their own earbud equipment without the user's knowledge or consent — provided the headset is not yet paired and is actively searching for connections. The vulnerability was successfully fixed in Beats firmware version 1B211.
According to specialists, the exploit can be activated through standard Bluetooth or the low-energy protocol (BLE) without any authentication. In addition to eavesdropping, the attack gives attackers almost complete control over the device: it allows them to read and overwrite the earbuds' RAM and flash memory. Moreover, hackers can hijack the established trust relationships with previously paired smartphones, which opens a vector for developing more complex multi-stage attacks.
Also on ForkLog:
- An outdated contract on the Aztec network was hacked for $2 million.
- Kentucky, following other states, filed a lawsuit against Polymarket.
- The United Kingdom will ban social media for children under 16.
- The Supreme Court of the Russian Federation recognized cryptocurrency as an object of theft.
- Bitbank threatened blocks for transactions linked to Polymarket.
What to read on the weekend?
Ideas that change the world are almost always born on the periphery — among people whom their contemporaries consider eccentrics. In a new article, ForkLog explored why pioneers, such as Jack Parsons, often remain in the shadow of the revolutions they have brought about.
Source: ForkLog
Cryptocurrency News
Random quote about money
"Если вы в состоянии устранить проблему с помощью денег, значит, проблемы у вас нет."
















* to search the proxy database, just enter a country name, e.g. Russia, USA, Thailand