
Efimer Trojan

By Favila in Trojans, Malware

The Efimer Trojan has emerged as a dangerous cryptocurrency-stealing malware spreading through Brazil and beyond. First observed in late 2024 and gaining traction in mid-2025, it is delivered through mass mailing campaigns, compromised WordPress sites, and malicious torrents. Once on a system, Efimer tampers with cryptocurrency transactions, exfiltrates sensitive data, and helps the attackers expand their own infrastructure by brute-forcing WordPress sites and harvesting email addresses. Its evolving capabilities, including anti-VM checks and theft from browser wallet extensions, make it a versatile threat to both individuals and organizations.

AI-Powered Phishing Campaigns in Brazil

Cybersecurity analysts have recently uncovered a malicious campaign in Brazil in which threat actors misuse legitimate AI-driven web development platforms such as DeepSite AI and BlackBox AI to generate convincing replicas of official government portals, including those of the State Department of Traffic and the Ministry of Education.

The fraudulent portals trick unsuspecting visitors into making unauthorized payments through the PIX instant payment system while harvesting sensitive data. The goal is to collect Cadastro de Pessoas Físicas (CPF) numbers, the Brazilian taxpayer ID, together with residential details, and then to pressure victims into transferring 87.40 Brazilian reais (about $16) under the pretense of mandatory medical or psychometric exams.

SEO Poisoning and API Abuse

To maximize reach, the fake sites are promoted using search engine optimization (SEO) poisoning, pushing them higher in search results. Closer inspection of the code reveals the fingerprints of AI-generated sites, such as explanatory developer notes, unused elements, and a reliance on TailwindCSS styling.

To enhance credibility, the phishing pages use staged forms, gradually requesting more data while validating CPF numbers against an attacker-controlled API. This backend service auto-populates the phishing pages with authentic-looking personal information. Investigators suggest that the attackers likely obtained CPF records through previous data breaches or exploited publicly exposed APIs to improve the believability of their scheme.

Rise of the Efimer Trojan

Parallel to these phishing campaigns, Brazil is also experiencing a large-scale malspam operation delivering the Efimer Trojan. Detected in June 2025 but with variants dating back to October 2024, the malware initially spreads through emails impersonating lawyers and alleging domain name infringements.

The phishing emails arrive with ZIP attachments that include:

  • A password-protected archive
  • A decoy file that contains the password
  • A malicious Windows Script File (WSF)

When the victim runs it, the WSF displays a fake error message while quietly dropping two files: controller.js (the main Trojan) and controller.xml (its configuration file). The script then creates a scheduled task so the Trojan survives reboots.
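The attachment layout above (an outer ZIP holding a password-protected archive, a small decoy file carrying the password, and a Windows Script File) is itself a usable mail-gateway signature. The following is an added example written for this article, not code from the original page or from the malware's authors: it scores a ZIP attachment on that layout using only the Python standard library. It relies on the fact that ZIP entry names live in the central directory, which is never encrypted, so even the contents of the password-protected inner archive can be listed without the password. The extension lists, the password-hint regex (which includes the Portuguese "senha") and the two sample archives are assumptions constructed for the example; zipfile cannot write encrypted archives, so the test helper simulates one by setting the encryption flag bit in the ZIP headers.

```python
import io
import re
import zipfile

# Extension lists are assumptions for this example; extend them to taste.
SCRIPT_EXTS = {".wsf", ".js", ".jse", ".vbs", ".vbe", ".hta", ".cmd", ".bat", ".ps1", ".lnk"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z"}
TEXTISH_EXTS = {".txt", ".htm", ".html", ".rtf", ""}
# "senha" is Portuguese for password, which matters for a campaign aimed at Brazil.
PASSWORD_HINT = re.compile(r"\b(?:password|senha|pass|pwd)\b\s*[:=]?\s*(\S+)", re.IGNORECASE)


def _ext(name: str) -> str:
    base = name.rsplit("/", 1)[-1].lower()
    return base[base.rfind("."):] if "." in base else ""


def inspect_nested_zip(data: bytes):
    """Return (is_encrypted, entry_names) for a ZIP blob, or (False, []) if it is not a ZIP.
    The central directory is never encrypted, so the file list is readable without the password."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        return False, []
    return any(zi.flag_bits & 0x1 for zi in infos), [zi.filename for zi in infos]


def analyse_attachment(data: bytes) -> dict:
    """Score a ZIP attachment for the lure layout: script + encrypted archive + password decoy."""
    f = {"scripts": [], "nested_scripts": [], "archives": [], "encrypted_archives": [], "password_hints": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():
            if zi.is_dir():
                continue
            ext = _ext(zi.filename)
            if ext in SCRIPT_EXTS:
                f["scripts"].append(zi.filename)
            elif ext in ARCHIVE_EXTS:
                f["archives"].append(zi.filename)
                encrypted, names = inspect_nested_zip(zf.read(zi))
                if encrypted:
                    f["encrypted_archives"].append(zi.filename)
                f["nested_scripts"] += [n for n in names if _ext(n) in SCRIPT_EXTS]
            elif ext in TEXTISH_EXTS and zi.file_size < 4096:
                text = zf.read(zi).decode("utf-8", "replace")
                f["password_hints"] += [(zi.filename, m.group(1)) for m in PASSWORD_HINT.finditer(text)]
    score = 0
    if f["scripts"] or f["nested_scripts"]:
        score += 3
    if f["encrypted_archives"]:
        score += 2
    elif f["archives"]:
        score += 1
    if f["password_hints"]:
        score += 2
    f["score"] = score
    f["verdict"] = "suspicious" if score >= 5 else "benign"
    return f


def build_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def mark_encrypted(zip_bytes: bytes) -> bytes:
    """Test-only helper: zipfile cannot write password-protected archives, so set bit 0 of the
    general-purpose flag in every local (offset 6) and central (offset 8) header. That makes
    infolist() report the entries as encrypted; the stored data itself is left untouched."""
    b = bytearray(zip_bytes)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = b.find(sig)
        while pos != -1:
            b[pos + off] |= 0x01
            pos = b.find(sig, pos + 4)
    return bytes(b)


def build_lure_sample() -> bytes:
    """Constructed attachment shaped like the lure (names and contents are invented)."""
    wsf = "<job><script language='JScript'></script></job>"
    inner = mark_encrypted(build_zip({"Notificacao_Extrajudicial.wsf": wsf}))
    return build_zip({
        "Notificacao_Extrajudicial.zip": inner,          # password-protected archive
        "LEIA-ME.txt": "Documentos anexos. Senha: 2025",  # decoy carrying the password
        "Notificacao_Extrajudicial.wsf": wsf,             # the script that drops the Trojan
    })


def build_benign_sample() -> bytes:
    return build_zip({"invoice.pdf": b"%PDF-1.4 constructed sample", "notes.txt": "see attached"})


if __name__ == "__main__":
    print(analyse_attachment(build_lure_sample()))
    print(analyse_attachment(build_benign_sample()))
```

The scoring is deliberately layout-based rather than content-based: the gateway never needs to extract the protected archive, and a WSF or JS file next to an encrypted archive plus a "senha:" line is enough to quarantine for review.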

Technical Breakdown of Efimer

Efimer functions as a crypto-focused Trojan with multiple layers of malicious activity:

  1. Clipping Malware: Replaces copied cryptocurrency wallet addresses with attacker-controlled ones.
  2. Data Theft: Takes screenshots and sends them to a Tor-based command-and-control (C2) server, from which it also retrieves instructions.
  3. Propagation Tools: Uses brute-force scripts to compromise WordPress sites and harvests email addresses to expand spam campaigns.
  4. Spam Module: Automatically fills out contact forms on websites to push malicious links further.
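The clipping behaviour in item 1 has a tell that a host-based monitor can use: the swapped-in address must belong to the same family as the one the user copied (a Bitcoin address replaced by an Ethereum address would be rejected by the wallet), and the replacement happens within milliseconds of the user's copy, usually from a different process than the one that owned the clipboard. The following is an added example written for this article, not code from the page or from Efimer's authors: it runs that check over a sequence of clipboard-change events. The address regexes, the event fields (on Windows the owner would come from GetClipboardOwner after AddClipboardFormatListener fires), the 2-second gap and the sample clipboard history are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Address families a clipper typically rewrites (assumed set for this example; extend as needed).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "trx": re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
    "xmr": re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
}


def classify_address(text: str):
    """Return the address family of a clipboard string, or None if it is not an address."""
    s = text.strip()
    for kind, pat in ADDRESS_PATTERNS.items():
        if pat.match(s):
            return kind
    return None


@dataclass
class ClipEvent:
    ts_ms: int    # time the clipboard changed
    owner: str    # process that set the clipboard (GetClipboardOwner on Windows)
    text: str     # new clipboard text


def detect_swaps(events, max_gap_ms: int = 2000):
    """Flag a change where one address is replaced by a different address of the same family,
    shortly after it was copied and by a different process than the one that copied it."""
    alerts = []
    prev = None
    for ev in events:
        if prev is not None:
            before, after = classify_address(prev.text), classify_address(ev.text)
            if (before is not None and after == before
                    and ev.text.strip() != prev.text.strip()
                    and ev.ts_ms - prev.ts_ms <= max_gap_ms
                    and ev.owner != prev.owner):
                alerts.append({"kind": before, "owner": ev.owner, "gap_ms": ev.ts_ms - prev.ts_ms,
                               "original": prev.text.strip(), "replacement": ev.text.strip()})
        prev = ev
    return alerts


# Constructed clipboard history: a browser copy is overwritten 150 ms later by a script host.
SAMPLE_EVENTS = [
    ClipEvent(0, "chrome.exe", "1" + "Aa2" * 11),        # user copies a BTC address (synthetic)
    ClipEvent(150, "wscript.exe", "1" + "Bb3" * 11),     # replaced by a different BTC address
    ClipEvent(9000, "chrome.exe", "meeting at 3pm"),      # ordinary text, ignored
    ClipEvent(12000, "chrome.exe", "0x" + "ab" * 20),    # user copies an ETH address
    ClipEvent(40000, "chrome.exe", "0x" + "cd" * 20),    # user copies another one much later: no alert
]


def run_sample():
    return detect_swaps(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"clipper suspected: {a['kind']} address rewritten by {a['owner']} after {a['gap_ms']} ms")
```

The owner check is what keeps the false-positive rate down when a user legitimately copies two addresses in a row; a clipper that injects into the foreground process would defeat it, in which case the gap-only heuristic plus an allow-list of the user's own addresses is the fallback.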

A second variant has been found with anti-virtual machine features and browser-scanning capabilities. It specifically targets crypto wallet extensions in Google Chrome and Brave, including Atomic, Electrum, and Exodus, and sends the harvested data to its operators.
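The propagation tools in items 3 and 4 of the list above are visible from the other side, in the access logs of the WordPress sites Efimer attacks: credential guessing shows up as a burst of POSTs to wp-login.php or xmlrpc.php from one client, and form spam as repeated POSTs to a contact endpoint. The following is an added example written for this article, not code from the page or from the malware: a sliding-window counter over combined-format access log lines, with a per-endpoint threshold. One WordPress-specific detail it uses is that wp-login.php answers a failed login with a 200 (the form again) and a successful one with a 302 redirect, so a 302 after a run of 200s from the same client means the brute force worked. The endpoint list, thresholds and the sample log are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format (Apache/nginx default); assumed for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# POST endpoints to rate-check and the count per window that triggers an alert (assumed values).
WATCHED = {"/wp-login.php": 10, "/xmlrpc.php": 10, "/contact/": 3}


def parse_line(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]
    rec["status"] = int(rec["status"])
    return rec


def detect_post_bursts(lines, window_s: int = 60):
    """Sliding-window count of POSTs per (client IP, endpoint); one alert per pair."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in WATCHED:
            posts[(rec["ip"], rec["path"])].append(rec)
    alerts = []
    for (ip, path), recs in posts.items():
        recs.sort(key=lambda r: r["ts"])
        best, start = 0, 0
        for end in range(len(recs)):
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= WATCHED[path]:
            # A 302 from wp-login.php is a successful login; after a burst of 200s it means
            # the guessing worked and the site is now a distribution node.
            login_success = path == "/wp-login.php" and any(r["status"] == 302 for r in recs)
            alerts.append({"ip": ip, "path": path, "count": best,
                           "first": recs[0]["ts"].isoformat(), "last": recs[-1]["ts"].isoformat(),
                           "login_success": login_success})
    return alerts


def _line(ip, ts, method, path, status):
    return f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] "{method} {path} HTTP/1.1" {status} 2710 "-" "Mozilla/5.0"'


def build_sample_log():
    """Constructed access log: one IP hammers wp-login.php and finally gets a 302, a second
    IP logs in normally, a third sends a few XML-RPC calls that stay below the threshold."""
    t0 = datetime(2025, 6, 10, 14, 2, 0, tzinfo=timezone.utc)
    lines = [_line("203.0.113.5", t0, "GET", "/wp-login.php", 200),
             _line("203.0.113.5", t0 + timedelta(seconds=5), "POST", "/wp-login.php", 302)]
    for i in range(12):
        status = 302 if i == 11 else 200
        lines.append(_line("198.51.100.7", t0 + timedelta(seconds=2 * i), "POST", "/wp-login.php", status))
    for i in range(4):
        lines.append(_line("192.0.2.9", t0 + timedelta(seconds=15 * i), "POST", "/xmlrpc.php", 200))
    return lines


if __name__ == "__main__":
    for a in detect_post_bursts(build_sample_log()):
        print(a)
```

Because the guessing is distributed across many compromised hosts, a per-IP threshold on one site misses slow attacks; the same counter keyed on the endpoint alone, or shipped to a SIEM that correlates across sites, catches the campaign-level pattern.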

Global Reach and Impact

Telemetry shows that Efimer has already compromised over 5,000 users, with infections spreading beyond Brazil to countries like India, Spain, Russia, Italy, Germany, the U.K., Canada, France, and Portugal.

The Trojan’s dual distribution strategy is noteworthy:

  • Individual Users: Tricked into downloading malicious torrents posing as popular movies.
  • Corporate Targets: Approached through spear-phishing emails alleging unauthorized trademark or copyright use.

By combining data theft, cryptocurrency fraud, and infrastructure compromise, Efimer represents a highly versatile threat with the potential to impact both personal users and businesses.
