AI Tools Fuel Brazilian Phishing Scam While Efimer Trojan Steals Crypto from 5,000 Victims

AI-driven phishing scams mimic Brazilian agencies to steal PIX payments; Efimer Trojan infects 5,000+ crypto users worldwide.

August 8, 2025
The Hacker News
Cybersecurity researchers have uncovered a sophisticated phishing campaign leveraging generative AI tools like DeepSite AI and BlackBox AI to create convincing replica websites impersonating Brazilian government agencies. These lookalike sites mimic Brazil's State Department of Traffic and Ministry of Education to deceive users into making fraudulent payments via the PIX payment system. The attackers employ search engine optimization (SEO) poisoning techniques to boost the visibility of these fake sites, increasing the chances of victim engagement. Analysis by Zscaler ThreatLabz revealed telltale signs of generative AI use, such as overly detailed developer comments, non-functional elements typical of genuine sites, and TailwindCSS styling—distinct from traditional phishing kits. The phishing pages collect sensitive personal data, including Cadastro de Pessoas Físicas (CPF) numbers, taxpayer IDs, and residential addresses. Victims are then tricked into paying 87.40 Brazilian reals (approximately $16) via PIX under false pretenses like psychometric or medical exams or securing job offers. To enhance credibility, the phishing sites progressively request more information, validating CPF numbers through a backend API controlled by the attackers. Zscaler researchers suggest that attackers may have sourced CPF numbers and user data from prior breaches or publicly exposed APIs to increase the scam's authenticity. Although current financial theft amounts are relatively small, the potential for more damaging attacks remains significant.
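The three tell-tales Zscaler ThreatLabz names (dense developer comments, TailwindCSS utility classes, and decorative elements that do nothing) can be turned into a quick triage check over a saved copy of a suspicious page. The Python below is an added example written for this page, not code from the article, from Zscaler, or from the phishing kit; the Tailwind class-name list, the thresholds and the two constructed sample pages are illustrative assumptions, and a real deployment would tune them against known-good government pages to keep false positives down.

```python
"""Heuristic triage of a saved HTML page for the three indicators Zscaler
ThreatLabz associated with AI-generated phishing sites: dense developer
comments, TailwindCSS utility classes and decorative elements that do not
actually work. Added example; the class-name list and thresholds are
illustrative assumptions, not Zscaler's detection logic."""
import re
from html.parser import HTMLParser

# A handful of common Tailwind utility-class shapes (assumed, not exhaustive).
TAILWIND = re.compile(
    r"\b(?:flex|grid|px-\d|py-\d|mt-\d|mb-\d|text-(?:sm|lg|xl|\dxl)"
    r"|bg-\w+-\d{3}|rounded(?:-\w+)?|shadow(?:-\w+)?)\b"
)


class PageFeatures(HTMLParser):
    """Collect comment volume, visible-text volume, Tailwind class hits and
    dead navigation/form elements while parsing."""

    def __init__(self):
        super().__init__()
        self.comment_chars = self.text_chars = self.tailwind_hits = 0
        self.links = self.dead_links = self.forms = self.forms_without_action = 0

    def handle_comment(self, data):
        self.comment_chars += len(data.strip())

    def handle_data(self, data):
        self.text_chars += len(data.strip())

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self.tailwind_hits += len(TAILWIND.findall(a.get("class") or ""))
        if tag == "a":
            self.links += 1
            href = (a.get("href") or "").strip().lower()
            if href in ("", "#") or href.startswith("javascript:"):
                self.dead_links += 1  # looks like a menu entry but goes nowhere
        elif tag == "form":
            self.forms += 1
            if not a.get("action"):
                self.forms_without_action += 1  # data handled by script only


def score_page(html):
    """Return the indicator names that fire plus the raw feature counts."""
    f = PageFeatures()
    f.feed(html)
    f.close()
    indicators = []
    if f.comment_chars > 0.15 * f.text_chars:        # comments dwarf visible text
        indicators.append("dense_developer_comments")
    if f.tailwind_hits >= 5:                         # utility-class styling
        indicators.append("tailwind_styling")
    if (f.links >= 3 and f.dead_links / f.links >= 0.5) or f.forms_without_action:
        indicators.append("non_functional_elements")
    return {"score": len(indicators), "indicators": indicators,
            "features": {"comment_chars": f.comment_chars, "text_chars": f.text_chars,
                         "tailwind_hits": f.tailwind_hits, "links": f.links,
                         "dead_links": f.dead_links,
                         "forms_without_action": f.forms_without_action}}


# Constructed sample: the style the article attributes to AI-built lookalikes.
AI_STYLE_PAGE = """<!DOCTYPE html>
<html><head><title>Portal de Servicos</title></head>
<body class="min-h-screen bg-gray-100 flex items-center">
<!-- Main container: centers the card vertically and horizontally -->
<div class="max-w-md mx-auto p-6 rounded-lg shadow-lg bg-white">
  <!-- Header section with the agency branding -->
  <h1 class="text-2xl text-gray-800 mb-4">Consulta</h1>
  <!-- Navigation links: these are placeholders and do not navigate -->
  <nav class="flex mb-4">
    <a href="#" class="px-2">Inicio</a>
    <a href="#" class="px-2">Servicos</a>
    <a href="#" class="px-2">Contato</a>
  </nav>
  <!-- Data collection form: submits CPF via JavaScript handler -->
  <form>
    <input name="cpf" class="px-4 py-2 rounded shadow" placeholder="CPF">
    <button class="mt-4 px-4 py-2 bg-blue-600 rounded">Continuar</button>
  </form>
</div>
</body></html>"""

# Constructed sample: a table-and-inline-style page in classic kit style.
CLASSIC_PAGE = """<html><head><title>Login</title></head>
<body><table width="600" align="center"><tr><td>
<form method="post" action="login.php">
<input type="text" name="user" style="width:200px">
<input type="password" name="pass" style="width:200px">
<input type="submit" value="Entrar">
</form>
<a href="recover.php">Esqueci a senha</a>
</td></tr></table></body></html>"""

if __name__ == "__main__":
    for name, page in (("ai_style", AI_STYLE_PAGE), ("classic", CLASSIC_PAGE)):
        print(name, score_page(page))
```

Run it on a page saved with the browser's "save as HTML" to get a score and the feature counts behind it. The score is a triage aid, not a verdict: a legitimate site built with Tailwind will trip one indicator on its own, which is why the comment density and dead-element checks are weighed alongside it.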

Efimer Trojan Mass Mailing Campaign Steals Cryptocurrency

In a related threat, Brazil has been targeted by a mass mailing campaign distributing the Efimer Trojan, a malicious script designed to steal cryptocurrency wallets. Detected by Russian cybersecurity firm Kaspersky in June 2025, Efimer has been active since October 2024 and spreads through infected WordPress sites, phishing emails, and malicious torrent files. The phishing emails impersonate lawyers from major companies, falsely accusing recipients of domain infringement. The emails contain password-protected ZIP archives with malicious Windows Script Files (WSF) that install Efimer upon execution. Victims see a fake error message to distract them while the malware installs itself. Efimer installs a clipper malware component, "controller.js," which replaces cryptocurrency wallet addresses copied to the clipboard with attacker-controlled addresses. It also captures screenshots and can execute additional payloads from its command-and-control (C2) server via the TOR network. A second Efimer variant includes anti-virtual machine (VM) features and scans browsers like Google Chrome and Brave for cryptocurrency wallet extensions such as Atomic, Electrum, and Exodus, exfiltrating this data to the attackers. Kaspersky estimates over 5,000 users have been impacted, primarily in Brazil but also in India, Spain, Russia, Italy, Germany, the U.K., Canada, France, and Portugal. Efimer's infrastructure also enables it to compromise WordPress sites to spread spam and malware further. This campaign targets both individual users and corporate environments by using torrent files as bait for individuals and legal threat emails for businesses.
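The clipper behaviour described above (a copied wallet address is silently replaced with an attacker-controlled one of the same kind) has a simple observable signature from the defender's side: the clipboard goes from one address to a different address of the same chain within moments, with nothing else copied in between. The Python below is an added example for this page, not code from the article, from Kaspersky, or from Efimer; it runs over a constructed log of clipboard snapshots, and the address regexes, the two-second window and the sample addresses are all assumptions made for illustration.

```python
"""Spot clipper-style clipboard hijacking in a log of clipboard snapshots.
A clipper (the article describes Efimer's controller.js as one) waits for a
wallet address to be copied and overwrites it with an attacker address of the
same chain. From the defender's side that looks like one address turning into
a different address of the same chain moments later, with nothing else copied
in between. Added example; the snapshot log is constructed, not captured."""
import re
from dataclasses import dataclass

# Coarse address shapes (assumed; enough to classify, not to validate checksums).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text):
    """Return the chain name whose address pattern matches, else None."""
    text = text.strip()
    for chain, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return chain
    return None


@dataclass
class Snapshot:
    t: float    # seconds since monitoring started
    text: str   # clipboard contents observed at that moment


def detect_clipboard_swaps(snapshots, max_gap=2.0):
    """Return (time, chain, original, replacement) for every transition in
    which an address is replaced by a different address of the same chain
    within max_gap seconds. A user copying two addresses of the same chain a
    minute apart is normal; a swap within a second or two is the clipper
    signature."""
    alerts = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        if prev.text == cur.text:
            continue                          # poll saw unchanged contents
        chain = classify(prev.text)
        if chain is None or classify(cur.text) != chain:
            continue                          # not an address-for-address change
        if cur.t - prev.t <= max_gap:
            alerts.append((cur.t, chain, prev.text.strip(), cur.text.strip()))
    return alerts


# Constructed snapshot log; the addresses are sample values, not indicators
# from the article. Only the 5.2 -> 5.4 s transition is a hijack.
EVENTS = [
    Snapshot(0.0, "meeting notes"),
    Snapshot(5.0, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),    # user copies a BTC address
    Snapshot(5.2, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),    # next poll, unchanged
    Snapshot(5.4, "1FfmbHfnpaZjKFvyi1okTjJJusN455paPH"),    # replaced without user action
    Snapshot(30.0, "0xde0B295669a9FD93d5F28D9Ec85E40f4cb697BAe"),  # user copies an ETH address
    Snapshot(90.0, "0x742d35Cc6634C0532925a3b844Bc454e4438f44e"),  # a minute later: legitimate
]

if __name__ == "__main__":
    for t, chain, before, after in detect_clipboard_swaps(EVENTS):
        print(f"t={t:.1f}s {chain} address swapped: {before} -> {after}")
```

Feeding this from a real clipboard poller is the only platform-specific part; the logic itself is the same check a user can do by hand, which is to compare the address actually pasted into the wallet with the one that was copied. Lengthening `max_gap` catches slower clippers at the cost of flagging users who genuinely copy two addresses in a row.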

Frequently Asked Questions (FAQ)

Phishing Campaigns and AI

Q: How are generative AI tools being used in this phishing campaign?
A: Generative AI tools like DeepSite AI and BlackBox AI are being used to create highly convincing replica websites that impersonate legitimate Brazilian government agencies, making it harder for users to distinguish them from real sites.

Q: What specific Brazilian agencies are being impersonated?
A: The phishing campaign impersonates Brazil's State Department of Traffic and the Ministry of Education.

Q: How are attackers increasing the visibility of these phishing sites?
A: Attackers are employing search engine optimization (SEO) poisoning techniques to rank these fake websites higher in search results, thereby increasing their visibility and the likelihood of users finding and interacting with them.

Q: What are some indicators that generative AI was used in creating these phishing sites?
A: Zscaler ThreatLabz observed signs such as overly detailed developer comments, the inclusion of non-functional elements commonly found on genuine websites, and the use of TailwindCSS styling, which are departures from traditional phishing kits.

Q: What kind of sensitive personal data are the phishing pages collecting?
A: The phishing pages are collecting sensitive personal data including CPF numbers (Brazil's taxpayer identification number), taxpayer IDs, and residential addresses.

Q: What are the false pretenses used to trick victims into making payments?
A: Victims are lured into making fraudulent payments for reasons such as fake psychometric or medical exams, or to secure bogus job offers.

Q: How do the attackers validate user information to increase the scam's authenticity?
A: The phishing sites progressively request more information and validate CPF numbers through a backend API controlled by the attackers, adding a layer of perceived legitimacy.

Efimer Trojan and Cryptocurrency Theft

Q: What is the Efimer Trojan and what is its primary function?
A: The Efimer Trojan is a malicious script designed to steal cryptocurrency wallets. It achieves this by intercepting and replacing cryptocurrency wallet addresses that users copy to their clipboard with addresses controlled by the attackers.

Q: How does the Efimer Trojan spread?
A: The Efimer Trojan spreads through various channels, including infected WordPress websites, phishing emails, and malicious torrent files.

Q: What is the tactic used in the phishing emails distributing the Efimer Trojan?
A: The phishing emails impersonate lawyers from major companies, falsely accusing recipients of domain infringement, and contain password-protected ZIP archives with malicious Windows Script Files (WSF) that install the Trojan.

Q: Besides wallet theft, what other capabilities does Efimer have?
A: Efimer can also capture screenshots and execute additional malicious payloads from its command-and-control (C2) server via the TOR network.

Q: What additional features does a second variant of Efimer include?
A: A second variant includes anti-virtual machine (VM) features and scans browsers for cryptocurrency wallet extensions, exfiltrating this data to attackers.

Q: Which countries have been primarily affected by the Efimer Trojan campaign?
A: While Brazil is the primary target, the campaign has also impacted users in India, Spain, Russia, Italy, Germany, the U.K., Canada, France, and Portugal.

Crypto Market AI's Take

The increasing sophistication of phishing campaigns, now amplified by generative AI, presents a significant challenge for cybersecurity. Attackers leveraging tools like DeepSite AI and BlackBox AI demonstrate a growing capability to mimic legitimate entities with remarkable accuracy, making it harder for users to discern genuine communications from fraudulent ones. This trend underscores the critical need for advanced security solutions that can detect AI-generated phishing attempts. Similarly, the spread of malware like the Efimer Trojan, specifically targeting cryptocurrency wallets, highlights the evolving landscape of cyber threats in the digital asset space. The methods used—from sophisticated social engineering in phishing emails to the technical capabilities of clipboard hijacking and browser scraping—show a determined effort to illicitly acquire digital assets. For individuals and businesses operating in the crypto market, staying informed and employing robust security practices, such as using reputable wallet solutions and being vigilant against phishing attempts, is paramount. Our platform focuses on providing users with the tools and insights needed to navigate this complex environment, offering features that can help identify suspicious activities and secure digital assets. For those looking to understand the broader trends in crypto security and AI's role in both offense and defense, exploring our insights on AI Agents in Cybersecurity and our guide to Secure Cryptocurrency Trading can provide valuable context.

More to Read:

For more detailed information, see the original article at The Hacker News.