August 9, 2025
5 min read
The Hacker News
AI Tools Fuel Brazilian Phishing Scam While Efimer Trojan Steals Crypto from 5,000 Victims
Cybersecurity researchers have uncovered a new financially motivated phishing campaign leveraging generative AI-powered website builders like DeepSite AI and BlackBox AI to create convincing replicas of Brazilian government agency websites. The fraudulent sites mimic Brazil's State Department of Traffic and Ministry of Education, tricking unsuspecting users into submitting sensitive personal data and making unauthorized payments through the country's PIX payment system, according to Zscaler ThreatLabz. These phishing pages are artificially boosted using search engine optimization (SEO) poisoning techniques to increase their visibility and likelihood of victim engagement.

"Source code analysis reveals signatures of generative AI tools, such as overly explanatory comments meant to guide developers, non-functional elements typical of authentic websites, and TailwindCSS styling, differing from traditional phishing kits," said Zscaler researchers Jagadeeswar Ramanukolanu, Kartik Dixit, and Yesenia Barajas.

The attackers serve bogus forms designed to collect sensitive information including Cadastro de Pessoas Físicas (CPF) numbers (Brazilian taxpayer IDs) and residential addresses, and then coerce victims into making a one-time payment of 87.40 reals (~$16) via PIX, under false pretenses such as completing psychometric or medical exams or securing job offers. To enhance credibility, the phishing pages progressively request additional data, mimicking legitimate site behavior.

CPF numbers submitted are validated through a backend API controlled by the threat actors, which also auto-fills related personal information on the phishing page. Zscaler noted the attackers may have sourced CPF numbers and user details from data breaches or publicly exposed APIs, using this data to increase the phishing campaign's success.
While these campaigns currently steal relatively small sums, similar tactics could be scaled for far greater damage, Zscaler warned.

Mass Mailing Campaign Distributes Efimer Trojan to Steal Cryptocurrency
In a related development, Brazil has been targeted by a widespread malspam campaign impersonating lawyers from a major company to distribute a malicious script called Efimer, designed to steal victims' cryptocurrency. Russian cybersecurity firm Kaspersky detected this campaign in June 2025, with the malware's earliest versions dating back to October 2024 and spreading through infected WordPress websites. The emails falsely claimed the recipient's domain infringed on the sender's rights, researchers Vladimir Gursky and Artem Ushkov explained.

Efimer propagates by compromising WordPress sites, hosting malicious files on them, and using torrents as distribution vectors. It communicates with its command-and-control (C2) server over the Tor network and can extend its capabilities with scripts that brute-force WordPress passwords and harvest email addresses for future spam campaigns.

The infection chain involves emails containing ZIP archives with password-protected files. When opened, a malicious Windows Script File (WSF) installs Efimer by saving two files, "controller.js" (the trojan) and "controller.xml," and schedules tasks on the victim's machine so the script is re-launched persistently.

"controller.js" acts as clipper malware, replacing cryptocurrency wallet addresses copied to the clipboard with attacker-controlled addresses. It can also capture screenshots and execute additional payloads from the C2 server via a Tor proxy client installed on the infected system.

Kaspersky also identified a second Efimer variant with anti-virtual machine features that scans browsers like Google Chrome and Brave for cryptocurrency wallet extensions (Atomic, Electrum, Exodus, etc.) and exfiltrates data back to the attackers. Telemetry estimates over 5,000 users have been impacted, primarily in Brazil, followed by India, Spain, Russia, Italy, Germany, the UK, Canada, France, and Portugal.
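The clipper behaviour described above has a simple detection signature: the user copies a wallet address, and shortly afterwards the clipboard holds a different address of the same chain although the user copied nothing new. The following is an added example (not code from the article, Kaspersky, or the Efimer sample) showing that check run over a constructed log of clipboard events. The event format, the `user_copy` / `clipboard_read` source labels, and the address regexes are assumptions for illustration; the regexes are format checks only and do no checksum validation.

```python
import re
from dataclasses import dataclass

# Format-only patterns for chains a clipper commonly targets (assumed set).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:bc1[a-z0-9]{25,87}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "xmr": re.compile(r"^[48][0-9A-Za-z]{94}$"),
}


@dataclass
class ClipEvent:
    ts: float     # seconds since monitoring started
    source: str   # "user_copy" (copy hotkey/menu observed) or "clipboard_read" (periodic sample)
    text: str


def classify_address(text):
    """Return the chain name if text looks like a wallet address, else None."""
    s = text.strip()
    for chain, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return chain
    return None


def detect_clipper_swaps(events):
    """Flag clipboard samples where a user-copied address was silently
    replaced by a different address of the same chain."""
    alerts = []
    last_user_value = None
    last_user_ts = None
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.source == "user_copy":
            last_user_value = ev.text.strip()
            last_user_ts = ev.ts
            continue
        if ev.source != "clipboard_read" or last_user_value is None:
            continue
        current = ev.text.strip()
        if current == last_user_value:
            continue
        copied_chain = classify_address(last_user_value)
        current_chain = classify_address(current)
        # A legitimate app may overwrite the clipboard with arbitrary text;
        # only an address-for-address substitution on the same chain is flagged.
        if copied_chain is not None and current_chain == copied_chain:
            alerts.append({
                "chain": copied_chain,
                "copied": last_user_value,
                "observed": current,
                "seconds_after_copy": ev.ts - last_user_ts,
            })
    return alerts


# Constructed sample log: two swaps (BTC, ETH) and two benign sequences.
USER_BTC = "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"
SWAPPED_BTC = "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"
USER_ETH = "0x" + "ab" * 20
SWAPPED_ETH = "0x" + "deadbeef" * 5

SAMPLE_EVENTS = [
    ClipEvent(0.0, "user_copy", USER_BTC),
    ClipEvent(0.5, "clipboard_read", SWAPPED_BTC),   # swapped within half a second
    ClipEvent(5.0, "user_copy", "invoice 42"),
    ClipEvent(5.5, "clipboard_read", "invoice 42"),  # unchanged, benign
    ClipEvent(9.0, "user_copy", USER_ETH),
    ClipEvent(9.5, "clipboard_read", USER_ETH),      # unchanged, benign
    ClipEvent(12.0, "user_copy", USER_ETH),
    ClipEvent(12.4, "clipboard_read", SWAPPED_ETH),  # swapped
]

if __name__ == "__main__":
    for alert in detect_clipper_swaps(SAMPLE_EVENTS):
        print(f"[{alert['chain']}] {alert['copied']} -> {alert['observed']} "
              f"({alert['seconds_after_copy']:.1f}s after copy)")
```

On a real endpoint the `clipboard_read` events would come from periodic sampling of the clipboard (for example via the Win32 clipboard API) and `user_copy` events from a keyboard or menu hook; both collectors are outside this example. The check deliberately ignores non-address clipboard changes, since many legitimate applications write to the clipboard without user action.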
Efimer's primary goal is to steal and swap cryptocurrency wallets, but it also compromises WordPress sites and distributes spam, creating a persistent malicious infrastructure, the researchers said. The campaign targets both individual users (using torrent bait for popular movies) and corporate environments (sending false infringement claims).

Frequently Asked Questions (FAQ)
Phishing Scams and AI
Q: How are AI tools being used in phishing attacks?
A: AI tools like DeepSite AI and BlackBox AI are being used to create highly convincing replicas of legitimate websites, making it harder for users to distinguish between real and fraudulent sites. Generative AI can also be used to craft more persuasive phishing messages.

Q: What are SEO poisoning techniques used in phishing?
A: SEO poisoning involves manipulating search engine results to push malicious or phishing websites higher in search rankings. This increases the visibility of fraudulent sites, making them more likely to be discovered by unsuspecting users.

Q: What sensitive information is being collected in these phishing scams?
A: Scammers are collecting sensitive personal data such as CPF numbers (Brazilian taxpayer IDs), residential addresses, and financial details, often by tricking users into making payments through systems like PIX.

The Efimer Trojan
Q: What is the Efimer Trojan and what does it do?
A: The Efimer Trojan is a piece of malware distributed through malspam campaigns. Its primary function is to steal cryptocurrency by replacing legitimate cryptocurrency wallet addresses with those controlled by the attackers (clipper malware).

Q: How is the Efimer Trojan spread?
A: Efimer is spread through mass mailing (malspam) campaigns, often impersonating legitimate entities like lawyers. It also propagates by compromising WordPress websites and utilizing torrents for distribution.

Q: What are the advanced capabilities of the Efimer Trojan?
A: Beyond its clipper functionality, Efimer can also capture screenshots, execute additional payloads, brute-force WordPress passwords, and harvest email addresses for future spam campaigns. One variant specifically targets browser extensions for cryptocurrency wallets.

Q: How many people have been affected by the Efimer Trojan?
A: Telemetry suggests that over 5,000 users have been impacted by the Efimer Trojan, with a primary focus on Brazil but also affecting users in India, Spain, Russia, Italy, Germany, the UK, Canada, France, and Portugal.

Crypto Market AI's Take
The convergence of advanced AI in cybersecurity and the persistent threat of cryptocurrency theft highlights a critical need for robust digital defenses. This report underscores how sophisticated generative AI tools are being weaponized to enhance phishing campaigns, making them more convincing and harder to detect. Simultaneously, the Efimer Trojan demonstrates the ongoing evolution of malware targeting digital assets, utilizing techniques like clipboard hijacking and Tor network communication for stealth.

At Crypto Market AI, we are at the forefront of leveraging AI for enhanced security and market intelligence. Our platform's focus on advanced analytics and secure trading environments aims to equip users with the tools necessary to navigate the complex and often dangerous digital asset landscape. Understanding these threats is the first step in safeguarding your assets. For those looking to deepen their knowledge of cryptocurrency security and trading best practices, our resources on AI-driven trading strategies and secure digital asset management offer valuable insights.

More to Read:
- AI Tools Revolutionize Phishing Scams: Deepfake Voices and Generative Text
- The Rise of AI-Powered Malware: Protecting Your Digital Assets
- Navigating Cryptocurrency Scams: A Guide to Staying Safe
Source: Originally published by The Hacker News on August 8, 2025.