AI Tools Fuel Brazilian Phishing Scam While Efimer Trojan Steals Crypto from 5,000 Victims

AI tools enable Brazilian phishing scams mimicking government sites, while Efimer Trojan steals crypto from 5,000+ victims globally.

August 8, 2025
5 min read
The Hacker News
Cybersecurity researchers have uncovered a new financially motivated campaign leveraging generative AI-powered website builders such as DeepSite AI and BlackBox AI to create convincing phishing pages impersonating Brazilian government agencies. The attackers have replicated websites of Brazil's State Department of Traffic and Ministry of Education to deceive users into making fraudulent payments via Brazil's PIX payment system. These fake sites are boosted through SEO poisoning techniques to increase their visibility and lure more victims, according to Zscaler ThreatLabz.

Analysis of the phishing pages revealed telltale signs of generative AI use, including overly detailed developer comments, non-functional elements typical of real websites, and TailwindCSS styling—distinct from traditional phishing kits. The attackers aim to collect sensitive personal data such as Cadastro de Pessoas Físicas (CPF) numbers, taxpayer IDs, and residential addresses.

Victims are tricked into paying 87.40 reals (~$16) via PIX under false pretenses like completing psychometric or medical exams or securing job offers. The phishing sites progressively request more information, mimicking legitimate site behavior, and validate CPF numbers through a backend API controlled by the attackers. Zscaler noted that attackers might have sourced CPF numbers and user details from data breaches or publicly exposed APIs to enhance the phishing pages' credibility. While current financial theft amounts are relatively small, the campaign's techniques could enable more damaging attacks in the future.

In a related threat, Brazil is also targeted by a malspam campaign distributing the Efimer Trojan, which steals cryptocurrency wallets. Detected by Kaspersky in June 2025, this malware has been active since October 2024 and spreads via infected WordPress sites and malicious email attachments. The campaign impersonates lawyers from a major company, falsely claiming domain infringement to lure victims.

The malware propagates through compromised WordPress sites, malicious torrents, and email spam. Efimer communicates with its command-and-control (C2) server over the Tor network and can extend its capabilities with scripts that brute-force WordPress passwords and harvest email addresses for further spam campaigns.

Infected emails contain password-protected ZIP files with malicious Windows Script Files (WSF). When executed, these scripts install Efimer components, including "controller.js," a clipper malware that replaces cryptocurrency wallet addresses copied to the clipboard with attacker-controlled addresses. It can also take screenshots and execute additional payloads from the C2 server. A second version of Efimer includes anti-virtual machine features and scans browsers like Chrome and Brave for crypto wallet extensions such as Atomic, Electrum, and Exodus, exfiltrating data back to the attackers.

Kaspersky estimates over 5,000 users have been impacted, primarily in Brazil but also in India, Spain, Russia, Italy, Germany, the UK, Canada, France, and Portugal. The malware targets both individual users and corporate environments, using torrent files as bait for individuals and legal threats for companies. This dual-threat landscape highlights the evolving tactics cybercriminals employ, combining AI-driven phishing with sophisticated malware to exploit cryptocurrency users.
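The clipper behaviour described above (a copied wallet address silently replaced by an attacker's address) as an added example that is not from the article, Zscaler or Kaspersky: a small Python check showing why validating the address alone does not catch the swap, since the substituted address is itself well-formed with a correct Base58Check checksum, and how comparing the clipboard against what the user actually copied does. The two Bitcoin addresses used in the test are widely published example addresses, not indicators from this campaign, and the guard's clipboard events are simulated rather than read from the operating system.

```python
import hashlib
import re

# Address shapes a clipboard clipper swaps: Base58Check Bitcoin (1.../3...) and hex Ethereum.
BTC_RE = re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$")
ETH_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def address_kind(text):
    """Classify a string as 'btc', 'eth' or None (not a wallet address)."""
    if text is None:
        return None
    if BTC_RE.match(text):
        return "btc"
    if ETH_RE.match(text):
        return "eth"
    return None


def base58check_valid(addr):
    """True if a legacy Bitcoin address carries a correct Base58Check checksum."""
    n = 0
    for ch in addr:
        if ch not in B58:
            return False
        n = n * 58 + B58.index(ch)
    try:
        # version(1) + hash160(20) + checksum(4); leading '1' chars pad as 0x00 bytes
        raw = n.to_bytes(25, "big")
    except OverflowError:
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


class ClipboardGuard:
    """Remembers what the user deliberately copied and checks the clipboard before a paste."""

    def __init__(self):
        self.copied = None

    def on_user_copy(self, text):
        self.copied = text.strip()

    def check_before_paste(self, clipboard_now):
        """'ok' if unchanged, 'SUSPECT' if one wallet address became another of the same kind."""
        current = clipboard_now.strip()
        if current == self.copied:
            return "ok"
        kind = address_kind(current)
        if kind is not None and kind == address_kind(self.copied):
            return "SUSPECT"
        return "changed"
```

Both the genuine and the swapped-in address pass `base58check_valid`, so the only reliable signal is the mismatch between the remembered copy and the current clipboard.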

Frequently Asked Questions (FAQ)

AI in Cybersecurity Threats

Q: How are generative AI tools being used in the latest phishing campaigns?
A: Generative AI tools like DeepSite AI and BlackBox AI are being used to create highly convincing phishing pages that mimic legitimate websites, making it harder for users to distinguish them from real ones.

Q: What specific Brazilian government agencies were impersonated in the phishing campaign?
A: The phishing pages impersonated Brazil's State Department of Traffic and the Ministry of Education.

Q: What payment system were the attackers targeting in Brazil?
A: The attackers were targeting Brazil's PIX payment system for fraudulent payments.

Q: Besides impersonating government agencies, what other methods are used to boost the visibility of phishing sites?
A: Attackers are using SEO poisoning techniques to increase the visibility of these phishing sites.

Q: What kind of sensitive information are the attackers trying to steal?
A: They are trying to collect sensitive personal data such as Cadastro de Pessoas Físicas (CPF) numbers, taxpayer IDs, and residential addresses.

Q: What is the Efimer Trojan, and what is its primary function?
A: The Efimer Trojan is a malware that steals cryptocurrency wallets. It spreads through infected WordPress sites and malicious email attachments.

Q: How does the Efimer Trojan replace cryptocurrency wallet addresses?
A: It uses a clipper malware component that intercepts and replaces cryptocurrency wallet addresses copied to the clipboard with addresses controlled by the attackers.

Q: What additional capabilities does the second version of the Efimer Trojan possess?
A: The second version includes anti-virtual machine features and scans browsers for crypto wallet extensions to exfiltrate data.

Crypto Market AI's Take

The increasing sophistication of phishing and malware campaigns, particularly those leveraging AI, underscores the critical need for robust cybersecurity measures in the digital asset space. As cybercriminals adapt to new technologies, so too must individuals and platforms like ours prioritize security. Our platform is dedicated to providing users with secure and informed trading experiences, offering features that help mitigate risks. Understanding these evolving threats is crucial for protecting your digital assets. For insights into safeguarding your cryptocurrency, explore our guides on crypto security best practices.

Source: AI Tools Fuel Brazilian Phishing Scam While Efimer Trojan Steals Crypto from 5,000 Victims