AI Tools Fuel Brazilian Phishing Scam While Efimer Trojan Steals Crypto from 5,000 Victims

AI tools enable phishing scams mimicking Brazilian agencies while Efimer Trojan steals crypto from over 5,000 victims worldwide.

August 8, 2025
5 min read
The Hacker News
Cybersecurity researchers have uncovered a sophisticated campaign leveraging generative AI-powered website builders such as DeepSite AI and BlackBox AI to create convincing phishing sites impersonating Brazilian government agencies. These sites target unsuspecting users to steal sensitive data and illicitly collect payments via Brazil's PIX payment system.

The attackers have replicated websites of Brazil's State Department of Traffic and Ministry of Education, using SEO poisoning techniques to boost their search engine rankings and increase victim reach, according to Zscaler ThreatLabz. Source code analysis reveals signatures of generative AI tools, such as overly explanatory comments meant to guide developers, non-functional elements typical of authentic websites, and TailwindCSS styling, differing from traditional phishing kits.

The phishing pages progressively collect sensitive personal information, including Cadastro de Pessoas Físicas (CPF) numbers, taxpayer IDs, and residential addresses. Victims are then tricked into making a one-time payment of 87.40 reals (~$16) via PIX under false pretenses such as completing psychometric or medical exams or securing job offers.

To enhance credibility, the attackers validate CPF numbers through a backend API they control, which auto-fills victim data on the phishing forms. Zscaler notes this data may have been sourced from prior breaches or public APIs with leaked authentication keys. While these campaigns currently steal relatively small sums, they demonstrate how AI-powered phishing can scale and cause greater damage.

Efimer Trojan Mass Mailing Campaign Steals Cryptocurrency

In a related threat, Brazil is also targeted by a mass mailing campaign distributing the Efimer Trojan, a malicious script designed to steal cryptocurrency wallets. Detected by Russian cybersecurity firm Kaspersky in June 2025, Efimer has been active since October 2024 and spreads via infected WordPress sites and malicious email attachments.

The campaign impersonates lawyers from a major company, falsely accusing recipients of domain infringement to lure victims into opening password-protected ZIP archives containing malicious Windows Script Files (WSF). When executed, these scripts install Efimer on the victim's machine.

Efimer installs a scheduled task and drops "controller.js," a clipper malware that replaces copied cryptocurrency wallet addresses with attacker-controlled ones. It also captures screenshots and can execute additional payloads via the TOR network. A second Efimer variant includes anti-virtual machine features and scans browsers like Chrome and Brave for wallet extensions such as Atomic, Electrum, and Exodus, exfiltrating data back to the attackers.

Kaspersky estimates over 5,000 users have been impacted, primarily in Brazil but also in India, Spain, Russia, Italy, Germany, the UK, Canada, France, and Portugal. Efimer not only steals and swaps crypto wallets but also compromises WordPress sites to distribute spam, enabling a persistent malicious infrastructure. The Trojan targets both individual users—using torrent files as bait—and corporate environments by sending fraudulent legal claims.
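As an added defensive example (not from the article, Zscaler or Kaspersky): the Efimer lures arrive as password-protected ZIP archives, but ZIP encryption covers only entry contents; file names and the per-entry encryption flag sit in the plaintext central directory, so a mail gateway can still flag a .wsf inside an encrypted archive. The extension list is an assumed policy, and the archive is hand-built because Python's zipfile cannot write encrypted ZIPs.

```python
"""Flag script files inside a ZIP attachment even when it is password-protected.
ZIP encryption protects entry *contents* only; the central directory (names,
flags) is plaintext, so a gateway can still see a .wsf in an encrypted archive."""
import io
import posixpath
import struct
import zipfile

# Assumed policy list: .wsf is the extension the Efimer lure uses, the rest are
# common Windows script types a gateway would usually block alongside it.
SCRIPT_EXTENSIONS = {".wsf", ".js", ".jse", ".vbs", ".vbe", ".hta"}


def build_zip(names, encrypted=False):
    """Hand-assemble a minimal STORED zip (constructed test data) so the
    encryption flag can be set; zipfile cannot write encrypted archives.
    Entry payloads are dummy bytes: only the metadata is inspected later."""
    flags = 0x1 if encrypted else 0x0                 # bit 0 = entry encrypted
    dos_date = ((2025 - 1980) << 9) | (8 << 5) | 8    # 2025-08-08, constructed
    local, central, offset = b"", b"", 0
    for name in names:
        raw, data = name.encode(), b"\x00" * 20
        hdr = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, dos_date,
                          0, len(data), len(data), len(raw), 0)
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags,
                               0, 0, dos_date, 0, len(data), len(data), len(raw),
                               0, 0, 0, 0, 0, offset) + raw
        local += hdr + raw + data
        offset += len(hdr) + len(raw) + len(data)
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(names), len(names),
                       len(central), len(local), 0)
    return local + central + eocd


def script_entries(zip_bytes):
    """Return (name, is_encrypted) for every script-like entry. Works on
    password-protected zips because names are never encrypted."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            ext = posixpath.splitext(info.filename)[1].lower()
            if ext in SCRIPT_EXTENSIONS:
                findings.append((info.filename, bool(info.flag_bits & 0x1)))
    return findings


if __name__ == "__main__":
    lure = build_zip(["Infringement_Claim.wsf"], encrypted=True)  # constructed
    print(script_entries(lure))  # [('Infringement_Claim.wsf', True)]
```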

Frequently Asked Questions (FAQ)

AI-Powered Phishing Scams

Q: How are AI tools being used in the Brazilian phishing scam?

A: AI tools like DeepSite AI and BlackBox AI are being used to create highly convincing phishing websites that mimic legitimate Brazilian government agencies. These tools help in generating realistic website layouts, content, and even code structures, making it harder for users to distinguish them from genuine sites.

Q: What kind of information are these phishing scams trying to steal?

A: The phishing scams are designed to steal sensitive personal information, including Cadastro de Pessoas Físicas (CPF) numbers, taxpayer IDs, and residential addresses. They also aim to illicitly collect payments through Brazil's PIX payment system under false pretenses.

Q: How do the attackers increase the credibility of their phishing sites?

A: Attackers enhance credibility by using SEO poisoning to improve search engine rankings, leading to wider reach. They also employ a backend API to validate CPF numbers, which auto-fills victim data on the phishing forms, creating a sense of legitimacy.

The Efimer Trojan and Cryptocurrency Theft

Q: What is the Efimer Trojan and how does it operate?

A: The Efimer Trojan is a malicious script designed to steal cryptocurrency wallets. It spreads through compromised WordPress sites and malicious email attachments, often impersonating legal entities to trick victims into executing malicious Windows Script Files (WSF).

Q: How does Efimer steal cryptocurrency?

A: Efimer installs clipper malware that intercepts and replaces copied cryptocurrency wallet addresses with attacker-controlled ones. It also captures screenshots and can download additional malicious payloads via the TOR network. Some variants are designed to scan browser extensions for wallet data.

Q: How many victims have been affected by the Efimer Trojan?

A: Kaspersky estimates that over 5,000 users have been impacted by the Efimer Trojan campaign, primarily in Brazil, but also across several other countries.

Q: What is the significance of Efimer compromising WordPress sites?

A: By compromising WordPress sites, Efimer not only distributes its malware but also establishes a persistent malicious infrastructure that can be used for various nefarious purposes, including spam distribution.

Crypto Market AI's Take

This report highlights a concerning trend in cybercrime: the increasing sophistication of phishing and malware campaigns driven by readily available AI tools. The ability of generative AI to quickly create realistic phishing websites, coupled with malware like the Efimer Trojan capable of systematically stealing cryptocurrency, poses a significant threat to individuals and businesses alike. For those looking to secure their digital assets and stay informed about evolving threats, understanding the landscape of AI-powered cyberattacks is crucial. Our platform offers insights into AI-driven cybersecurity trends and provides tools to help safeguard your investments.

Source: Originally published at The Hacker News on August 8, 2025.