August 8, 2025
5 min read
The Hacker News
AI Tools Fuel Brazilian Phishing Scam While Efimer Trojan Steals Crypto from 5,000 Victims
Cybersecurity researchers have uncovered a sophisticated campaign leveraging generative artificial intelligence (AI) tools to create phishing websites that impersonate Brazilian government agencies. These sites trick users into divulging sensitive information and making fraudulent payments via Brazil's PIX payment system.

The attackers use legitimate AI-powered website builders such as DeepSite AI and BlackBox AI to generate convincing replica sites mimicking Brazil's State Department of Traffic and Ministry of Education. These phishing pages are artificially boosted through search engine optimization (SEO) poisoning to increase their visibility and lure more victims, according to Zscaler ThreatLabz.

"Source code analysis reveals signatures of generative AI tools, such as overly explanatory comments meant to guide developers, non-functional elements that would typically work on an authentic website, and trends like TailwindCSS styling, which is different from the traditional phishing kits used by threat actors," said Zscaler researchers Jagadeeswar Ramanukolanu, Kartik Dixit, and Yesenia Barajas.

The fraudulent sites present fake forms to collect personal data including Cadastro de Pessoas Físicas (CPF) numbers, Brazilian taxpayer IDs, and residential addresses. Victims are then coerced into making a one-time payment of 87.40 reals (approximately $16) via PIX under false pretenses such as completing a psychometric or medical exam or securing a job offer.

To enhance credibility, the phishing pages progressively request information in stages, mimicking real government websites. The attackers also validate CPF numbers through a backend API they control, which auto-fills the phishing forms with data linked to the CPF. Zscaler notes it is possible the attackers obtained CPF numbers and other user details from previous data breaches or publicly exposed APIs, which they then use to increase the legitimacy of their phishing attempts.
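The Zscaler indicators above (dense explanatory comments, non-functional links, TailwindCSS utility classes, CPF collection and a PIX lure) can be turned into a simple triage heuristic for suspected phishing pages. The following is an added example, not Zscaler's tooling or code from the campaign; the thresholds and the sample HTML are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Heuristics are assumptions for illustration, not Zscaler's detection logic.
TAILWIND_CLASS = re.compile(
    r"\b(?:flex|grid|px-\d|py-\d|text-\w+-\d{3}|bg-\w+-\d{3}|rounded(?:-\w+)?)\b")
CPF_FIELD = re.compile(r"cpf", re.I)
PIX_TEXT = re.compile(r"\bpix\b", re.I)
DEAD_HREFS = {"", "#", "javascript:void(0)"}


class PageStats(HTMLParser):
    """Collect counts of the indicators Zscaler described while parsing."""

    def __init__(self):
        super().__init__()
        self.tags = self.comments = self.tailwind_classes = 0
        self.dead_links = self.cpf_inputs = 0
        self.text = []

    def handle_starttag(self, tag, attrs):
        self.tags += 1
        a = dict(attrs)
        self.tailwind_classes += len(TAILWIND_CLASS.findall(a.get("class") or ""))
        if tag == "a" and (a.get("href") or "").strip() in DEAD_HREFS:
            self.dead_links += 1  # link that leads nowhere: non-functional element
        labels = " ".join(filter(None, [a.get("name"), a.get("id"), a.get("placeholder")]))
        if tag == "input" and CPF_FIELD.search(labels):
            self.cpf_inputs += 1

    def handle_comment(self, data):
        self.comments += 1

    def handle_data(self, data):
        self.text.append(data)


def score_page(html):
    """Return a dict of indicator name -> bool for one HTML document."""
    p = PageStats()
    p.feed(html)
    return {
        "tailwind_styling": p.tailwind_classes >= 5,
        "explanatory_comments": p.tags > 0 and p.comments / p.tags >= 0.1,
        "non_functional_links": p.dead_links >= 3,
        "cpf_collection": p.cpf_inputs >= 1,
        "pix_payment_lure": bool(PIX_TEXT.search(" ".join(p.text))),
    }


def is_suspicious(html, threshold=3):
    """Flag a page when at least `threshold` indicators fire (assumed cutoff)."""
    return sum(score_page(html).values()) >= threshold
```

Run `score_page` over a saved copy of a page to see which indicators fired; a benign site with real navigation and no CPF/PIX form should trip none of them.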
"While these phishing campaigns are currently stealing relatively small amounts of money from victims, similar attacks can be used to cause far more damage," Zscaler warned.

Efimer Trojan Mass Mailing Campaign Steals Cryptocurrency
In a related development, Brazil has been targeted by a mass mailing campaign distributing a malicious script called Efimer, designed to steal cryptocurrency from victims. Russian cybersecurity firm Kaspersky detected this campaign in June 2025, with early versions of the malware traced back to October 2024 and spread via compromised WordPress websites.

The phishing emails impersonate lawyers from a major company, falsely claiming the recipient's domain infringes on the sender's rights. The emails contain password-protected ZIP archives that, when opened, execute a Windows Script File (WSF) that infects the system with Efimer.

Efimer propagates through infected WordPress sites, email, and malicious torrent files. It communicates with its command-and-control (C2) server over the TOR network and can extend its capabilities by downloading additional scripts. These scripts can brute-force WordPress passwords and harvest email addresses for future spam campaigns.

The malware installs a TOR proxy client and includes a clipper component that replaces cryptocurrency wallet addresses copied to the clipboard with addresses controlled by the attacker. It can also capture screenshots and execute further payloads received from the C2 server. Kaspersky also identified a second Efimer variant with anti-virtual machine (VM) features that scans browsers like Google Chrome and Brave for cryptocurrency wallet extensions such as Atomic, Electrum, and Exodus, exfiltrating the data back to the attackers.

Based on telemetry, the campaign has impacted over 5,000 users, primarily in Brazil but also in India, Spain, Russia, Italy, Germany, the U.K., Canada, France, and Portugal. "While its primary goal is to steal and swap cryptocurrency wallets, it can also leverage additional scripts to compromise WordPress sites and distribute spam," the researchers explained. "This allows it to establish a complete malicious infrastructure and spread to new devices."
The campaign targets both individual users and corporate environments, using torrent files as bait for individuals and legal threats for companies.

Frequently Asked Questions (FAQ)
What are the key AI tools used in this phishing scam?
The phishing campaign reportedly utilizes legitimate AI-powered website builders like DeepSite AI and BlackBox AI to create convincing fake government websites.

How do these AI-powered phishing sites operate?
These sites mimic official Brazilian government agencies, presenting fake forms to collect sensitive personal data such as CPF numbers and addresses. They then trick victims into making fraudulent PIX payments under false pretenses.

What is the Efimer Trojan and what does it do?
Efimer is a malicious script distributed via mass mailing campaigns. Its primary function is to steal cryptocurrency by replacing legitimate wallet addresses with attacker-controlled ones when users copy them to their clipboard. It can also harvest email addresses and brute-force WordPress passwords.

How is Efimer distributed?
Efimer spreads through various channels, including infected WordPress websites, phishing emails, and malicious torrent files.

What kind of personal information is being targeted by the phishing scams?
The phishing scams aim to steal sensitive personal data including Cadastro de Pessoas Físicas (CPF) numbers, Brazilian taxpayer IDs, and residential addresses.

How are the phishing sites made more credible?
The attackers enhance credibility by requesting information in stages, mimicking authentic government websites, and by using a backend API to validate CPF numbers and auto-fill phishing forms.

What is "SEO poisoning" in the context of these scams?
SEO poisoning is used to artificially increase the visibility of the phishing websites in search engine results, thereby luring more unsuspecting victims.

What is the monetary impact on victims?
While individual fraudulent payments are relatively small (around $16), the campaign's sophistication and scale suggest a significant potential for broader financial damage.

How many victims have been affected by the Efimer Trojan?
Kaspersky's telemetry indicates that over 5,000 users have been impacted by the Efimer Trojan campaign, primarily in Brazil but also across several other countries.

Crypto Market AI's Take
This report highlights a concerning trend where generative AI is being weaponized to create more sophisticated and convincing phishing attacks, alongside malware like the Efimer Trojan that directly targets cryptocurrency. The use of AI in phishing campaigns, particularly for impersonating government entities and leveraging tactics like SEO poisoning, demonstrates a growing sophistication in cybercrime. This underscores the critical need for advanced cybersecurity measures and heightened user awareness. As AI becomes more integrated into our digital lives, understanding its potential for misuse is paramount. For those looking to navigate the cryptocurrency landscape safely, staying informed about the latest security threats and best practices is essential. Our platform focuses on providing AI-powered market intelligence and secure trading solutions to help users protect their assets and make informed decisions in an evolving digital economy.