August 9, 2025
5 min read
The Hacker News
AI Tools Fuel Brazilian Phishing Scam While Efimer Trojan Steals Crypto from 5,000 Victims
Cybersecurity researchers have uncovered a campaign that uses generative AI website builders such as DeepSite AI and BlackBox AI to produce convincing phishing pages impersonating Brazilian government agencies. The financially motivated operation mimics Brazil's State Department of Traffic and Ministry of Education and tricks visitors into making unauthorized payments through PIX, Brazil's instant payment system. The pages are pushed up in search results through search engine optimization (SEO) poisoning to increase their reach and success rate.

Zscaler ThreatLabz researchers Jagadeeswar Ramanukolanu, Kartik Dixit, and Yesenia Barajas noted that the sites carry the hallmarks of generative AI output: overly explanatory developer comments, non-functional placeholder elements of the kind found on genuine sites, and TailwindCSS styling, none of which is typical of traditional phishing kits. The sites harvest personal data including Cadastro de Pessoas Físicas (CPF) numbers (Brazilian taxpayer IDs), residential addresses, and more. Victims are then pressured into a one-time PIX payment of 87.40 Brazilian reais (about $16) under pretexts such as completing a psychometric or medical exam or securing a job offer. To build credibility, the pages request additional information step by step, mirroring the flow of a legitimate government site, and each submitted CPF is checked against a backend API controlled by the attackers, which automatically populates the page with data linked to that CPF.
Zscaler suspects the attackers sourced the CPF numbers and associated personal details from prior data breaches or publicly exposed APIs, and use them to make the phishing flow look legitimate. "While these phishing campaigns are currently stealing relatively small amounts of money from victims, similar attacks can be used to cause far more damage," Zscaler warned.
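As an added illustration, not code from the article or from Zscaler, the following Python script scores a page's HTML against the traits the researchers list: verbose developer comments, Tailwind styling, dead placeholder links, and a form that collects a CPF or PIX detail. The regexes, the six-word comment threshold and the "two stylistic signals plus a sensitive field" rule are my own assumptions, and both sample pages are constructed for the example rather than captured from the campaign.

```python
import re

# Heuristics derived from the traits described above. The patterns and the
# "two stylistic signals plus a sensitive field" threshold are assumptions
# for this example, not a published detection rule.
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
TAILWIND_CDN_RE = re.compile(r"cdn\.tailwindcss\.com", re.I)
# One hit per class attribute that contains a common Tailwind utility token.
TAILWIND_CLASS_RE = re.compile(
    r'class="[^"]*\b(?:flex|grid|rounded(?:-\w+)?|p[xy]-\d|bg-\w+-\d{3}|text-\w+-\d{3})\b'
)
DEAD_LINK_RE = re.compile(r'href="(?:#|javascript:void\(0\);?)"', re.I)
# Form fields whose name, id or placeholder asks for a CPF, a PIX key or a password.
SENSITIVE_FIELD_RE = re.compile(
    r'<input[^>]*(?:name|id|placeholder)="[^"]*\b(?:cpf|pix|senha)\b', re.I
)


def score_page(html):
    """Return per-signal counts plus a verdict for a single HTML document."""
    comments = COMMENT_RE.findall(html)
    signals = {
        # A comment of six or more words is treated as "explanatory".
        "explanatory_comments": sum(1 for c in comments if len(c.split()) >= 6),
        "tailwind_cdn": int(bool(TAILWIND_CDN_RE.search(html))),
        "tailwind_classes": len(TAILWIND_CLASS_RE.findall(html)),
        "dead_links": len(DEAD_LINK_RE.findall(html)),
        "sensitive_fields": len(SENSITIVE_FIELD_RE.findall(html)),
    }
    style_hits = sum(
        1 for k in ("explanatory_comments", "tailwind_cdn", "tailwind_classes", "dead_links")
        if signals[k] > 0
    )
    # Styling alone is not evidence: plenty of legitimate sites use Tailwind.
    # Flag only when the page also asks for sensitive data.
    signals["verdict"] = (
        "suspicious" if signals["sensitive_fields"] and style_hits >= 2 else "unflagged"
    )
    return signals


# Constructed sample page for this example (not a capture from the campaign).
SAMPLE_PAGE = """<!DOCTYPE html>
<html lang="pt-BR">
<head>
  <!-- Load Tailwind CSS from the CDN so the page is styled without a build step -->
  <script src="https://cdn.tailwindcss.com"></script>
  <title>Agendamento de Exame Psicotecnico</title>
</head>
<body class="bg-gray-100">
  <!-- Main container: centers the form card on the page and adds padding -->
  <div class="flex justify-center px-4">
    <form action="/validar" method="post" class="rounded-lg bg-white p-6">
      <input name="cpf" placeholder="Digite seu CPF" class="rounded border px-3">
      <button class="bg-blue-600 text-white rounded px-4">Consultar</button>
    </form>
  </div>
  <!-- Footer links are placeholders; they do not navigate anywhere yet -->
  <a href="#">Acessibilidade</a> <a href="#">Ouvidoria</a> <a href="javascript:void(0)">Ajuda</a>
</body>
</html>"""

# Constructed benign page with none of the traits.
BENIGN_PAGE = '<html><body><form><input name="q"></form><a href="/sobre">Sobre</a></body></html>'

if __name__ == "__main__":
    for name, page in (("sample", SAMPLE_PAGE), ("benign", BENIGN_PAGE)):
        print(name, score_page(page))
```

Run over a crawl of SEO-poisoned results, a scorer like this is a triage filter, not a verdict: the Tailwind and comment signals only separate AI-built pages from hand-written kits, and the sensitive-field check is what ties the page to data theft.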
Mass Mailing Campaign Distributes Efimer Trojan to Steal Cryptocurrency
In a related development, Brazil has been targeted by a malspam campaign that impersonates lawyers from a major company to distribute a malicious script called Efimer, which is designed to steal cryptocurrency. Russian cybersecurity firm Kaspersky detected the campaign in June 2025 and traced the malware back to October 2024, when it was being spread through compromised WordPress websites. Researchers Vladimir Gursky and Artem Ushkov said the emails falsely accuse recipients of infringing on a domain name to lure them into opening the attachment.

Efimer propagates through infected WordPress sites, email attachments, and malicious torrent files, and communicates with its command-and-control (C2) server over the Tor network. The emails carry a ZIP archive containing password-protected files; when the victim opens it with the password supplied in the message, a malicious Windows Script File (WSF) runs and installs Efimer while a fake error message distracts the user. The installer drops two files, "controller.js" (the trojan itself) and "controller.xml," and creates a scheduled task from the XML definition, a common persistence mechanism. "controller.js" acts as clipper malware: it watches the clipboard and replaces any cryptocurrency wallet address it finds with an attacker-controlled address, so a payment the victim pastes goes to the attacker. It can also capture screenshots and run additional payloads received from the C2 server. A second version adds anti-virtual-machine (VM) checks and scans browsers such as Google Chrome and Brave for cryptocurrency wallet extensions including Atomic, Electrum, and Exodus, exfiltrating their data to the C2 server.
Kaspersky estimates that more than 5,000 users have been affected, with infections concentrated in Brazil, India, Spain, Russia, Italy, Germany, the U.K., Canada, France, and Portugal. "While its primary goal is to steal and swap cryptocurrency wallets, Efimer can also compromise WordPress sites and distribute spam, enabling it to build a malicious infrastructure and spread further," the researchers noted. The campaign targets both individual users and corporate environments, using torrent files as bait for individuals and legal infringement claims to target companies.
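Clipper behaviour and the corresponding check, as an added Python example that is neither Kaspersky's code nor Efimer's: the first function shows what a clipper does to clipboard text (every recognised wallet address is replaced by an attacker address of the same type), and the second is the guard a wallet application or clipboard monitor can apply, re-reading the clipboard at paste time and comparing it with what was actually copied. The address patterns are format-only (no checksum validation) and are my own, and the addresses below are constructed placeholders, not real wallets.

```python
import re

# Format-only patterns (no checksum validation). They are enough for a clipper
# to spot an address in clipboard text, and enough for a guard to notice that
# the address the user copied is not the one about to be pasted.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "btc_bech32": re.compile(r"\bbc1[a-z0-9]{39,59}\b"),
    "eth": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}


def find_wallet_addresses(text):
    """Return [(kind, address), ...] in order of appearance in text."""
    hits = []
    for kind, pat in ADDRESS_PATTERNS.items():
        for m in pat.finditer(text):
            hits.append((m.start(), kind, m.group(0)))
    return [(kind, addr) for _, kind, addr in sorted(hits)]


def clipper_swap(text, attacker_addresses):
    """What a clipper does to clipboard contents: each recognised address is
    replaced by the attacker's address of the same kind. Kinds for which the
    attacker has no address are left untouched."""
    out = text
    for kind, pat in ADDRESS_PATTERNS.items():
        if kind in attacker_addresses:
            out = pat.sub(attacker_addresses[kind], out)
    return out


def detect_swap(copied, about_to_paste):
    """Guard side: compare the text the user copied with the clipboard contents
    at paste time. Returns [(kind, original, replacement), ...] for every
    address that changed; an untouched clipboard returns []."""
    before = find_wallet_addresses(copied)
    after = find_wallet_addresses(about_to_paste)
    if len(before) != len(after):
        # Addresses were added or removed outright; report everything copied.
        return [(kind, addr, None) for kind, addr in before]
    return [
        (k1, a1, a2)
        for (k1, a1), (k2, a2) in zip(before, after)
        if k1 != k2 or a1 != a2
    ]


# Constructed placeholder addresses for this example (not real wallets).
VICTIM_BTC = "1ExampVictimAddrKeepMeSafe1234567"
VICTIM_BECH32 = "bc1qexamplevictimaddress" + "x" * 18
VICTIM_ETH = "0x" + "a1b2c3d4" * 5
ATTACKER = {
    "btc_legacy": "3AttackerSwapAddrNotYoursAtA1234567",
    "eth": "0x" + "deadbeef" * 5,
}
COPIED = f"Pay {VICTIM_BTC} or {VICTIM_BECH32} or {VICTIM_ETH} today"

if __name__ == "__main__":
    tampered = clipper_swap(COPIED, ATTACKER)
    print("copied :", COPIED)
    print("pasted :", tampered)
    for kind, original, replacement in detect_swap(COPIED, tampered):
        print(f"ALERT {kind}: {original} -> {replacement}")
```

The guard only works if it sees the text at copy time (a copy hook or a wallet's own "address you entered" confirmation) as well as at paste time; a check that reads the clipboard once cannot tell a swapped address from a correct one, which is exactly what the clipper relies on.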
Frequently Asked Questions (FAQ)
Phishing Scams and AI
Q: How are AI tools being used in phishing scams?
A: Generative AI website builders are used to produce convincing phishing pages that closely mimic legitimate sites, making them harder to distinguish from the real thing. In the Brazilian campaign the resulting pages were then pushed up in search results with SEO poisoning.
Q: What are the typical signs of an AI-generated phishing website?
A: Signs can include overly explanatory developer comments in the page source, non-functional placeholder elements that imitate features of legitimate sites, and the use of frameworks such as TailwindCSS that AI website builders favor. None of these alone proves a page is malicious; the researchers cited them as what sets these sites apart from traditional phishing kits.
Q: What kind of information do these phishing scams aim to steal?
A: In this campaign the sites collect Brazilian CPF numbers (taxpayer IDs), residential addresses and other personal details, and then trick victims into making a small PIX payment.
Cryptocurrency Theft and Malware
Q: What is the Efimer Trojan, and how does it steal cryptocurrency?
A: Efimer is a malicious script that targets cryptocurrency users. It operates as clipper malware: it monitors the clipboard and replaces any wallet address the victim copies with an attacker-controlled address, so funds are sent to the attacker. Some versions also harvest data from cryptocurrency wallet extensions in browsers such as Chrome and Brave.
Q: How is the Efimer Trojan distributed?
A: Mainly through malspam that impersonates lawyers and carries a ZIP archive with a password-protected Windows Script File (WSF). It also spreads through compromised WordPress websites and malicious torrent files.
Q: How many victims have been affected by the Efimer Trojan?
A: Kaspersky estimates that more than 5,000 users have been affected.
Cybersecurity Best Practices
Q: How can I protect myself from phishing scams?
A: Be cautious of unsolicited emails or messages, especially those asking for personal information or urging immediate payment. Verify the sender's identity and check the site's domain before entering credentials or paying; a government service reached through a search result deserves the same scrutiny as one reached through a link. The signs of AI-generated phishing sites listed above can help, but the domain and the payment request are the decisive checks.
Q: What precautions should I take to secure my cryptocurrency?
A: Use strong, unique passwords and enable two-factor authentication (2FA) for exchange and wallet accounts, and keep larger holdings in a hardware wallet. Before sending funds, compare the pasted destination address with the one you intended to copy, since clipper malware such as Efimer silently substitutes addresses in the clipboard. Be wary of unsolicited attachments, especially password-protected archives, and of torrents offering software.
Crypto Market AI's Take
The convergence of generative AI in phishing and purpose-built malware such as Efimer points to rising sophistication in financially motivated cybercrime. As AI tools become more accessible, threat actors can produce convincing social engineering lures at lower cost, which puts more weight on user vigilance. For cryptocurrency users the lesson is concrete: authenticate strongly, treat unsolicited attachments with suspicion, manage wallets carefully, and verify a destination address at the moment of paying.
Source: Originally published by The Hacker News on August 8, 2025.