AI Tools Fuel Brazilian Phishing Scam While Efimer Trojan Steals Crypto from 5,000 Victims

AI tools enable sophisticated Brazilian phishing scams and Efimer Trojan steals crypto from 5,000+ victims worldwide.

August 8, 2025
5 min read
The Hacker News
Cybersecurity researchers have uncovered a new wave of cybercrime leveraging generative AI-powered website builders like DeepSite AI and BlackBox AI to create convincing phishing pages that impersonate Brazilian government agencies. These lookalike sites, mimicking Brazil's State Department of Traffic and Ministry of Education, trick users into making unauthorized payments via the PIX payment system, according to Zscaler ThreatLabz.

The attackers use search engine optimization (SEO) poisoning to artificially boost the visibility of these fraudulent sites, increasing their chances of deceiving victims. Analysis of the phishing pages' source code reveals telltale signs of generative AI tools, including overly explanatory comments, non-functional elements typical of genuine websites, and TailwindCSS styling, which differs from traditional phishing kits.

The scam's objective is to collect sensitive personal information such as Cadastro de Pessoas Físicas (CPF) numbers (Brazilian taxpayer IDs) and residential addresses. Victims are then duped into making a one-time payment of 87.40 reals (approximately $16) via PIX, under false pretenses like completing psychometric and medical exams or securing job offers.

To enhance credibility, the phishing pages progressively request additional data from victims, mimicking the behavior of legitimate websites. The attackers validate CPF numbers through a backend API that automatically populates the phishing forms with information linked to the CPF, making the scam appear more authentic. It remains unclear whether the attackers obtained CPF data from breaches or publicly exposed APIs.

"While these phishing campaigns are currently stealing relatively small amounts of money from victims, similar attacks can be used to cause far more damage," Zscaler researchers warned.
In a related development, Brazil has been targeted by a malspam campaign distributing the Efimer Trojan, a malicious script designed to steal cryptocurrency wallets. Detected by Russian cybersecurity firm Kaspersky in June 2025, Efimer has been active since October 2024 and spreads via infected WordPress sites, email, and malicious torrents.

The campaign impersonates lawyers from a major company, sending emails falsely accusing recipients of domain infringement. These emails contain ZIP archives with password-protected Windows Script Files (WSF) that, when executed, infect the victim's machine with Efimer.

Efimer installs a scheduled task to run its components, including "controller.js," a clipper malware that replaces copied cryptocurrency wallet addresses with attacker-controlled addresses. It also captures screenshots and connects to its command-and-control (C2) server over the TOR network via an installed TOR proxy client. A second version of Efimer includes anti-virtual machine (VM) features and scans browsers like Google Chrome and Brave for cryptocurrency wallet extensions such as Atomic, Electrum, and Exodus, exfiltrating this data back to the attackers.

Kaspersky estimates the campaign has impacted over 5,000 users, primarily in Brazil but also in India, Spain, Russia, Italy, Germany, the U.K., Canada, France, and Portugal. "Besides stealing and swapping cryptocurrency wallets, Efimer uses additional scripts to compromise WordPress sites and distribute spam, enabling it to build a malicious infrastructure and spread further," researchers explained. The Trojan targets both individual users and corporate environments, using torrent files as bait for individuals and legal threat emails for organizations.
Source: Originally published at The Hacker News on August 8, 2025.

FAQ

Phishing Scams and AI

Q: How are AI tools being used in phishing scams?
A: Generative AI tools like DeepSite AI and BlackBox AI are being used to create highly convincing phishing websites that mimic legitimate government agencies and other trusted entities. These AI-generated sites are designed to trick users into divulging sensitive personal information or making unauthorized payments.

Q: What makes these AI-generated phishing sites so effective?
A: The effectiveness stems from their ability to replicate the look and feel of legitimate websites with high fidelity. They often incorporate elements like correct styling (e.g., TailwindCSS) and even use SEO poisoning to rank higher in search results, making them more discoverable and deceptive to unsuspecting users. The use of backend APIs to validate information, like CPF numbers, further enhances their authenticity.

Q: What kind of information are these phishing scams trying to steal?
A: These scams typically aim to steal sensitive personal data, including Cadastro de Pessoas Físicas (CPF) numbers (Brazilian taxpayer IDs), residential addresses, and other personally identifiable information.

Q: What payment systems are being exploited by these scams?
A: The scams are leveraging the PIX payment system in Brazil, tricking victims into making small, unauthorized payments under various false pretenses.
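The source-code tells named in the article and in the answers above (verbose explanatory comments, TailwindCSS utility classes, decorative links that go nowhere) can be turned into a triage score for a page pulled from a suspicious search result. This is an added example, not code from the article, Zscaler, or this site; the Tailwind prefix list, the thresholds, and both sample pages are constructed assumptions.

```python
# Added triage heuristic (not from the article or Zscaler): score HTML source on
# the tells the write-up names for AI-builder pages. Prefix list, thresholds and
# sample pages are constructed assumptions, not measured values.
import re
from html.parser import HTMLParser

TAILWIND_RE = re.compile(r"\b(?:bg|text|px|py|mx|my|flex|grid|rounded|shadow|font|w|h)-[\w/]+")
DEAD_HREFS = {"", "#", "javascript:void(0)"}

class PageInspector(HTMLParser):
    """Collect comments, Tailwind class hits, dead links and forms from one page."""
    def __init__(self):
        super().__init__()
        self.comments, self.tailwind_hits, self.dead_links, self.forms = [], 0, 0, 0
    def handle_comment(self, data):
        self.comments.append(data.strip())
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms += 1
        if tag == "a" and (a.get("href") or "").strip() in DEAD_HREFS:
            self.dead_links += 1          # a link that goes nowhere: decoration only
        self.tailwind_hits += len(TAILWIND_RE.findall(a.get("class") or ""))

def score_page(html: str) -> dict:
    """Raw counts plus a coarse 0-5 score; 4 or more flags a likely AI-built page."""
    p = PageInspector()
    p.feed(html)
    verbose = sum(len(c.split()) >= 6 for c in p.comments)   # explanatory, multi-word comments
    score = ((2 if verbose >= 3 else 1 if verbose else 0)
             + (2 if p.tailwind_hits >= 10 else 1 if p.tailwind_hits else 0)
             + (1 if p.dead_links >= 3 else 0))
    return {"verbose_comments": verbose, "tailwind_hits": p.tailwind_hits,
            "dead_links": p.dead_links, "forms": p.forms, "score": score,
            "ai_builder_likely": score >= 4}

# Constructed samples: a builder-style government lookalike and a terse classic kit page.
AI_STYLE_PAGE = """<!-- Main container: wraps the entire page content and centers it -->
<div class="flex flex-col min-h-screen bg-gray-100">
  <!-- Header section: shows the department logo and primary navigation links -->
  <header class="bg-blue-900 text-white px-6 py-4 shadow-md">
    <a href="#">Inicio</a><a href="#">Servicos</a><a href="#">Contato</a></header>
  <!-- Form section: collects the CPF number before the payment step -->
  <form action="/validate" method="post" class="mx-auto my-8 rounded-lg px-8 py-6">
    <input name="cpf" class="w-full rounded-md px-3 py-2">
    <button class="bg-green-600 text-white font-bold px-4 py-2 rounded-md">Continuar</button>
  </form></div>"""
CLASSIC_KIT_PAGE = '<form action="post.php" method="post"><input name="cpf" style="width:100%"></form>'
```

Treat the score as a triage hint only: legitimate sites built with Tailwind also score on the class check, which is why the comment and dead-link signals carry separate weight.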

Efimer Trojan and Cryptocurrency Theft

Q: What is the Efimer Trojan?
A: The Efimer Trojan is a malicious script designed to steal cryptocurrency wallets and data. It spreads through various channels, including compromised websites, email campaigns, and malicious torrents.

Q: How does the Efimer Trojan steal cryptocurrency?
A: Efimer employs several methods:
*   Wallet Address Clipping: It replaces copied cryptocurrency wallet addresses with those controlled by the attackers, diverting funds when users attempt to send cryptocurrency.
*   Screenshot Capturing: It captures screenshots of the victim's screen, potentially revealing sensitive information.
*   Browser Extension Scanning: In its second version, it scans popular browsers for cryptocurrency wallet extensions (like Atomic, Electrum, Exodus) and exfiltrates this data.
Q: What is the scale of the Efimer Trojan campaign?
A: Kaspersky estimates that the campaign has impacted over 5,000 users, primarily in Brazil, but also in several other countries worldwide.

Q: Beyond crypto theft, what else does the Efimer Trojan do?
A: Efimer also includes scripts that can compromise WordPress sites and distribute spam, helping attackers build their malicious infrastructure and further propagate the Trojan.
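The wallet-address clipping described in the article and in the answers above can be caught on the receiving end. This added example (not Efimer analysis, Kaspersky code, or this site's code) shows two checks a wallet front end or a user script can run: comparing the pasted address with the one the user intended, and a clipboard canary that writes a known address and reads it back. The address patterns, the fake clipboard, and the sample addresses are constructed assumptions.

```python
# Added example (not from the article or Kaspersky's analysis): two defensive
# checks against the clipboard swap Efimer's controller.js is described as doing.
# Address patterns, fake clipboard and sample addresses are constructed assumptions.
import re
from typing import Callable, Optional

# Shapes only; a real wallet would use a checksum-validating parser.
CHAIN_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def classify(addr: str) -> Optional[str]:
    """Return the chain family an address string looks like, or None."""
    for name, pat in CHAIN_PATTERNS.items():
        if pat.match(addr.strip()):
            return name
    return None

def check_paste(intended: str, pasted: str) -> str:
    """Compare the address the user meant to send to with what the paste delivered."""
    if intended == pasted:
        return "ok"
    # A clipper substitutes a same-format address so the swap is not obvious at a glance.
    if classify(pasted) is not None and classify(pasted) == classify(intended):
        return "clipper_suspected"
    return "mismatch"

def clipboard_canary(write: Callable[[str], None], read: Callable[[], str], canary: str) -> bool:
    """Write a known address and read it back; any change means something rewrote it."""
    write(canary)
    return read() == canary

class FakeClipboard:
    """Constructed stand-in for a clipboard API; swap_to simulates a hostile one."""
    def __init__(self, swap_to: Optional[str] = None):
        self.data, self.swap_to = "", swap_to
    def write(self, text: str) -> None:
        self.data = text
    def read(self) -> str:
        return self.swap_to if self.swap_to else self.data

INTENDED_BTC = "1" + "A" * 33          # constructed sample addresses, not real wallets
SWAPPED_BTC = "1" + "B" * 33

def canary_demo(swap_to: Optional[str] = None) -> bool:
    """Run the canary against a fresh fake clipboard; False means a swap was caught."""
    clip = FakeClipboard(swap_to)
    return clipboard_canary(clip.write, clip.read, INTENDED_BTC)
```

On a real host the FakeClipboard methods would be replaced by the platform clipboard API, and a failed canary is a host-compromise signal to escalate, not merely a bad paste to retry.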

Crypto Market AI's Take

The confluence of AI-powered phishing and sophisticated malware like the Efimer Trojan highlights a rapidly evolving threat landscape in the cryptocurrency space. The use of generative AI to craft highly believable phishing pages demonstrates the increasing sophistication of social engineering attacks. This underscores the critical need for users to remain vigilant and scrutinize the authenticity of websites and communications, especially when dealing with financial transactions. Furthermore, the Efimer Trojan's multi-pronged approach to stealing cryptocurrency, from wallet clipping to scanning browser extensions, showcases the intricate methods threat actors employ to target digital assets. Our platform at Crypto Market AI focuses on providing users with the tools and insights to navigate this complex environment safely. We leverage advanced AI for real-time market analysis and security awareness, aiming to equip our users with the knowledge to identify and avoid such threats. For those looking to understand more about the security of digital assets, our guides on cryptocurrency security offer valuable insights into best practices.
