Kaspersky has uncovered a multi-pronged malware operation that uses fake legal threats, compromised WordPress sites, and malicious torrents to deliver a cryptocurrency-stealing Trojan known as Efimer. First observed in late 2024, Efimer has grown into a modular threat that steals funds by swapping wallet addresses, harvests credentials and seed phrases, and launches brute-force attacks against poorly secured websites.
In June 2025, Kaspersky researchers detected “a mass mailing campaign impersonating lawyers from a major company”, claiming that recipients’ domain names infringed on trademarks. The emails threatened legal action but offered a way out: change the domain or sell it. The attached ZIP archive supposedly held details of the dispute; in fact it held Efimer, disguised as a file named Requirement.wsf.
To hinder automated analysis, the name of the file carrying the archive password was written with a Unicode lookalike character, so tooling that searches for that file by its expected name would miss it. Once executed, the script checked whether it was running with administrator privileges, added Windows Defender exclusions so that its files would not be scanned, and installed its main payload, a cryptocurrency-focused ClipBanker Trojan.
Efimer is a clipper: it watches the clipboard for cryptocurrency wallet addresses and silently swaps them for attacker-controlled ones, so a victim who copies a recipient address and pastes it into a wallet app unknowingly sends the funds to the attacker. Kaspersky describes a Trojan that “sniffs out mnemonic phrases and swaps copied cryptocurrency wallet addresses with the attacker’s own”.
If Task Manager is open, the malware halts execution to avoid scrutiny. Otherwise, it installs a Tor proxy client and uses it to reach its command-and-control (C2) server, to which it sends stolen seed phrases, screenshots, and wallet data every 30 minutes.
The address substitution is tailored to each cryptocurrency:
- Bitcoin: picks an attacker address that shares parts of the original, so a quick glance at the pasted address does not reveal the swap.
- Ethereum: replaces any 0x-prefixed address with an attacker-controlled one.
- Monero, Tron, Solana: substitutes predefined attacker addresses with little or no matching, relying on users not checking the pasted address closely.
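To make the matching strategies above concrete, here is an added Python example; it is not code from Kaspersky’s report or from the malware itself. It classifies addresses by format for the currencies listed, shows how an attacker’s pool yields a Bitcoin look-alike whose head and tail match the victim’s address, and shows that a full-string comparison catches the swap even when a glance at the first and last few characters would not. All addresses, the prefix-plus-suffix scoring, and the function names are constructed for illustration; the page does not state exactly which parts of the address Efimer matches.

```python
import re

# Loose syntactic patterns for the currencies Efimer targets (constructed for
# this example; format checks only, no checksum validation). Order matters:
# several coins share the base58 alphabet, so the more specific shapes go first.
ADDRESS_PATTERNS = {
    "bitcoin_legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "bitcoin_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$"),
    "ethereum":       re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "monero":         re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$"),
    "tron":           re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
    "solana":         re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$"),
}


def classify(address):
    """Return the name of the first address format `address` matches, or None."""
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(address):
            return name
    return None


def shared_prefix(a, b):
    """Number of leading characters `a` and `b` have in common."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def shared_suffix(a, b):
    """Number of trailing characters `a` and `b` have in common."""
    return shared_prefix(a[::-1], b[::-1])


def pick_lookalike(original, pool):
    """Assumed clipper strategy for Bitcoin: from the attacker's pool, choose
    the address sharing the most leading plus trailing characters with the
    address the victim copied."""
    return max(pool, key=lambda c: shared_prefix(original, c) + shared_suffix(original, c))


def glance_check(expected, actual, n=4):
    """The check most users actually do: compare only the first and last n chars."""
    return expected[:n] == actual[:n] and expected[-n:] == actual[-n:]


def clipboard_guard(copied, pasted):
    """Defensive check a wallet front-end or clipboard monitor can do: compare
    the full string the user copied with what arrived at paste time.
    Returns (ok, reason)."""
    if copied == pasted:
        return True, "unchanged"
    kind = classify(pasted)
    if kind is not None and classify(copied) == kind:
        return False, f"{kind} address was swapped in the clipboard"
    return False, "clipboard content changed"


# Constructed sample addresses: syntactically valid shapes, not real wallets.
VICTIM_BTC = "1Kx" + "q" * 31
ATTACKER_BTC_POOL = [
    "1Bz" + "z" * 31,             # shares only the leading "1"
    "1Kx" + "z" * 31,             # shares "1Kx"
    "1Kxq" + "z" * 27 + "qqq",    # shares "1Kxq" and "qqq": the best decoy
]
VICTIM_ETH = "0x" + "ab12" * 10
ATTACKER_ETH = "0x" + "ff" * 20   # Ethereum: any 0x address is replaced outright


if __name__ == "__main__":
    decoy = pick_lookalike(VICTIM_BTC, ATTACKER_BTC_POOL)
    print("victim copied :", VICTIM_BTC)
    print("clipper pasted:", decoy)
    print("3-char glance passes:", glance_check(VICTIM_BTC, decoy, 3))
    print("full compare       :", clipboard_guard(VICTIM_BTC, decoy))
    print("ethereum swap      :", clipboard_guard(VICTIM_ETH, ATTACKER_ETH))
```

The point of `clipboard_guard` is that the comparison must be on the whole string and must happen on the receiving side (the wallet or a clipboard monitor), because the clipper acts between copy and paste; any check that only looks at the first and last few characters is exactly what the Bitcoin matching strategy is designed to pass.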
Efimer also spreads via compromised WordPress sites, where attackers post fake movie download links. These lead to password-protected archives containing malicious EXE files disguised as media players, which install the same Trojan and Tor proxy client.
Kaspersky noted that “attackers search for poorly secured websites, brute-force their passwords, and then post messages offering to download recently released movies”. Each compromised site thus serves both as a distribution vector and as a foothold from which further brute-force campaigns are launched.
Efimer’s modularity allows it to expand via additional scripts:
- btdlg.js: A brute-forcing tool that “searches Google and Bing for domains to target” and uses XML-RPC to attempt logins.
- Liame: An email harvesting tool that collects and exfiltrates addresses from specified domains, potentially for future spam or phishing campaigns.
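Both brute-force activities described here, the password guessing used to take over the WordPress sites that host the movie lures and the XML-RPC login attempts made by btdlg.js, leave a characteristic trace in the web server access log. The following Python example is added here and is not code from Kaspersky’s report or from the campaign: it parses combined-format access log lines (constructed below, with addresses from the RFC 5737 documentation ranges) and flags source IPs that POST to /xmlrpc.php or /wp-login.php at least a threshold number of times within a sliding time window. The window size, threshold, sample IPs and function names are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx combined log format; referrer and user agent after the size
# are not needed and are ignored by the regex.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Endpoints a WordPress credential brute-forcer hits. XML-RPC is the more
# attractive one for scripted tooling because it answers a username/password
# pair without a browser session.
TARGET_PATHS = {"/xmlrpc.php", "/wp-login.php"}


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, path, status; or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # drop any query string
    return rec


def find_bruteforcers(lines, window_seconds=60, threshold=10):
    """Sliding-window detector. Returns {ip: peak_count} for every source IP
    that POSTs to a login endpoint at least `threshold` times within any
    `window_seconds` span. Lines are assumed to be chronological per source
    IP, as an access log normally is."""
    recent = defaultdict(deque)
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] not in TARGET_PATHS:
            continue
        window = recent[rec["ip"]]
        window.append(rec["ts"])
        while (rec["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            peaks[rec["ip"]] = max(peaks.get(rec["ip"], 0), len(window))
    return peaks


def make_sample_log():
    """Constructed access log: one IP hammering xmlrpc.php, one making a few
    wp-login.php POSTs, and ordinary browsing. Not captured from a real site."""
    base = datetime(2025, 6, 12, 10, 1, 0, tzinfo=timezone.utc)

    def entry(ip, offset, method, path, status, ua):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 412 "-" "{ua}"'

    lines = [entry("198.51.100.5", 0, "GET", "/", 200, "Mozilla/5.0")]
    # 12 XML-RPC POSTs in 24 seconds from one source. Note the status is 200
    # throughout: XML-RPC reports a bad password inside the response body,
    # so status codes alone do not reveal the guessing.
    lines += [entry("203.0.113.7", 1 + 2 * i, "POST", "/xmlrpc.php", 200, "python-requests/2.32")
              for i in range(12)]
    # 3 wp-login.php POSTs: below the default threshold on its own.
    lines += [entry("192.0.2.9", 5 + 10 * i, "POST", "/wp-login.php", 200, "Mozilla/5.0")
              for i in range(3)]
    lines.append(entry("198.51.100.5", 40, "GET", "/?s=movie", 200, "Mozilla/5.0"))
    lines.append("this line is not in combined log format")
    return lines


if __name__ == "__main__":
    for ip, peak in find_bruteforcers(make_sample_log()).items():
        print(f"{ip}: {peak} login-endpoint POSTs within 60s")
```

Two caveats when tuning this on a real log: access logs do not record request bodies, and XML-RPC’s `system.multicall` lets a single POST carry many credential guesses, so the per-request count understates the attack; a low threshold, or an alert on any POST to /xmlrpc.php on a site that does not use it, is reasonable. The usual hardening follows from the same observation: deny /xmlrpc.php at the web server unless a plugin genuinely needs it, and rate-limit /wp-login.php.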
Another variant, assembly.js, adds VM detection and extensive cryptocurrency wallet searches, targeting browser extensions and wallet apps before sending the results to a separate C2 infrastructure.
Between October 2024 and July 2025, Efimer attacks affected 5,015 Kaspersky users, with Brazil topping the list at 1,476 victims, followed by India, Spain, Russia, Italy, and Germany.
Kaspersky warns that Efimer’s blend of stealth, adaptability, and multi-vector delivery makes it a significant threat to both individuals and website administrators, especially in the cryptocurrency ecosystem.