AI Tools Fuel Brazilian Phishing Scam While Efimer Trojan Steals Crypto from 5,000 Victims

AI Tools Fuel Brazilian Phishing Scam While Efimer Trojan Steals Crypto from 5,000 Victims

Cybersecurity researchers are drawing attention to a new campaign that's using legitimate generative artificial intelligence (AI)-powered website building tools like DeepSite AI and BlackBox AI to create replica phishing pages mimicking Brazilian government agencies as part of a financially motivated campaign.

The activity involves the creation of lookalike sites imitating Brazil's State Department of Traffic and Ministry of Education, which then trick unsuspecting users into making unwarranted payments through the country's PIX payment system, Zscaler ThreatLabz said.

These fraudulent sites are artificially boosted using search engine optimization (SEO) poisoning techniques to enhance their visibility, thereby increasing the likelihood of success of the attack.

"Source code analysis reveals signatures of generative AI tools, such as overly explanatory comments meant to guide developers, non-functional elements that would typically work on an authentic website, and trends like TailwindCSS styling, which is different from the traditional phishing kits used by threat actors," Zscaler's Jagadeeswar Ramanukolanu, Kartik Dixit, and Yesenia Barajas said.

The end goal of the attacks is to serve bogus forms that collect sensitive personal information, including Cadastro de Pessoas Físicas (CPF) numbers, Brazilian taxpayer identification numbers, residential addresses, and convince them to make a one-time payment of 87.40 reals ($16) to the threat actors via PIX under the guise of completing a psychometric and medical exam or secure a job offer.

To further increase the legitimacy of the campaign, the phishing pages are designed such that they employ staged data collection by progressively requesting additional information from the victim, mirroring the behavior of the authentic websites. The collected CPF numbers are also validated on the backend by means of an API created by the threat actor.

"The API domain identified during analysis is registered by the threat actor," Zscaler said. "The API retrieves data associated with the CPF number and automatically populates the phishing page with information linked to the CPF."

That said, the company noted that it's possible the attackers may have acquired CPF numbers and user details through data breaches or by leveraging publicly exposed APIs with an authentication key, and then used the information to increase the credibility of their phishing attempts.

"While these phishing campaigns are currently stealing relatively small amounts of money from victims, similar attacks can be used to cause far more damage," Zscaler noted.

Mass mailing Campaign Distributes Efimer Trojan to Steal Crypto

Brazil has also become the focus of a malspam campaign that impersonates lawyers from a major company to deliver a malicious script called Efimer and steal a victim's cryptocurrency. Russian cybersecurity company Kaspersky said it detected the mass mailing campaign in June 2025, with early iteration of the malware dating all the way back to October 2024 and spread via infected WordPress websites.

"These emails falsely claimed the recipient's domain name infringed on the sender's rights," researchers Vladimir Gursky and Artem Ushkov said. "This script also includes additional functionality that helps attackers spread it further by compromising WordPress sites and hosting malicious files there, among other techniques."

Efimer, besides propagating via compromised WordPress sites and email, leverages malicious torrents as distribution vector, while communicating with its command-and-control (C2) server via the TOR network. Furthermore, the malware can extend its capabilities with additional scripts that can brute-force passwords for WordPress sites and harvest email addresses from specified websites for future email campaigns.

"The script receives domains [from the C2 server] and iterates through each one to find hyperlinks and email addresses on the website pages," Kaspersky said, noting it also serves as a spam module engineered to fill out contact forms on target websites.

In the attack chain documented by Kaspersky, the emails come fitted with ZIP archives containing another password-protected archive and an empty file with a name specifying the password to open it. Present within the second ZIP file is a malicious Windows Script File (WSF) that, when launched, infects the machine with Efimer.

At the same time, the victim is displayed an error message stating the document cannot be opened on the device as a distraction mechanism. In reality, the WSF script saves two other files, "controller.js" (the trojan component) and "controller.xml," and creates a scheduled task on the host using configuration extracted from "controller.xml."

The "controller.js" is a clipper malware that's designed to replace cryptocurrency wallet addresses the user copies to their clipboard with the wallet address under the attacker's control. It can also capture screenshots and execute additional payloads received from the C2 server by connecting over the TOR network after installing a TOR proxy client on the infected computer.

Kaspersky said it also discovered a second version of Efimer that, along with clipper features, also incorporates anti-VM features and scans web browsers like Google Chrome and Brave for cryptocurrency wallet extensions related to Atomic, Electrum, and Exodus, among others, and exfiltrates the results of the search back to the C2 server.

The campaign is estimated to have impacted 5,015 users, based on its telemetry, with a majority of the infections concentrated in Brazil, India, Spain, Russia, Italy, Germany, the U.K., Canada, France, and Portugal.

"While its primary goal is to steal and swap cryptocurrency wallets, it can also leverage additional scripts to compromise WordPress sites and distribute spam," the researchers said. "This allows it to establish a complete malicious infrastructure and spread to new devices."

"Another interesting characteristic of this Trojan is its attempt to propagate among both individual users and corporate environments. In the first case, attackers use torrent files as bait, allegedly to download popular movies; in the other, they send claims about the alleged unauthorized use of words or phrases registered by another company."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.