Kaspersky has identified a malware campaign involving the Efimer Trojan, a threat first detected in October 2024 and still active into 2025. This Trojan is designed to steal cryptocurrency, compromise WordPress sites, and spread through torrents and targeted phishing emails.
In recent attacks, cybercriminals have sent phishing messages posing as legal notices from corporate lawyers, claiming a recipient’s domain name violates trademarks. The emails threaten legal action but offer to purchase the domain instead. Victims who open the attached “details” file unknowingly execute a multi-stage script that installs Efimer while displaying fake error messages to mask the infection.
Once deployed, Efimer acts like a ClipBanker Trojan, monitoring the clipboard for cryptocurrency wallet addresses and replacing them with the attacker’s own. It can also harvest mnemonic recovery phrases, store them locally, and send them to a Tor-based command server. To avoid detection, the malware shuts down if Task Manager is running and will install Tor itself if needed, using multiple sources to evade blocking. Beyond crypto theft, Efimer includes scripts capable of brute-forcing WordPress logins by generating target domains from Wikipedia word lists and testing large batches of passwords. Compromised sites are then used to post malicious files or distribute infected torrents disguised as movie downloads, some containing spoofed wallets for Tron and Solana.
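The clipboard-swap behaviour described above has a simple defensive signature: the clipboard holds one wallet address and, within a fraction of a second and with no other content in between, holds a different address of the same coin family. The following is an added example (not Kaspersky's code and not part of the original report) that classifies clipboard contents by address format for the coin families the report names and flags consecutive snapshots that look like a hijack. It assumes a polling loop supplies `(timestamp, text)` snapshots; the snapshot list and all addresses here are constructed, the address patterns are format checks only (no checksum validation), and the `window_s` threshold is a tunable assumption.

```python
import re

# Address-format patterns for the coin families named in the report. They are
# checked in order: the Solana pattern is the loosest (any 32-44 character
# base58 string) and would also match legacy Bitcoin addresses, so it comes last.
# Format checks only; checksums are deliberately not validated here.
BASE58 = r"[1-9A-HJ-NP-Za-km-z]"
ADDRESS_PATTERNS = [
    ("ETH", re.compile(r"^0x[0-9a-fA-F]{40}$")),
    ("BTC", re.compile(r"^bc1[02-9ac-hj-np-z]{25,62}$")),   # bech32 / bech32m
    ("TRX", re.compile(rf"^T{BASE58}{{33}}$")),             # Tron base58check
    ("BTC", re.compile(rf"^[13]{BASE58}{{25,34}}$")),       # legacy P2PKH / P2SH
    ("SOL", re.compile(rf"^{BASE58}{{32,44}}$")),           # Solana public key
]


def classify_address(text):
    """Return the coin family a clipboard string looks like, or None."""
    text = text.strip()
    for coin, pattern in ADDRESS_PATTERNS:
        if pattern.match(text):
            return coin
    return None


def detect_clipboard_swaps(snapshots, window_s=10.0):
    """Flag consecutive snapshots where one address is replaced by a different
    address of the same coin family within window_s seconds.

    snapshots: list of (timestamp_seconds, clipboard_text), in time order.
    A user rarely copies two different addresses of the same coin back to
    back; a ClipBanker does exactly that, almost instantly after the copy.
    """
    alerts = []
    for (t0, prev), (t1, cur) in zip(snapshots, snapshots[1:]):
        coin = classify_address(prev)
        if coin is None or coin != classify_address(cur):
            continue                      # not an address-to-same-coin transition
        if prev.strip() == cur.strip() or t1 - t0 > window_s:
            continue                      # unchanged, or too slow to be a hijack
        alerts.append({
            "coin": coin,
            "original": prev.strip(),
            "replacement": cur.strip(),
            "delta_s": round(t1 - t0, 3),
        })
    return alerts


# Constructed sample addresses (valid in format only, not real wallets).
ETH1, ETH2 = "0x" + "1" * 40, "0x" + "2" * 40
BTC1, BTC2 = "bc1q" + "q" * 38, "bc1q" + "p" * 38
TRX1, TRX2 = "T" + "A" * 33, "T" + "B" * 33
SOL1, SOL2 = "5" * 40, "6" * 40

# Constructed clipboard poll history (seconds, content).
SAMPLE_SNAPSHOTS = [
    (0.0, "agenda for the 3pm call"),
    (12.0, ETH1),
    (12.3, ETH2),        # replaced 0.3 s after the copy: hijack signature
    (40.0, ETH2),        # same content re-polled: no alert
    (60.0, BTC1),
    (125.0, BTC2),       # different BTC address, but 65 s later: user action
    (130.0, TRX1),
    (130.4, TRX2),       # hijack signature
    (200.0, SOL1),
    (200.2, SOL2),       # hijack signature
    (210.0, "send it on Friday"),
]

if __name__ == "__main__":
    for alert in detect_clipboard_swaps(SAMPLE_SNAPSHOTS):
        print(f"[{alert['coin']}] {alert['original']} -> "
              f"{alert['replacement']} after {alert['delta_s']} s")
```

On a real host the snapshot source would be an OS clipboard poll, and the alert should trigger a user-visible warning before any transaction is confirmed; the check is cheap enough to run on every poll.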
From October 2024 to July 2025, over 5,000 users were infected, with the highest activity reported in Brazil, followed by India, Spain, Russia, Italy, and Germany. The Trojan’s versatility enables it to target both individuals, through phishing and torrents, and businesses, by infiltrating corporate websites. It can also scrape email addresses for spam campaigns using an embedded “Liame” script. To reduce the risk of infection, Kaspersky advises avoiding suspicious attachments, steering clear of untrusted torrents, and keeping antivirus software updated. For website administrators, strong passwords, two-factor authentication, and regular patching remain essential defenses against this type of intrusion.
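For the website-administrator side, the WordPress brute-forcing described above leaves a recognisable trace in the web server access log: a burst of `POST` requests to `wp-login.php` (and often `xmlrpc.php`) from one address, each answered with the login form again. The following is an added example, not Kaspersky's code and not part of the original report, that parses Apache-style combined log lines and flags source IPs exceeding a threshold of failed login posts inside a sliding window. It assumes the usual WordPress behaviour that a failed login re-renders the form with HTTP 200 while a successful one redirects with 302; the log lines, IP addresses (documentation ranges) and thresholds are constructed.

```python
import re
from datetime import datetime

# Apache/nginx combined log format: IP, identity, user, [timestamp], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def _max_in_window(times, window_s):
    """Largest number of events from a sorted time list falling in any window."""
    times = sorted(times)
    best = j = 0
    for i in range(len(times)):
        while j < len(times) and (times[j] - times[i]).total_seconds() <= window_s:
            j += 1
        best = max(best, j - i)
    return best


def detect_login_bruteforce(lines, threshold=10, window_s=60):
    """Map source IP -> peak count of failed login POSTs inside window_s seconds,
    for IPs that reach threshold. A POST to a login path answered 200 is
    treated as a failed attempt (WordPress re-renders the form); 302 is a
    successful login and is not counted.
    """
    failed = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        if method == "POST" and path.split("?")[0] in LOGIN_PATHS and status == 200:
            failed.setdefault(ip, []).append(ts)
    flagged = {}
    for ip, times in failed.items():
        peak = _max_in_window(times, window_s)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def _line(ip, ts, method, path, status):
    # Helper to build constructed combined-format log lines.
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 3456 "-" "Mozilla/5.0"'


# Constructed sample log: one legitimate admin who mistypes once, then logs in,
# and one source hammering the login endpoints.
SAMPLE_LOG = [
    _line("198.51.100.7", "12/Aug/2025:10:00:01 +0000", "GET", "/wp-login.php", 200),
    _line("198.51.100.7", "12/Aug/2025:10:00:09 +0000", "POST", "/wp-login.php", 200),
    _line("198.51.100.7", "12/Aug/2025:10:00:25 +0000", "POST", "/wp-login.php", 302),
] + [
    _line("203.0.113.10", f"12/Aug/2025:10:05:{s:02d} +0000", "POST", "/wp-login.php", 200)
    for s in range(0, 36, 3)      # 12 failed attempts in 33 seconds
] + [
    _line("203.0.113.10", "12/Aug/2025:10:05:40 +0000", "POST", "/xmlrpc.php", 200),
    _line("192.0.2.44", "12/Aug/2025:10:07:00 +0000", "GET", "/index.php", 200),
    "this line is not in combined log format and is skipped",
]

if __name__ == "__main__":
    for ip, peak in detect_login_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {peak} failed login posts within 60 s")
```

The same counting logic is what a rate limiter or fail2ban-style filter applies in real time; the threshold and window should be set well above what a legitimate administrator produces, and hits are a cue to enforce the two-factor authentication and strong-password advice above rather than to rely on blocking alone.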