Efimer Malware Steals Cryptocurrency and Hacks WordPress via Torrents and Phishing

293/68 Friday, August 15, 2025

Kaspersky has issued a warning about the widespread infection of the Efimer Trojan malware, first discovered in October 2024 and still active well into 2025, with over 5,000 victims reported globally. This malware exhibits multiple malicious capabilities, including replacing cryptocurrency wallet addresses to redirect funds to attacker-controlled accounts, brute-forcing WordPress admin passwords, and spreading through compromised websites, fake torrent files, and phishing emails disguised as trademark infringement notices from lawyers. These emails contain attachments with hidden Trojan installers and fake error messages designed to deceive users.

Once installed, Efimer acts as a ClipBanker, continuously monitoring clipboard activity. If the user copies a cryptocurrency wallet address, Efimer silently replaces it with the attacker’s wallet address. It also captures wallet recovery phrases (seed phrases), stores them locally, and transmits the data to hidden servers on the Tor network to obscure its origins. To evade detection, the malware can automatically shut down if Task Manager is launched and will install Tor software from multiple sources to make blocking more difficult. Efimer also includes a script that attempts to brute-force WordPress credentials using dictionaries based on Wikipedia content. Once access is gained, it can upload malicious files or distribute additional fake torrent files containing new Efimer variants.
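The clipboard-swap behaviour described above has a recognisable signature that a host-side monitor can look for: one wallet address is replaced by a different address of the same chain within a fraction of a second, faster than a person copies two addresses by hand. The following Python sketch is an added example, not code from the Kaspersky report or the hackread article, and it uses constructed clipboard snapshots; it assumes a polling loop (for example around a library such as pyperclip) would feed real `Snapshot` values, and the address patterns and the one-second threshold are simplifying assumptions a deployment would tune.

```python
"""Heuristic ClipBanker detector (added example, not from the report)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Rough patterns for common wallet formats (assumption: sufficient for a demo;
# a production check would also validate checksums).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[02-9ac-hj-np-z]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


@dataclass(frozen=True)
class Snapshot:
    t: float        # seconds since the monitor started polling
    content: str    # clipboard text observed at that moment


@dataclass(frozen=True)
class Finding:
    chain: str
    original: str
    replacement: str
    t: float


def classify(text: str) -> Optional[str]:
    """Return the chain whose address pattern the text matches, else None."""
    s = text.strip()
    for chain, pat in ADDRESS_PATTERNS.items():
        if pat.match(s):
            return chain
    return None


def normalize(chain: str, text: str) -> str:
    # Ethereum addresses are case-insensitive hex; do not flag a case change.
    s = text.strip()
    return s.lower() if chain == "eth" else s


def detect_swaps(snapshots: List[Snapshot], max_gap: float = 1.0) -> List[Finding]:
    """Flag consecutive snapshots where an address of one chain becomes a
    different address of the same chain within max_gap seconds.  A person
    rarely copies two distinct same-chain addresses that quickly; a
    ClipBanker does it in milliseconds (heuristic: tune max_gap)."""
    findings: List[Finding] = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        chain = classify(prev.content)
        if chain is None or classify(cur.content) != chain:
            continue
        before, after = normalize(chain, prev.content), normalize(chain, cur.content)
        if before == after or cur.t - prev.t > max_gap:
            continue
        findings.append(Finding(chain, before, after, cur.t))
    return findings


# Constructed sample: a benign note, a user-copied BTC address that is swapped
# 200 ms later, an ETH address re-copied in different case, and a second ETH
# address copied much later (legitimate).
USER_BTC = "bc1q" + "a" * 38
ATTACKER_BTC = "bc1q" + "z" * 38
USER_ETH = "0x" + "ab" * 20
SAMPLE = [
    Snapshot(0.0, "meeting notes"),
    Snapshot(5.0, USER_BTC),
    Snapshot(5.2, ATTACKER_BTC),
    Snapshot(40.0, USER_ETH),
    Snapshot(40.5, "0x" + "AB" * 20),
    Snapshot(75.0, "0x" + "cd" * 20),
]

if __name__ == "__main__":
    for f in detect_swaps(SAMPLE):
        print(f"[{f.t:.1f}s] {f.chain} address swapped: {f.original} -> {f.replacement}")
```

Only the BTC pair fires: the ETH re-copy differs only in case, and the later ETH address arrives long after the threshold. In a real monitor the finding would be surfaced to the user before they confirm a transaction, which is the moment the swap does its damage.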

The report indicates that the primary targets are located in Brazil, India, Spain, Russia, Italy, and Germany, though the malware poses a threat to both individuals and businesses globally. Experts advise users to avoid opening email attachments from unknown senders, refrain from downloading torrents from untrusted sources, and regularly update antivirus software. Website owners should also adopt strong passwords, enable two-factor authentication (2FA), and keep software up to date to reduce the risk of server compromise.

Source: https://hackread.com/efimer-trojan-crypto-hacks-wordpress-torrents-phishing/