Efimer Trojan Steals Crypto, Hacks WordPress Sites via Torrents and Phishing

Kaspersky reports Efimer Trojan infecting thousands, swapping crypto wallets, brute-forcing sites, and spreading through torrents and phishing.
Cybercriminals are getting more creative with their scams, and the latest example comes from a malware operation known as Efimer. First spotted by Kaspersky in October 2024 and still active in 2025, the Trojan steals cryptocurrency and spreads through hacked WordPress sites, torrents and targeted phishing emails.
The phishing emails in the most recent campaign pretend to come from lawyers at a large company, warning recipients that their domain name violates trademarks. The message threatens legal action but offers to buy the domain instead.
Victims are then prompted to open an attachment for “details,” which actually contains a multi-stage script. This script drops the Efimer trojan and disguises its activity with fake error messages, so users think nothing happened.
Once running, Efimer behaves like a ClipBanker Trojan. It monitors the clipboard for cryptocurrency wallet addresses and replaces them with the attacker’s own. It also targets mnemonic phrases used to recover wallets, saving them to files before exfiltrating them to a command server hidden on the Tor network.
If Task Manager is running, the malware shuts down to avoid detection. It even installs Tor itself if it’s not already on the machine, downloading it from multiple hardcoded URLs to make blocking more difficult.
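As an added example (not code from Kaspersky's or HackRead's reporting), the following script shows how the clipboard-swap behaviour described above can be detected on the defender's side: it replays a constructed clipboard history and raises an alert when a wallet address is replaced by a different address of the same chain within a couple of seconds. The address regexes, the two-second window and the sample snapshots are all constructed for illustration and only check address shape, not checksums.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Address shapes for the chains the write-up names (Tron, Solana) plus BTC and
# ETH. Constructed for this example. Tron is checked before Solana because both
# are base58, but a Tron address is always 'T' followed by exactly 33 characters.
ADDRESS_PATTERNS = [
    ("btc", re.compile(r"^(bc1[02-9ac-hj-np-z]{25,62}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$")),
    ("eth", re.compile(r"^0x[0-9a-fA-F]{40}$")),
    ("tron", re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$")),
    ("solana", re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$")),
]

def classify(text: str) -> Optional[str]:
    """Return the chain whose address shape the clipboard text matches, if any."""
    text = text.strip()
    for chain, pattern in ADDRESS_PATTERNS:
        if pattern.match(text):
            return chain
    return None

def find_swaps(snapshots: Iterable[Tuple[float, str]], window: float = 2.0) -> List[dict]:
    """Flag an address replaced by a *different* address of the same chain within
    `window` seconds. A user copying two addresses quickly can trigger this too,
    so a hit is an alert to investigate, not a verdict."""
    alerts = []
    prev_ts, prev_text = None, None
    for ts, text in snapshots:
        text = text.strip()
        if prev_text is not None:
            before, after = classify(prev_text), classify(text)
            if before and before == after and text != prev_text and ts - prev_ts <= window:
                alerts.append({"chain": before, "original": prev_text,
                               "replacement": text, "at": ts})
        prev_ts, prev_text = ts, text
    return alerts

# Constructed clipboard history: (timestamp in seconds, clipboard content).
# The addresses are fake but shaped like real ones; no real wallets are involved.
SAMPLE_SNAPSHOTS = [
    (0.0, "meeting notes: send invoice"),
    (5.0, "T" + "Victim" + "5" * 27),        # user copies their Tron address
    (5.3, "T" + "Thief" + "7" * 28),         # silently swapped 300 ms later
    (20.0, "VictimSo1ana" + "9" * 20),       # user copies a Solana address
    (20.1, "VictimSo1ana" + "9" * 20),       # re-copied unchanged: benign
    (60.0, "AttackerSo1ana" + "8" * 20),     # different address, 40 s later: benign
]

if __name__ == "__main__":
    for a in find_swaps(SAMPLE_SNAPSHOTS):
        print(f"[{a['chain']}] {a['original']} -> {a['replacement']} at t={a['at']}s")
```

On a live host the snapshot list would be fed from a clipboard-polling loop or an EDR clipboard telemetry feed; the detection logic itself does not change.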
Kaspersky’s analysis shows Efimer has extra scripts that can brute-force WordPress logins by automatically generating target domains from Wikipedia word lists, then testing large batches of passwords against them.
When credentials are cracked, attackers can post malicious files or lure users with fake movie torrents. One such lure involves a password-protected torrent that appears to contain a film in XMPEG format but actually installs another Efimer variant, complete with spoofed wallets for Tron and Solana.
Another script, nicknamed “Liame,” focuses on gathering email addresses from specified websites. It can scrape addresses from HTML and mailto links, then send them back to the attackers.
The same infrastructure can also push spam-like payloads to targeted domains. This versatility means Efimer can serve both as a direct theft tool and as part of a larger spam or phishing system.
From October 2024 to July 2025, Kaspersky products detected over 5,000 users hit by Efimer, with the highest activity in Brazil, followed by India, Spain, Russia, Italy and Germany. The attackers clearly target both individuals, through torrents and phishing, and businesses, by compromising corporate websites.
To protect your system from the Efimer trojan, don’t open suspicious attachments, don’t download torrents from random sites and keep your antivirus software updated. For website owners, strong passwords, two-factor authentication and regular software updates are critical to keep attackers from installing malware on their servers.
HackRead