
Brazil Hit by AI Phishing and Efimer Crypto Trojan

Cybersecurity researchers are sounding the alarm on a dual-pronged threat targeting Brazil. In one campaign, threat actors are leveraging legitimate generative AI tools like DeepSite AI to create highly convincing phishing pages of Brazilian government agencies. The goal is to trick unsuspecting users into making payments through the PIX system. These fraudulent sites are boosted with SEO poisoning to appear in top search results. Zscaler ThreatLabz reports that source code analysis reveals clear signs of AI, including overly explanatory comments and modern styling frameworks. Simultaneously, a separate malspam campaign is distributing the Efimer trojan, a potent malware designed to steal cryptocurrency, which has already impacted over 5,000 users. This article delves into both of these financially motivated attacks.

AI-Powered Phishing Mimics Brazilian Government

A new, financially motivated campaign is using legitimate generative artificial intelligence (AI)-powered website building tools like DeepSite AI and BlackBox AI to create replica phishing pages that mimic Brazilian government agencies.

According to Zscaler ThreatLabz, the activity involves creating lookalike sites that imitate Brazil’s State Department of Traffic and Ministry of Education. These sites are designed to trick unsuspecting users into making unwarranted payments through the country’s PIX payment system. To maximize their reach, the fraudulent sites are artificially boosted using search engine optimization (SEO) poisoning techniques to enhance their visibility.

In a report, Zscaler’s Jagadeeswar Ramanukolanu, Kartik Dixit, and Yesenia Barajas explained:

“Source code analysis reveals signatures of generative AI tools, such as overly explanatory comments meant to guide developers, non-functional elements that would typically work on an authentic website, and trends like TailwindCSS styling, which is different from the traditional phishing kits used by threat actors.”

The ultimate goal is to serve bogus forms that collect sensitive personal information, including Cadastro de Pessoas Físicas (CPF) numbers and residential addresses, and to convince victims to make a one-time payment of 87.40 reals ($16) via PIX. The payment is disguised as a fee for completing a psychometric and medical exam or for securing a job offer.

To further increase the legitimacy of the campaign, the phishing pages employ staged data collection by progressively requesting more information from the victim, mirroring the behavior of the authentic websites. The collected CPF numbers are even validated on the backend by an API created by the threat actor.

“The API domain identified during analysis is registered by the threat actor,” Zscaler said. “The API retrieves data associated with the CPF number and automatically populates the phishing page with information linked to the CPF.”

Zscaler also noted that it’s possible the attackers acquired CPF numbers and user details through previous data breaches or by leveraging publicly exposed APIs. This information is then used to increase the credibility of their phishing attempts.

“While these phishing campaigns are currently stealing relatively small amounts of money from victims, similar attacks can be used to cause far more damage,” Zscaler concluded.

Efimer Trojan Steals Crypto in Mass Mailing Campaign

Brazil has also become the focus of a malspam campaign that impersonates lawyers from a major company to deliver a malicious script called Efimer, designed to steal a victim’s cryptocurrency. According to the Russian cybersecurity company Kaspersky, the mass mailing campaign was detected in June 2025, with early iterations of the malware dating back to October 2024 and spreading via infected WordPress websites.

“These emails falsely claimed the recipient’s domain name infringed on the sender’s rights,” researchers Vladimir Gursky and Artem Ushkov noted in their findings. “This script also includes additional functionality that helps attackers spread it further by compromising WordPress sites and hosting malicious files there, among other techniques.”

Besides propagating via compromised WordPress sites and email, Efimer leverages malicious torrents as a distribution vector while communicating with its command-and-control (C2) server via the TOR network. Furthermore, the malware can extend its capabilities with additional scripts that can brute-force passwords for WordPress sites and harvest email addresses from specified websites for future email campaigns.

“The script receives domains [from the C2 server] and iterates through each one to find hyperlinks and email addresses on the website pages,” Kaspersky said, noting it also serves as a spam module engineered to fill out contact forms on target websites.

In the attack chain documented by Kaspersky, the emails come with ZIP archives containing another password-protected archive and an empty file with a name specifying the password. Within the second ZIP file is a malicious Windows Script File (WSF) that infects the machine with Efimer when launched.

Simultaneously, the victim is shown a distracting error message stating the document cannot be opened. In reality, the WSF script saves two other files, “controller.js” (the trojan) and “controller.xml,” and creates a scheduled task on the host using the configuration from “controller.xml.”
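The delivery chain described above (outer ZIP, inner password-protected ZIP, empty file whose name is the password, Windows Script File inside) has a recognisable shape that can be triaged before anything is executed. The following Python helper is an added example written for this article; it is not Kaspersky's code and does not use any real sample. It builds a harmless look-alike archive in memory (file names such as `documento.zip`, `Senha1234` and `processo_judicial.wsf` are constructed placeholders) and reports whether the archive matches the pattern. Because the standard library cannot write encrypted ZIPs, the constructed inner archive is unencrypted; the password attempt is still exercised and would fail cleanly on a real encrypted archive with the wrong password.

```python
"""Triage helper for the nested-archive lure pattern (constructed example).

Pattern looked for:
  outer ZIP -> [inner ZIP, zero-byte file whose NAME is the inner password]
  inner ZIP -> Windows Script File (.wsf) or similar script host file
"""
import io
import zipfile

SCRIPT_SUFFIXES = (".wsf", ".js", ".jse", ".vbs", ".vbe", ".hta")


def triage_nested_archive(outer_bytes: bytes) -> dict:
    """Inspect an outer ZIP for the nested-archive-plus-empty-file pattern.

    'suspicious' is True when a nested archive, a zero-byte password-carrier
    file and a script inside the nested archive are all present.
    """
    report = {
        "nested_archive": None,
        "candidate_password": None,
        "inner_encrypted": False,
        "password_works": None,
        "script_members": [],
        "suspicious": False,
    }
    with zipfile.ZipFile(io.BytesIO(outer_bytes)) as outer:
        for info in outer.infolist():
            if info.is_dir():
                continue
            if info.filename.lower().endswith(".zip"):
                report["nested_archive"] = info.filename
            elif info.file_size == 0:
                # The lure carries the password as the NAME of an empty file.
                report["candidate_password"] = info.filename
        if report["nested_archive"] is None:
            return report
        inner_bytes = outer.read(report["nested_archive"])

    with zipfile.ZipFile(io.BytesIO(inner_bytes)) as inner:
        members = [i for i in inner.infolist() if not i.is_dir()]
        for info in members:
            # General-purpose flag bit 0 marks a ZIP entry as encrypted.
            if info.flag_bits & 0x1:
                report["inner_encrypted"] = True
            if info.filename.lower().endswith(SCRIPT_SUFFIXES):
                report["script_members"].append(info.filename)
        pwd = report["candidate_password"]
        if pwd is not None and members:
            try:
                # Only reads one byte; nothing is written to disk or executed.
                with inner.open(members[0], pwd=pwd.encode()) as fh:
                    fh.read(1)
                report["password_works"] = True
            except (RuntimeError, zipfile.BadZipFile):
                report["password_works"] = False

    report["suspicious"] = bool(
        report["candidate_password"] and report["script_members"]
    )
    return report


def build_constructed_sample() -> bytes:
    """Build a harmless look-alike of the lure in memory (constructed, no malware).

    The inner archive is NOT encrypted here because zipfile cannot write
    encrypted ZIPs; the password attempt is still exercised.
    """
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("processo_judicial.wsf",
                   "<job><script language='JScript'>// placeholder</script></job>")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("documento.zip", inner.getvalue())
        z.writestr("Senha1234", b"")  # empty file; its name is the password
    return outer.getvalue()


if __name__ == "__main__":
    print(triage_nested_archive(build_constructed_sample()))
```

In a mail gateway or sandbox pre-filter the same check can run on every attachment: a zero-byte member sitting next to a nested archive is unusual in legitimate mail, and a script host file inside the nested archive is the point at which to quarantine rather than deliver.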

The “controller.js” file is clipper malware designed to replace cryptocurrency wallet addresses the user copies to their clipboard with an address under the attacker’s control. It can also capture screenshots and execute additional payloads received from the C2 server, connecting over the TOR network after installing a TOR proxy client on the infected computer.
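Seen from the defender's side, a clipper leaves a simple behavioural trace: a wallet address the user copied is replaced, within moments and without any copy action, by a different address of the same family. The Python below is an added example for this article, not code from Kaspersky or from the malware; it classifies clipboard snapshots with address patterns for Bitcoin and Ethereum (the two families are an assumption chosen for illustration) and flags substitutions. The snapshots are constructed inline, so the script never reads the real clipboard; a monitoring agent would feed it samples from its own clipboard hook.

```python
"""Clipboard-swap heuristic for clipper detection (constructed example).

A clipper replaces an address the user copied with one the attacker controls.
From a clipboard monitor that looks like: address of family X, replaced by a
DIFFERENT address of family X, shortly afterwards, with no user copy action.
"""
import re
from dataclasses import dataclass

ADDRESS_PATTERNS = {
    # Legacy/P2SH base58 addresses or bech32 addresses starting with bc1.
    "btc": re.compile(
        r"^(?:bc1[ac-hj-np-z02-9]{25,62}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


@dataclass(frozen=True)
class ClipboardSample:
    t: float          # seconds since the monitor started
    text: str         # clipboard contents at that moment
    user_copy: bool   # True when the sample coincides with a user copy action


def classify(text: str):
    """Return the wallet family of a clipboard string, or None."""
    s = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return family
    return None


def find_swaps(samples, window_s: float = 3.0):
    """Flag address substitutions that were not caused by a user copy.

    Each finding is (family, original_address, replacement_address, t_replaced).
    """
    findings = []
    prev = None
    for cur in sorted(samples, key=lambda s: s.t):
        if prev is not None:
            prev_family, cur_family = classify(prev.text), classify(cur.text)
            same_family = prev_family is not None and prev_family == cur_family
            changed = prev.text.strip() != cur.text.strip()
            quick = (cur.t - prev.t) <= window_s
            if same_family and changed and quick and not cur.user_copy:
                findings.append(
                    (cur_family, prev.text.strip(), cur.text.strip(), cur.t))
        prev = cur
    return findings


# Constructed samples: the ETH address is swapped 0.4 s after the user copied it.
CONSTRUCTED_SAMPLES = [
    ClipboardSample(0.0, "meeting notes", True),
    ClipboardSample(5.0, "0x" + "ab" * 20, True),    # user copies their address
    ClipboardSample(5.4, "0x" + "cd" * 20, False),   # silently replaced
    ClipboardSample(20.0, "bc1" + "q" * 30, True),   # user copies a BTC address
    ClipboardSample(30.0, "bc1" + "p" * 30, True),   # another user copy: no swap
]

if __name__ == "__main__":
    for finding in find_swaps(CONSTRUCTED_SAMPLES):
        print("possible clipper activity:", finding)
```

The `user_copy` flag is what keeps the heuristic from firing on a user pasting one address and then copying another; on Windows an agent can populate it from the clipboard-update notification paired with the foreground input event, and the detection itself stays a pure function that is easy to unit test.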

Kaspersky said it also discovered a second version of Efimer that, along with clipper features, incorporates anti-VM features and scans web browsers like Google Chrome and Brave for cryptocurrency wallet extensions related to Atomic, Electrum, and Exodus, among others.

Based on telemetry, the campaign is estimated to have impacted 5,015 users, with a majority of the infections concentrated in Brazil, India, Spain, Russia, Italy, Germany, the U.K., Canada, France, and Portugal.

“While its primary goal is to steal and swap cryptocurrency wallets, it can also leverage additional scripts to compromise WordPress sites and distribute spam,” the researchers said. “This allows it to establish a complete malicious infrastructure and spread to new devices.”
