Efimer Steals Cryptocurrency, Hacks WordPress, and Sends Spam

Researchers at Kaspersky have identified a wave of cyberattacks involving the Efimer Trojan. The malware spreads through compromised WordPress websites, torrents, and phishing emails. Its primary purpose is to steal and replace cryptocurrency wallet addresses. With the help of additional scripts, it can also brute-force passwords for WordPress sites and harvest email databases for large-scale spam campaigns.
Targeting Both Individuals and Businesses
A notable feature of the campaign is its dual focus on individual users and corporate targets. For individuals, attackers distribute Efimer through torrent files disguised as popular movies. For businesses, they send phishing emails posing as legal complaints over alleged unauthorized use of trademarked words or phrases.
The first versions of Efimer appeared in October 2024, initially spreading only through compromised WordPress websites—a method still in use. In mid-2025, attackers expanded their distribution channels to include email-based delivery.
WordPress Infections via Movie Lures
Attackers scan for poorly secured WordPress sites, crack admin passwords, and post enticing messages offering “free downloads” of newly released movies. The links lead to password-protected archives containing a torrent file, which in turn drops a malicious executable disguised as a media player (xmpeg_player.exe).

Phishing Campaigns Against Corporations
In June 2025, Kaspersky observed Efimer spreading to corporate email addresses, targeting both small and large businesses.
The phishing emails claim to come from corporate lawyers who have “reviewed” the recipient’s domain name and found it to contain trademarked terms. The emails suggest that legal action is imminent but may be avoided if the domain name is changed—and even offer to purchase it.
The “details” are supposedly in an attached, password-protected archive. In reality, the archive contains the Efimer malware. Once executed, it infects the system and displays only a fake error message to the user.

ClipBanker Activity and Command-and-Control
After infection, Efimer deploys controller.js, a ClipBanker-type Trojan that:
- Monitors the clipboard and replaces cryptocurrency wallet addresses with attacker-controlled ones.
- Scans for seed phrases.
- Executes arbitrary code from its command-and-control (C2) server.
To communicate with its C2 server, Efimer installs a Tor proxy client on the victim’s system. Multiple hardcoded download links for Tor are embedded to ensure installation even if some sources are blocked.
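The clipboard substitution described above has a recognisable shape from the defender's side: one valid wallet address is replaced by a different address of the same coin type almost immediately after the user copies it. The following Python is an added illustration, not Efimer's code and not Kaspersky's: it classifies clipboard contents by address format and flags that swap pattern over a series of clipboard snapshots. The address formats, the 2-second threshold and all sample addresses are constructed assumptions for the example.

```python
"""Added example: spotting ClipBanker-style clipboard substitution.

Not Efimer's code and not Kaspersky's. Models the defender's view: a poller
records clipboard snapshots, and a swap is flagged when one valid address is
replaced by a *different* address of the same coin type within a very short
interval. All sample data is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Publicly documented address formats handled here (assumption: these are the
# formats the monitor cares about; extend as needed).
ADDRESS_PATTERNS = {
    # Bitcoin legacy P2PKH / P2SH: Base58, starts with 1 or 3
    "btc-base58": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    # Bitcoin bech32: lowercase, bc1 prefix, bech32 charset (no 1, b, i, o)
    "btc-bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    # Ethereum / EVM: 0x followed by 40 hex characters
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the coin-type label if `text` looks like a wallet address, else None."""
    text = text.strip()
    for label, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return label
    return None


@dataclass
class Snapshot:
    t: float      # seconds since monitoring started
    content: str  # clipboard text observed at that instant


@dataclass
class SwapAlert:
    t: float
    kind: str
    original: str
    replacement: str


def detect_swaps(snapshots: List[Snapshot], max_gap: float = 2.0) -> List[SwapAlert]:
    """Flag consecutive snapshots where an address of one type was replaced by a
    different address of the same type within `max_gap` seconds.

    A person copying a second address usually takes longer than that; a
    clipboard-replacing Trojan reacts within a fraction of a second of the copy.
    The threshold is an assumption and should be tuned to the polling interval.
    """
    alerts: List[SwapAlert] = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        kind_prev = classify_address(prev.content)
        kind_cur = classify_address(cur.content)
        if kind_prev is None or kind_prev != kind_cur:
            continue  # not an address, or a different coin type: not a swap
        if prev.content.strip() == cur.content.strip():
            continue  # unchanged clipboard
        if cur.t - prev.t <= max_gap:
            alerts.append(SwapAlert(cur.t, kind_cur, prev.content.strip(), cur.content.strip()))
    return alerts


# Constructed snapshot sequence (all addresses are made up for the example):
#   t=10.0 user copies a bech32 address, t=10.3 it has silently changed  -> alert
#   t=60.0 user copies an ETH address, t=75.0 copies another one        -> no alert
SAMPLE_SNAPSHOTS = [
    Snapshot(0.0, "meeting notes for Tuesday"),
    Snapshot(10.0, "bc1qexampleuseraddr0000000000000000000"),
    Snapshot(10.3, "bc1qattackerwalletaddr000000000000000000"),
    Snapshot(45.0, "invoice #1187"),
    Snapshot(60.0, "0x" + "1234567890abcdef" * 2 + "12345678"),
    Snapshot(75.0, "0x" + "deadbeef" * 5),
]


def run_demo() -> List[SwapAlert]:
    """Run the detector over the constructed snapshots and return the alerts."""
    return detect_swaps(SAMPLE_SNAPSHOTS)


if __name__ == "__main__":
    for alert in run_demo():
        print(f"t={alert.t:.1f}s {alert.kind}: {alert.original} -> {alert.replacement}")
```

In a live monitor the snapshots would come from polling the OS clipboard at a fixed interval; the logic above is deliberately independent of that so it can be unit-tested on recorded data. Note the conservative choice of only flagging same-type replacements: a Trojan that swapped a Bitcoin address for an Ethereum one would make the victim's transaction fail, so real ClipBankers keep the coin type, and matching on it keeps false positives from ordinary copy-paste work low.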
Additional Malicious Scripts
On some infected machines, researchers found extra scripts loaded via the C2 server using the eval command:
- btdlg.js (MD5: 0f5404aa252f28c61b08390d52b7a054) – brute-forces WordPress passwords using word lists pulled from Wikipedia.
- assembly.js (MD5: 100620a913f0e0a538b115dbace78589) – another ClipBanker variant, similar to controller.js but with functional differences.
- Liame – an email-harvesting tool that collects addresses from specified websites and sends them to the attackers; target site lists are supplied by the C2 server.
Global Impact
From October 2024 to July 2025, Kaspersky recorded 5,015 users encountering Efimer-related attacks. The malware has been most active in Brazil (1,476 victims), followed by India, Spain, Russia, Italy, and Germany.
Mitigation Recommendations
Kaspersky advises users to:
- Avoid downloading torrents from unknown or suspicious sources.
- Verify the legitimacy of email senders before opening attachments.
- Keep antivirus databases up to date.