Uncovered in Russia: Money-swiping Virus Efimer detected by Kaspersky Lab
A new and dangerous malware known as Efimer has been detected, capable of stealing financial funds, replacing cryptocurrency wallets, and collecting passwords for websites. This Trojan, first identified in October 2024, continues to pose a threat to both individual and corporate users worldwide, with a recent surge in distribution through corporate email addresses discovered in June 2025.
How Efimer Spreads
Efimer initially spreads via compromised WordPress sites, phishing emails, and torrent downloads. The infection typically starts with a phishing email claiming domain or trademark infringement, containing a ZIP attachment. Inside is a password-protected archive with a malicious Windows Script File (WSF) that, when executed, installs Efimer on the victim’s machine.
To spread through WordPress sites, the operators behind Efimer look for poorly protected sites, brute-force their passwords, and publish posts offering downloads of recently released movies. These posts link to password-protected archives containing torrent files, which disguise the malware as an ordinary media player.
Core Functionality of Efimer
When launched, the Efimer Trojan infects the computer, with the user only seeing an error notification. However, behind the scenes, the malware begins its nefarious activities. Efimer functions as a dropper, banking Trojan, and spyware.
The primary purpose of Efimer is to steal and replace cryptocurrency wallets, but it can also be used to brute-force WordPress site passwords and collect email databases for further spam distribution. Once installed, the Trojan captures screenshots and connects to its command and control (C2) server over the Tor network to download additional payloads. A second variant includes anti-virtual machine (anti-VM) techniques for stealth and can scan browsers such as Chrome and Brave for installed cryptocurrency wallet extensions (e.g., Atomic, Electrum, Exodus), sending this information back to the attackers for further exploitation.
Notably, Efimer includes a clipper malware named "controller.js" that replaces copied cryptocurrency wallet addresses in the clipboard with attacker-controlled addresses, leading to theft of transferred funds.
Impact and Protection Measures
Brazil has been the most impacted country by Efimer, but users worldwide are urged to take precautions. To reduce exposure and impact from Efimer and similar trojans, users can follow several protection measures:
- Email security: Be cautious of unexpected emails claiming legal issues with attachments, especially ZIP archives with password-protected files.
- Filtering and scanning: Use email filters and advanced anti-malware solutions that detect Trojan droppers like Efimer (detected by Kaspersky as HEUR:Trojan-Dropper.Script.Efimer and related variants).
- Keep software updated: Regularly update WordPress sites, browsers, and wallet software to reduce exploitation risk.
- Use endpoint protection: Deploy robust antivirus/endpoint security with heuristics and behavior-based detection to block trojans and clipper malware.
- Avoid downloading from untrusted torrents or compromised websites.
- Verify wallet addresses manually before transfers instead of relying solely on clipboard pasting.
- Restrict execution of Windows Script Files (WSF) or use application whitelisting to prevent unknown scripts from running.
- Use anti-phishing training to raise awareness about phishing tactics involving domain infringement claims.
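The clipper behaviour described above and the "verify wallet addresses manually" advice can be turned into a concrete pre-transfer check. The following Python script is an added example, not code from the original article or from Kaspersky: it validates a pasted legacy Bitcoin address (Base58Check with the version byte and double-SHA-256 checksum) and compares it against a small address book of recipients the user actually intends to pay. The address book, its label, and the `verify_before_transfer` function are constructed for this illustration; the only real value is the well-known genesis-block address, used as a known-valid sample. A well-formed address that is not the one on file is exactly what a clipboard swap looks like, so it is reported separately from a simple typo.

```python
import hashlib
import re

# Base58 alphabet used by Bitcoin addresses (no 0, O, I, l).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Constructed address book for this example: the label is hypothetical; the
# address is the well-known Bitcoin genesis-block address, used as a valid sample.
ADDRESS_BOOK = {
    "exchange deposit": "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa",
}

# Loose shape check for legacy P2PKH/P2SH addresses (26-35 Base58 characters,
# starting with 1 or 3). Only used to decide whether clipboard text is worth checking.
BTC_SHAPE = re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$")


def b58decode(text: str) -> bytes:
    """Decode Base58 into bytes, restoring the leading zero bytes that '1' characters encode."""
    n = 0
    for ch in text:
        digit = B58_ALPHABET.find(ch)
        if digit < 0:
            raise ValueError(f"invalid Base58 character {ch!r}")
        n = n * 58 + digit
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_ones = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_ones + body


def b58encode(raw: bytes) -> str:
    """Encode bytes as Base58, emitting one '1' per leading zero byte."""
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    leading_zeros = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading_zeros + out


def checksum(payload: bytes) -> bytes:
    """Base58Check checksum: first 4 bytes of SHA-256(SHA-256(payload))."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def make_p2pkh_address(hash160: bytes) -> str:
    """Build a legacy (version 0x00) address from a 20-byte hash; used here only to construct test data."""
    payload = b"\x00" + hash160
    return b58encode(payload + checksum(payload))


def is_valid_legacy_address(addr: str) -> bool:
    """Structural check: 25 decoded bytes, known version byte (0x00 P2PKH / 0x05 P2SH), matching checksum."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):
        return False
    return checksum(raw[:21]) == raw[21:]


def verify_before_transfer(intended_label: str, clipboard_text: str) -> str:
    """Compare what is about to be pasted with the address the user meant to send to.

    Returns one of:
      "ok"        - clipboard matches the address-book entry for intended_label
      "malformed" - not a well-formed legacy address (typo, truncation, corruption)
      "unknown"   - well-formed address that is NOT the one on file: the signature
                    of a clipboard swap, so the transfer should be stopped
    """
    expected = ADDRESS_BOOK[intended_label]
    pasted = clipboard_text.strip()
    if pasted == expected:
        return "ok"
    if not BTC_SHAPE.match(pasted) or not is_valid_legacy_address(pasted):
        return "malformed"
    return "unknown"


if __name__ == "__main__":
    genuine = ADDRESS_BOOK["exchange deposit"]
    # Constructed stand-in for an attacker-controlled address: valid, but not on file.
    swapped = make_p2pkh_address(b"\x00" * 20)
    for sample in (genuine, swapped, genuine[:-1] + "b"):
        print(f"{sample}: {verify_before_transfer('exchange deposit', sample)}")
```

The check deliberately distinguishes "unknown" from "malformed": a clipper replaces the copied address with one that is itself valid, so checksum validation alone does not catch it; only comparison against the intended recipient does. Bech32 (`bc1...`) and other chains would need their own decoders, which this example does not cover.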
By following these steps, users can significantly reduce their risk of falling victim to the Efimer Trojan and similar cyber threats. Stay vigilant and protect your digital assets.
- In light of the Efimer malware's capability to steal financial funds and cryptocurrency, it is crucial for the cybersecurity industry to collaborate with the finance sector to develop robust security measures to protect against such threats.
- The integration of advanced technologies, such as artificial intelligence and machine learning, into cybersecurity solutions can help identify and mitigate the spread of malware like Efimer, enhancing overall digital security in both the science and finance industries.