Date: 2025-08-13

Phishing emails linked to Efimer trojan

Between October 2024 and July 2025, more than 5 000 users – both individuals and organisations – fell victim to the Efimer trojan, according to Kaspersky Network Security.

The malware was particularly impactful in Brazil, affecting around 1 500 victims. These attacks also targeted users in India, Spain, Russia, Italy, and Germany.

Kaspersky has discovered a rapidly escalating malicious campaign targeting corporate users with Efimer – a trojan designed to steal and replace cryptocurrency wallet addresses. Initial versions of Efimer appeared in October 2024 and were distributed through compromised WordPress websites. However, in June 2025, the malware began spreading via phishing emails too.

Disguised as a legal firm, the attackers send emails threatening recipients with lawsuits over alleged domain name patent violations to trick them into downloading the malware. This approach allows Efimer to build its own malicious infrastructure and continue spreading to new devices.

“This Trojan is notable for its dual approach to spreading – targeting both individual users and corporate environments with different tactics,” says Artyom Ushkov, threat researcher at Kaspersky. “For private users, attackers use torrent files pretending to be popular movies to lure victims, while in corporate settings they rely on fraudulent emails containing legal threats. Crucially, in both cases, compromise only occurs if the user actively downloads and executes the malicious file.”

Kaspersky recommends corporate and individual users: