{"id":54066,"date":"2025-08-08T05:02:56","date_gmt":"2025-08-08T09:02:56","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=54066"},"modified":"2025-08-08T05:02:56","modified_gmt":"2025-08-08T09:02:56","slug":"efimer-trojan-steals-crypto","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/efimer-trojan-steals-crypto\/54066\/","title":{"rendered":"Efimer Trojan using hacked websites to steal cryptocurrency"},"content":{"rendered":"<p>If you\u2019re an active cryptocurrency user but you\u2019re still downloading torrent files and aren\u2019t sure how to safely store your seed phrases, we\u2019ve some bad news for you. We\u2019ve discovered a new Trojan, Efimer, that replaces crypto wallet addresses right in your clipboard. One click is all it takes for your money to end up in a hacker\u2019s wallet.<\/p>\n<p>Here\u2019s what you need to do to keep your crypto safe.<\/p>\n<h2>How Efimer spreads<\/h2>\n<p>One of Efimer\u2019s main distribution channels is WordPress websites. It doesn\u2019t help that WordPress is a free content-management system for websites \u2014 or that it\u2019s the world\u2019s <a href=\"https:\/\/www.wpzoom.com\/blog\/wordpress-statistics\/\" target=\"_blank\" rel=\"nofollow noopener\">most popular<\/a>. Everyone from small-time bloggers and businesses to major media outlets and corporations uses it. 
Scammers exploit poorly secured sites and publish posts with infected torrent files.<\/p>\n<div id=\"attachment_54071\" style=\"width: 1034px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2025\/08\/08034453\/efimer-trojan-steals-crypto-01.png\"><img decoding=\"async\" aria-describedby=\"caption-attachment-54071\" class=\"size-large wp-image-54071\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2025\/08\/08034453\/efimer-trojan-steals-crypto-01-1024x824.png\" alt=\"This is what a hacked WordPress website infected with Efimer looks like\" width=\"1024\" height=\"824\"><\/a><p id=\"caption-attachment-54071\" class=\"wp-caption-text\">This is what a hacked WordPress website infected with Efimer looks like<\/p><\/div>\n<p>When a user downloads a torrent file from an infected site, they get a small folder that contains what looks like a movie file with the .xmpeg extension. You can\u2019t open a file in that format without a \u201cspecial media player\u201d, which is conveniently included in the folder. In reality, the \u201cplayer\u201d is a Trojan installer.<\/p>\n<div id=\"attachment_54070\" style=\"width: 693px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2025\/08\/08034359\/efimer-trojan-steals-crypto-02.png\"><img decoding=\"async\" aria-describedby=\"caption-attachment-54070\" class=\"wp-image-54070 size-full\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2025\/08\/08034359\/efimer-trojan-steals-crypto-02.png\" alt=\"The torrent folder with the malicious files inside\" width=\"683\" height=\"202\"><\/a><p id=\"caption-attachment-54070\" class=\"wp-caption-text\">The torrent folder with the malicious files inside<\/p><\/div>\n<p>Recently, Efimer has also started spreading through phishing emails. 
Website and domain owners receive emails, purportedly from lawyers, falsely claiming copyright infringement and demanding content removal. The emails say all the details are in the attachment\u2026\u00a0which is actually where the Trojan is lurking. Even if you don\u2019t own a website yourself, you can still receive spam email messages with Efimer attached. Threat actors collect user email addresses from WordPress sites they\u2019ve previously compromised. So, if you get an email like this, whatever you do, don\u2019t open the attachment.<\/p>\n<h2>How Efimer steals your crypto<\/h2>\n<p>Once Efimer infects a device, one of its scripts adds itself to the Windows Defender exclusion list, so that its files are no longer scanned; this step only works if the user has administrator privileges. The malware then installs a <a href=\"https:\/\/www.kaspersky.com\/blog\/what-you-need-to-know-about-tor-browser-and-anonymity\/52549\/\" target=\"_blank\" rel=\"noopener nofollow\">Tor<\/a> client to communicate with its command-and-control server.<\/p>\n<p>Efimer accesses the clipboard and searches for a seed phrase: the sequence of words from which a crypto wallet\u2019s private keys are derived, so anyone who has it controls the wallet. The Trojan saves this phrase and sends it to the attackers\u2019 server. If it also finds a crypto wallet address in the clipboard, Efimer discreetly swaps it out for one controlled by the attackers. To avoid raising suspicion, the fake address is often very similar to the original, so a quick glance won\u2019t catch the swap. The end result is that when the victim pastes the address and confirms the transfer, the cryptocurrency goes to the cybercrooks.<\/p>\n<p>Wallets containing Bitcoin, Ethereum, Monero, Tron, or Solana are primarily at risk, but owners of other cryptocurrencies shouldn\u2019t let their guard down. The developers of Efimer regularly update the malware by adding new scripts and extending support for more crypto wallets. 
You can find out more about Efimer\u2019s capabilities in our analysis on <a href=\"https:\/\/securelist.com\/efimer-trojan\/117148\/\" target=\"_blank\" rel=\"noopener\">Securelist<\/a>.<\/p>\n<h2>Who\u2019s at risk?<\/h2>\n<p>The Trojan is attacking Windows users all over the world. Currently, the malware is most active in Brazil, Russia, India, Spain, Germany, and Italy, but the scope of these attacks could easily expand to your country, if it\u2019s not already on the list. Users of crypto wallets, owners of WordPress sites, and those who frequently download movies, games, and torrent files from the internet should be especially vigilant.<\/p>\n<h2>How to protect yourself from Efimer<\/h2>\n<p>The Efimer Trojan is a real jack-of-all-trades. It steals seed phrases, swaps wallet addresses in the clipboard, and poses a serious threat to both individuals and organizations. It can use scripts to hack WordPress sites, and is able to spread on its own. However, in every case, a device can only be infected if the potential victim downloads and opens a malicious file themselves. This means that a little vigilance and a healthy dose of caution \u2014 ignoring files from suspicious sources at the very least \u2014 is your best defense against Efimer.<\/p>\n<p>Here are our recommendations for home users:<\/p>\n<ul>\n<li>Use a <a href=\"https:\/\/www.kaspersky.com\/premium?icid=gl_bb2023-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___\" target=\"_blank\" rel=\"noopener nofollow\">robust security solution<\/a>\u00a0that can scan files for malware and warn you against opening phishing links.<\/li>\n<li>Create unique and <a href=\"https:\/\/www.kaspersky.com\/blog\/international-password-day-2025\/53355\/\" target=\"_blank\" rel=\"noopener nofollow\">strong passwords<\/a>. And no, storing them in your notes app is not a good idea. 
Make sure you use a <a href=\"https:\/\/www.kaspersky.com\/password-manager?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____kpm___\" target=\"_blank\" rel=\"noopener nofollow\">password manager<\/a>.<\/li>\n<li>Use <a href=\"https:\/\/www.kaspersky.com\/blog\/what-is-two-factor-authentication\/48289\/\" target=\"_blank\" rel=\"noopener nofollow\">two-factor authentication<\/a> to sign in to crypto wallets and websites.<\/li>\n<li>Avoid downloading movies or games from unverified sites. Pirated content is often <a href=\"https:\/\/www.kaspersky.com\/blog\/malware-in-pirated-games-2021\/41352\/\" target=\"_blank\" rel=\"noopener nofollow\">crawling<\/a> with all kinds of Trojans. Even if you choose to take that risk, pay close attention to the file extensions. A regular video file definitely won\u2019t have an .exe or .xmpeg extension. Windows hides known file extensions by default, so turn that setting off in File Explorer to see them.<\/li>\n<li>Don\u2019t store your seed phrases in plain text files, and don\u2019t copy them to the clipboard, which is exactly where Efimer looks for them. Trust a <a href=\"https:\/\/www.kaspersky.com\/password-manager?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____kpm___\" target=\"_blank\" rel=\"noopener nofollow\">password manager<\/a>.\u00a0Read <a href=\"https:\/\/www.kaspersky.com\/blog\/bybit-hack-lessons-how-to-do-self-custody-properly\/53155\/\" target=\"_blank\" rel=\"noopener nofollow\">this article<\/a> to learn more about how to protect your cryptocurrency assets.<\/li>\n<li>Before confirming a transfer, compare the whole pasted address with the one you copied, character by character. A swapped address that looks right at a glance is exactly what Efimer relies on.<\/li>\n<\/ul>\n<blockquote><p>What other threats lurk in the crypto world:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/bybit-hack-lessons-how-to-do-self-custody-properly\/53155\/\" target=\"_blank\" rel=\"noopener nofollow\">Lessons from the Bybit hack: how to store crypto safely<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/cryptowallet-free-seed-phrase-scam\/52810\/\" target=\"_blank\" rel=\"noopener nofollow\">You found a seed phrase from someone else\u2019s cryptowallet: what could go wrong?<\/a><\/li>\n<li><a 
href=\"https:\/\/www.kaspersky.com\/blog\/ios-android-stealer-sparkkitty\/53675\/\" target=\"_blank\" rel=\"noopener nofollow\">Your cat pics are at risk: the threat posed by the new SparkKitty Trojan<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/google-forms-scam\/53909\/\" target=\"_blank\" rel=\"noopener nofollow\">Beware of Google Forms bearing crypto gifts<\/a><\/li>\n<\/ul>\n<\/blockquote>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"premium-crypto-generic\">\n","protected":false},"excerpt":{"rendered":"<p>We\u2019ve uncovered a new Trojan \u2014 Efimer \u2014 which steals cryptocurrency via the clipboard. Here&#8217;s how it functions, and how you can stay protected.<\/p>\n","protected":false},"author":2706,"featured_media":54067,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2683],"tags":[374,2640,2713,76,3244,422,723],"class_list":{"0":"post-54066","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-bitcoin","9":"tag-cryptocurrencies","10":"tag-ethereum","11":"tag-phishing","12":"tag-stealers","13":"tag-threats","14":"tag-trojans"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/efimer-trojan-steals-crypto\/54066\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/efimer-trojan-steals-crypto\/29381\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/efimer-trojan-steals-crypto\/24495\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/efimer-trojan-steals-crypto\/29329\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/efimer-trojan-steals-crypto\/40254\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/efimer-trojan-steals-crypto\/29546\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/efimer-trojan-steals-crypto\/35248\/"},{"hr
eflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/efimer-trojan-steals-crypto\/34896\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/cryptocurrencies\/","name":"cryptocurrencies"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/54066","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2706"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=54066"}],"version-history":[{"count":4,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/54066\/revisions"}],"predecessor-version":[{"id":54073,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/54066\/revisions\/54073"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/54067"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=54066"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=54066"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=54066"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
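The clipboard-swapping behaviour described under "How Efimer steals your crypto", worked through as an added example that is not Efimer's code and not Kaspersky's tooling. It recognises addresses for the five chains the article names by shape only, flags a seed phrase sitting in the clipboard, models the clipper's choice of a look-alike replacement, and shows the check a wallet confirm dialog or a clipboard watcher can run before a transfer goes out: compare the whole pasted address with the one that was copied. Every address and the seed phrase are constructed for the demo; the function names, the four-character similarity threshold and the shape-only regexes are assumptions of this example, not anything from the Efimer analysis.

```python
"""Clipboard-hijacking ("clipper") checks for crypto addresses and seed phrases.

Added example for this article, not Efimer's code and not a Kaspersky tool.
It models what a defender can check on the clipboard: whether a seed phrase
has landed there, and whether the address about to be pasted is still the
one that was copied. A clipper replaces it, often with a look-alike that
shares the first and last characters. Every sample address below is
constructed for the demo and is not a real wallet; chains are recognised by
address shape only, with no checksum validation.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Shape-only patterns for the chains the article names. Solana is checked last
# because a plain base58 string of that length also matches other chains.
ADDRESS_PATTERNS = [
    ("bitcoin", re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{25,87})$")),
    ("ethereum", re.compile(r"^0x[0-9a-fA-F]{40}$")),
    ("monero", re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$")),
    ("tron", re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$")),
    ("solana", re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$")),
]

# BIP39 mnemonics are 12, 15, 18, 21 or 24 lowercase words of 3 to 8 letters.
# Heuristic only: a full check would look every word up in the 2048-word list.
SEED_LENGTHS = {12, 15, 18, 21, 24}
SEED_WORD = re.compile(r"^[a-z]{3,8}$")


def classify_address(text: str) -> Optional[str]:
    """Return the chain name if `text` has the shape of a wallet address, else None."""
    text = text.strip()
    for chain, pattern in ADDRESS_PATTERNS:
        if pattern.match(text):
            return chain
    return None


def looks_like_seed_phrase(text: str) -> bool:
    """True if `text` has the word count and word shape of a BIP39 mnemonic."""
    words = text.split()
    return len(words) in SEED_LENGTHS and all(SEED_WORD.match(w) for w in words)


def shared_edges(a: str, b: str) -> Tuple[int, int]:
    """Length of the common prefix and the (non-overlapping) common suffix."""
    limit = min(len(a), len(b))
    prefix = 0
    while prefix < limit and a[prefix] == b[prefix]:
        prefix += 1
    suffix = 0
    while suffix < limit - prefix and a[-1 - suffix] == b[-1 - suffix]:
        suffix += 1
    return prefix, suffix


def clipper_pick(victim_addr: str, attacker_addrs: List[str]) -> Optional[str]:
    """Threat model of the swap the article describes: the clipper needs an
    attacker address on the same chain and prefers the one that resembles the
    victim's most (longest shared prefix plus suffix)."""
    chain = classify_address(victim_addr)
    same_chain = [a for a in attacker_addrs if classify_address(a) == chain]
    if chain is None or not same_chain:
        return None
    return max(same_chain, key=lambda a: sum(shared_edges(victim_addr, a)))


@dataclass
class Verdict:
    ok: bool
    reason: str
    chain: Optional[str] = None


def check_paste(copied: str, pasted: str) -> Verdict:
    """Compare the address the user copied with what is about to be pasted."""
    copied, pasted = copied.strip(), pasted.strip()
    if looks_like_seed_phrase(pasted):
        return Verdict(False, "seed phrase in clipboard: it is now exposed, move the funds to a new wallet")
    chain = classify_address(pasted)
    if chain is None:
        return Verdict(True, "not a wallet address")
    if copied == pasted:
        return Verdict(True, "address unchanged", chain)
    prefix, suffix = shared_edges(copied, pasted)
    if prefix >= 4 or suffix >= 4:  # threshold is an assumption of this example
        return Verdict(False, f"look-alike substitution: shares {prefix} leading and {suffix} trailing characters", chain)
    return Verdict(False, "address replaced in clipboard", chain)


# Constructed sample data (not real wallets). The look-alike keeps the first
# 16 and last 8 hex digits of the victim's address and changes the middle.
COPIED_ETH = "0x1f2e3d4c5b6a7988" + "0" * 16 + "aaaa7f31"
LOOKALIKE_ETH = "0x1f2e3d4c5b6a7988" + "f" * 16 + "aaaa7f31"
UNRELATED_ETH = "0x" + "9" * 40
ATTACKER_BTC = "1CLPRTESTADDRNQTREA23456789ABCDE"
ATTACKER_WALLETS = [ATTACKER_BTC, UNRELATED_ETH, LOOKALIKE_ETH]
SAMPLE_SEED = "abandon ability able about above absent absorb abstract absurd abuse access accident"

if __name__ == "__main__":
    swapped = clipper_pick(COPIED_ETH, ATTACKER_WALLETS)
    print("clipper would paste:", swapped)
    print(check_paste(COPIED_ETH, swapped))
    print(check_paste(COPIED_ETH, COPIED_ETH))
    print(check_paste("", SAMPLE_SEED))
```

The prefix/suffix count in the verdict only explains why a glance did not catch the swap; any difference at all between the copied and the pasted address should block the transfer, which is why the unrelated-address case is also reported as a failure.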