Efimer Trojan Attack Report: From Fake Lawsuits to Cryptocurrency Heists
Overview of the Efimer Trojan Malware
The Efimer Trojan is a stealthy, cryptocurrency-stealing malware uncovered in October 2024 and actively deployed across Brazil, India, Spain, Russia, Italy, Germany, the UK, Canada, France, and Portugal. Aimed at cryptocurrency users, the campaign uses phishing emails, compromised WordPress sites, and fake torrent downloads to deliver its payloads. Disguised as urgent legal notices from major law firms, Efimer lures victims into downloading malicious attachments, ultimately stealing cryptocurrency wallet addresses, recovery phrases, and clipboard data.
Attack Vectors and Initial Access Methods
Phishing Emails Masquerading as Legal Notices
The campaign relies heavily on phishing emails that impersonate law firms. Victims are accused of domain trademark infringement and tricked into opening a password-protected ZIP archive. Inside, a Windows Script File executes the Efimer Trojan, bypasses Windows Defender, creates persistence in the Windows registry, and shows a fake error message to mask the infection.
WordPress Exploitation and Brute-Force Attacks
Attackers also compromise WordPress sites by brute-forcing admin credentials and planting malicious payloads. These sites not only distribute Efimer but also harvest email addresses for future spam campaigns. The operation leverages scripts that run in constant loops, performing credential stuffing, hosting malware, and executing attacker-supplied JavaScript code.
Fake Torrent Downloads and Pirated Media
Another distribution method involves fake torrents disguised as pirated movies or bundled with fake media players. Victims are enticed to download XMPEG files containing Efimer installers preloaded with spoofed cryptocurrency wallet addresses to redirect transactions across multiple digital currencies.
Malware Capabilities and Stealth Techniques
ClipBanker Functionality for Cryptocurrency Theft
Efimer operates as a ClipBanker Trojan, monitoring clipboard activity for cryptocurrency wallet addresses or mnemonic recovery phrases. When detected, the malware instantly replaces them with attacker-controlled addresses, redirecting funds to cybercriminals. It also hunts for “SEED” files, captures screenshots, and exfiltrates sensitive data.
Use of Tor for Covert Communications
To avoid detection, Efimer installs a Tor proxy client, ensuring encrypted command-and-control (C2) communication. Multiple hardcoded sources guarantee resilience, and attackers can remotely issue commands including data exfiltration and self-deletion (KILL command) to wipe traces of infection.
Indicators of Compromise (IOCs)
Known Hashes and Malicious URLs
Efimer infections are associated with specific MD5 and SHA256 hashes of malicious files, as well as malicious URLs such as:
hxxps[:]//lovetahq[.]com/sinners-2025-torent-file/
hxxps[:]//lovetahq[.]com/wp-content/uploads/2025/04/movie_39055_xmpg[.]zip
hxxp[:]//cgky6bn6ux5wvlybtmm3z255igt52ljml2ngnc5qp3cnw5jlglamisad[.]onion
These indicators highlight the widespread and multi-channel distribution strategy of Efimer.
MITRE ATT&CK Mapping
Tactics and Techniques Used by Efimer
The Efimer Trojan maps to a wide range of MITRE ATT&CK tactics and techniques, including:
Initial Access (TA0001): Phishing (T1566), Spearphishing Attachments (T1566.001), Drive-by Compromise (T1189)
Execution (TA0002): Malicious File Execution (T1204.002), Command and Scripting Interpreter (T1059)
Persistence (TA0003): Registry Run Keys (T1547.001)
Credential Access & Discovery: Clipboard Data (T1115), System Discovery (T1082)
Exfiltration & C2: Exfiltration Over C2 Channel (T1041), Tor Proxy (T1090.003)
Impact: Data Manipulation (T1565), Cryptocurrency Wallet Theft
Defensive Recommendations
How to Protect Against Efimer Trojan Attacks
Scrutinize Emails: Treat unexpected legal notices or attachments as suspicious.
Avoid Shady Downloads: Stay away from torrents, pirated movies, and fake “free” downloads.
Secure WordPress Sites: Regularly update themes, plugins, and core software. Enable two-factor authentication.
Upgrade Endpoint Protection: Deploy NGAV and EDR solutions with behavioral detection to block malicious activities.
Monitor for IOCs: Actively track the listed malicious hashes, URLs, and Tor connections.
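Monitoring for the listed indicators can be automated. The Python below is an added example, not code from the report or from HivePro: it refangs the defanged URLs published above, extracts their hosts, and sweeps proxy-log lines for an exact host match or for any .onion destination, which the Tor-based C2 described earlier makes worth alerting on. The log format and client addresses are constructed for the example.

```python
import re
from typing import Dict, List, Set

# Defanged indicators as published in the report (hxxp(s), [:] and [.] bracketing).
DEFANGED_IOCS = [
    "hxxps[:]//lovetahq[.]com/sinners-2025-torent-file/",
    "hxxps[:]//lovetahq[.]com/wp-content/uploads/2025/04/movie_39055_xmpg[.]zip",
    "hxxp[:]//cgky6bn6ux5wvlybtmm3z255igt52ljml2ngnc5qp3cnw5jlglamisad[.]onion",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable URL."""
    return ioc.replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")


def ioc_hosts(iocs: List[str]) -> Set[str]:
    """Host component of each refanged URL, lower-cased for exact matching."""
    return {re.match(r"https?://([^/]+)", refang(i)).group(1).lower() for i in iocs}


# Constructed proxy log (not from the report): timestamp, client, method, target, status.
# The last line is a look-alike host that must NOT match, since matching is on the exact host.
SAMPLE_LOG = """\
2025-05-02T10:14:03Z 10.0.8.21 GET http://example.org/index.html 200
2025-05-02T10:15:11Z 10.0.8.34 GET https://lovetahq.com/wp-content/uploads/2025/04/movie_39055_xmpg.zip 200
2025-05-02T10:15:40Z 10.0.8.34 CONNECT cgky6bn6ux5wvlybtmm3z255igt52ljml2ngnc5qp3cnw5jlglamisad.onion:80 200
2025-05-02T10:16:02Z 10.0.8.50 CONNECT zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz.onion:443 200
2025-05-02T10:17:55Z 10.0.8.21 GET https://lovetahq.com.example.net/ 200
"""


def sweep(log_text: str, iocs: List[str]) -> List[Dict[str, str]]:
    """Return one hit per log line whose destination is a known IOC host or any .onion."""
    hosts = ioc_hosts(iocs)
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, client, _method, target = parts[:4]
        # GET/POST targets are URLs; CONNECT targets are host:port. Both reduce to a host.
        host = re.match(r"(?:https?://)?([^/:]+)", target).group(1).lower()
        if host in hosts:
            reason = "known Efimer host"
        elif host.endswith(".onion"):
            reason = "Tor hidden-service connection"
        else:
            continue
        hits.append({"ts": ts, "client": client, "host": host, "reason": reason})
    return hits
```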
Conclusion
Efimer Trojan: A Global Threat to Cryptocurrency Security
The Efimer Trojan demonstrates the growing sophistication of cybercrime targeting cryptocurrency users, website owners, and digital asset investors. By blending phishing, malware distribution, brute-force attacks, and clipboard hijacking, the attackers have built a multi-pronged cybercrime infrastructure. The best defense lies in vigilant email practices, secure web applications, and strong endpoint defenses.