AI-Driven Phishing Scam Targets Brazil as Efimer Trojan Swipes Crypto from 5,000 Victims


Rising Threats: Fraudulent Phishing Campaigns and Crypto-Hijacking Trojans in Brazil

Introduction to the New Phishing Threat

Recent investigations by cybersecurity experts have unveiled a sophisticated phishing campaign exploiting generative artificial intelligence (AI) tools. These tools, including DeepSite AI and BlackBox AI, are being used to create fraudulent websites that impersonate Brazilian government agencies. This alarming trend aims to deceive individuals into unauthorized payments through Brazil’s PIX payment system, highlighting the evolving tactics employed by cybercriminals.

Mimicking Government Websites

The malicious campaign is centered around replicas of official websites from Brazil’s State Department of Traffic and the Ministry of Education. By closely resembling legitimate sites, these counterfeit pages lure unsuspecting victims into making payments—typically around 87.40 reals (approximately $16)—under false pretenses, such as completing psychometric exams or securing job offers.

Zscaler ThreatLabz, an authority in cyber threat intelligence, reveals that the phishing sites are not only convincing but are also artificially enhanced in visibility via search engine optimization (SEO) poisoning. This tactic significantly boosts their chances of deceiving potential victims.

Detecting Advanced Techniques

A detailed analysis of the phishing sites indicates the use of AI-generated code. Researchers from Zscaler noted the presence of over-explanatory comments, non-functional website elements that would normally work on genuine sites, and design trends such as TailwindCSS, all of which contrast starkly with traditional phishing kits. These traits reflect a high degree of effort to make the fraudulent operation look legitimate.
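The three traits Zscaler lists (over-explanatory comments, dead links that would work on a real site, and Tailwind utility styling) can be turned into a simple triage heuristic for suspect pages. The scorer below is an added example written for this article, not Zscaler's tooling and not code recovered from the campaign; the thresholds, the Tailwind class list and the two sample pages are my own constructed assumptions, so treat the output as a prompt for manual review rather than a verdict.

```python
"""Heuristic triage of saved HTML for traits seen in AI-generated phishing pages.

Added example for this article. The indicators follow the three traits the
text describes; thresholds and samples are constructed assumptions.
"""
from html.parser import HTMLParser

TAILWIND_CDN = "cdn.tailwindcss.com"
# A few common Tailwind utility classes; several appearing together is the signal.
TAILWIND_CLASSES = {"flex", "items-center", "justify-between", "px-4", "py-2",
                    "rounded-lg", "bg-blue-600", "text-white", "shadow-md", "bg-gray-100"}
# href values that render a link but lead nowhere.
DEAD_HREFS = {"", "#", "javascript:void(0)", "javascript:;"}
VERBOSE_WORDS = 8  # comments at or above this word count count as "over-explanatory"


class _Collector(HTMLParser):
    """Gathers comments, anchor targets, script sources and class names."""

    def __init__(self):
        super().__init__()
        self.comments = []
        self.anchors = []
        self.scripts = []
        self.classes = set()

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # valueless attributes map to None
        if tag == "a":
            self.anchors.append((a.get("href") or "").strip())
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])
        if a.get("class"):
            self.classes.update(a["class"].split())


def score_page(html: str) -> dict:
    """Return per-indicator counts plus a 0..3 score (one point per trait)."""
    c = _Collector()
    c.feed(html)
    c.close()
    verbose = [m for m in c.comments if len(m.split()) >= VERBOSE_WORDS]
    dead = [h for h in c.anchors if h in DEAD_HREFS]
    tailwind = any(TAILWIND_CDN in s for s in c.scripts) or len(c.classes & TAILWIND_CLASSES) >= 3

    score = 0
    # Trait 1: most comments narrate the page at length.
    if len(verbose) >= 2 and len(verbose) / len(c.comments) >= 0.5:
        score += 1
    # Trait 2: most navigation links are placeholders.
    if c.anchors and len(dead) / len(c.anchors) >= 0.5:
        score += 1
    # Trait 3: Tailwind utility styling rather than a classic kit's stylesheet.
    if tailwind:
        score += 1
    return {
        "verbose_comments": len(verbose), "comment_total": len(c.comments),
        "dead_links": len(dead), "anchor_total": len(c.anchors),
        "tailwind": tailwind, "score": score,
        "verdict": "review" if score >= 2 else "low",
    }


# Constructed sample showing all three traits (not a real captured page).
SAMPLE_SUSPECT = """<!DOCTYPE html>
<html><head>
<!-- Load Tailwind CSS from the CDN so that utility classes can style the whole page layout -->
<script src="https://cdn.tailwindcss.com"></script>
</head><body class="bg-gray-100">
<!-- This is the header section of the page which contains the logo and the main navigation links -->
<header class="flex items-center justify-between px-4 py-2">
<a href="#">Início</a><a href="#">Serviços</a><a href="javascript:void(0)">Contato</a>
</header>
<!-- This is the form where the visitor enters an identification number before the payment step -->
<form><input name="id" placeholder="Número"><button class="bg-blue-600 text-white rounded-lg">Continuar</button></form>
</body></html>"""

# Constructed benign sample: terse comments, real links, a plain stylesheet.
SAMPLE_BENIGN = """<html><head><link rel="stylesheet" href="/static/site.css"></head>
<body><!-- nav -->
<nav><a href="/servicos">Serviços</a><a href="/contato">Contato</a><a href="/login">Entrar</a></nav>
<!-- TODO: footer -->
<footer class="site-footer"><a href="/privacidade">Privacidade</a></footer>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        print(name, score_page(page))
```

Each indicator is scored independently so that an analyst can see which trait fired; a legitimate site built with Tailwind will score at most one point on its own, which is why the verdict threshold is two.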

Collecting Sensitive Information

The core objective of these attacks is to collect sensitive personal data, including Cadastro de Pessoas Físicas (CPF) numbers—Brazilian taxpayer identification numbers—and residential addresses. To reinforce the scam’s apparent legitimacy, the phishing sites are designed to request more information step by step, creating a sense of urgency while looking like a genuine government workflow.

Interestingly, the attackers have implemented a backend API capable of validating CPF numbers. This API, registered by the fraudsters themselves, retrieves data linked to these identification numbers and auto-fills the phishing page, adding another layer of deception.

Possible Data Sources for the Attackers

Experts from Zscaler speculate that the attackers may have historically acquired CPF numbers and other user details through data breaches or by exploiting publicly accessible APIs. This potential access enables them to enhance the credibility of their scams and effectively target victims.

While the immediate financial impact of these phishing campaigns appears limited, Zscaler warns that the methods employed could facilitate much larger and more damaging operations in the future.

The Emergence of the Efimer Trojan

Simultaneously, a different threat is emerging within Brazil—a malspam campaign utilizing a malicious script named Efimer. This campaign masquerades as communication from lawyers representing a significant company, aimed at delivering the Efimer Trojan to unsuspecting users. Kaspersky, a prominent Russian cybersecurity firm, identified this alarming trend in June 2025, noting that the malware traces back to early iterations in October 2024.

Multi-Faceted Infection Methods

The Efimer Trojan spreads primarily via infected WordPress websites and deceptive emails. In these communications, recipients are misled into believing that their domain name infringes upon the sender’s rights. Researchers have observed that the malware includes functionality to compromise WordPress sites further, allowing attackers to host malicious files and extend its reach.

In addition to email and WordPress spread, Efimer employs malicious torrents as another distribution vector. The malware communicates with its command-and-control (C2) servers over the Tor network, which complicates detection.

Core Malicious Behaviors

Upon execution, the Efimer script installs a trojan component designed to hijack users’ cryptocurrency wallet addresses, replacing them with the attackers’ own. The malware can also capture screenshots and execute additional commands received from the C2 server.

Kaspersky’s investigation has also revealed an evolved version of Efimer. This upgraded Trojan not only maintains clipper functionalities but also integrates anti-VM features. It actively scans popular web browsers for cryptocurrency wallet extensions, exfiltrating this data back to the C2 server.

Impact and Implications

The Efimer campaign has already impacted thousands of users, predominantly in Brazil but also in other countries such as India, Spain, and the United States. While initially aimed at stealing and swapping cryptocurrency wallets, the Trojan’s versatility allows it to utilize additional scripts for broader malicious activities, further entrenching its presence in vulnerable digital ecosystems.

The dual threats of sophisticated phishing campaigns and advanced malware underscore the growing challenges in cybersecurity. As Brazilian citizens and organizations grapple with these evolving threats, heightened awareness and vigilance remain critical in safeguarding personal and financial information against such nefarious tactics.
