Efimer Trojan Steals Crypto, Hacks WordPress Sites via Torrents and Phishing
hackread.com
Kaspersky reports Efimer Trojan infecting thousands, swapping crypto wallets, brute-forcing sites, and spreading through torrents and phishing.
Cybercriminals are getting more creative with their scams, and the latest example comes from a malware operation known as Efimer. First spotted by Kaspersky in October 2024 and still active and spreading in 2025, the Trojan has been stealing cryptocurrency and spreading through hacked WordPress sites, torrents and targeted phishing emails.
Phishing Emails Posing as Legal Notices
The phishing emails in the most recent campaign pretend to come from lawyers at a large company, warning recipients that their domain name violates trademarks. The message threatens legal action but offers to buy the domain instead.
Victims are then prompted to open an attachment for “details,” which actually contains a multi-stage script. This script drops the Efimer Trojan and disguises its activity with fake error messages, so users think nothing happened.
Copyright of this story solely belongs to hackread.com.