Kaspersky Exposes Efimer Trojan: Crypto-Address Hijacker Targeting Organizations via Phishing

Kaspersky's telemetry reveals a fast-growing campaign in which a malware family known as Efimer has been used to harvest and silently replace cryptocurrency wallet addresses. Between October 2024 and July 2025, the vendor's telemetry shows over 5,000 compromised users — both individuals and corporate accounts — with a particularly heavy impact in Brazil (roughly 1,500 victims). Other affected countries include India, Spain, Russia, Italy and Germany.

From compromised sites to targeted phishing: how Efimer evolved

Early variants of Efimer were first observed in October 2024 and distributed via compromised WordPress sites and pirated software bundles. In mid-2025 the attackers shifted tactics: campaigns began using convincing phishing emails aimed at corporate recipients. Messages impersonating law firms warned of alleged domain-name patent violations and threatened legal action — social-engineering lures carefully crafted to push recipients into downloading a malicious attachment or archive.

This two-pronged distribution model — torrents and compromised websites for consumers, and bespoke phishing for companies — lets the threat actors build a persistent infrastructure while targeting different environments with tailored bait.

What Efimer does: wallet substitution and stealthy persistence

Efimer's primary goal is financial theft. Once executed, it monitors clipboard operations, web form submissions and certain browser activities to detect when a user copies or visits a cryptocurrency address. When a match is found, the malware silently replaces the victim's wallet address with the attacker-controlled address — a classic "wallet-address hijack" technique that turns routine transfers into theft without raising immediate suspicion.

Beyond clipboard hijacking, more advanced Efimer builds may inject into browser processes, add malicious browser extensions, or alter local files used by desktop wallets. The malware also establishes command-and-control (C2) channels to receive updates and additional payloads, enabling the operators to expand functionality or pivot to other fraud types.

Indicators of compromise and forensic signals

Organizations investigating potential Efimer infections should look for these signals: unexpected processes spawned from Office apps or archival utilities, suspicious PowerShell or Wscript execution, newly installed browser extensions that the user did not authorize, and outbound connections to anomalous domains or IPs tied to C2 infrastructure. Kaspersky's report includes IOCs and samples that security teams can cross-check against logs.

On host-level forensics, examine clipboard-manipulation APIs usage, modifications to hosts or proxy settings, and recent changes in browser settings or certificates. Endpoint detection platforms with behavioral telemetry are more likely to spot the subtle address-replacement activity than signature-only scanners.

Scale and geography: who is being targeted

While consumer-targeted distribution via torrents and compromised downloads remains a vector, the June 2025 pivot toward legally-themed phishing shows clear intent to infiltrate corporate environments. Kaspersky's dataset highlights Brazil as the most impacted market to date, but notable numbers of victims also appeared in India, Spain, Russia, Italy, and Germany. This geographic spread suggests both opportunistic and regionally tailored campaigns.

Why enterprises are attractive targets

Companies often hold larger balances or have staff responsible for high-value transfers, making them lucrative targets. Additionally, corporate workflows sometimes rely on shared storage, scripts, or automated transfer processes that — if compromised — can amplify the attackers' ability to intercept multiple transactions. Attackers also prey on legal and administrative anxieties: a threatening email from a faux law firm increases the chance a user will bypass normal safeguards.

Practical mitigation steps for organizations

Kaspersky recommends several defenses that every organization should implement immediately:

• Harden email gateways with robust phishing filters, URL rewriting and attachment sandboxing to block malicious downloads.
• Enforce strong endpoint protection that combines signatures with behavioral detection; enable automatic threat database updates.
• Disable macro execution and script interpreters (where feasible), and use application allow-listing to reduce risky execution paths.
• Require multi-factor authentication and segregate accounts that can initiate financial transactions; apply the principle of least privilege.
• Train staff to treat legal-threat emails cautiously: validate sender identities via separate channels and avoid executing attachments from unexpected notices.
• Monitor outgoing transactions and implement pre-transfer checks (manual sign-off or out-of-band confirmation) for cryptocurrency transfers above predefined thresholds.

Developer and web-admin responsibilities

The campaign's initial reliance on compromised WordPress sites underscores the need for secure web practices. Site owners should patch platforms and plugins promptly, enforce multi-factor authentication on admin accounts, use WAFs (Web Application Firewalls), and monitor file integrity. Preventing site compromise stops a common distribution path used by Efimer and countless other threats.

Response and recovery: if you're affected

If compromise is suspected, isolate the affected endpoints immediately and preserve volatile data for analysis. Reset any credentials that might have been exposed, revoke tokens, and trace outbound transfers to determine if funds were diverted. Where possible, contact exchange partners and payment processors to flag suspicious incoming transfers. Finally, share IOCs with trusted information-sharing groups to help others defend against the same infrastructure.

Closing notes

Efimer exemplifies the evolving intersection of social engineering and financially motivated malware design. Its clipboard- and browser-based wallet-substitution techniques are deceptively simple but highly effective — and now increasingly focused on organizations as well as individuals. Defense requires a combined approach: people-awareness, hardened endpoints, secure web infrastructure and rigorous transaction controls. Organizations that strengthen each of these layers will severely limit the effectiveness of campaigns like Efimer.

For full technical details, IOCs and vendor guidance, consult Kaspersky's report on Securelist.com and coordinate with your security vendor to deploy the latest protections and detection signatures.