Efimer Trojan malware activity spreading via WordPress, email, and torrents
Malware Activity
Summary
The Efimer Trojan is spreading through infected WordPress sites, email, and malicious torrents while stealing cryptocurrency and widening its infection base. It routes command-and-control traffic through TOR and uses a WSF-based infection chain that drops controller.js and controller.xml on the host. The payload can swap wallet addresses, capture screenshots, and fetch additional instructions or scripts from C2. Telemetry tied the activity to 5,015 users across Brazil and multiple other countries, indicating a broad cross-border footprint.
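The summary above describes a WSF-based chain whose script-host process drops controller.js and controller.xml. The following is an added hunting example, not code from the page or from any of its sources: it correlates constructed Sysmon-style process-creation and file-creation records by PID and flags a Windows Script Host launched with a .wsf argument that then writes both artifacts. Field names, paths and PIDs are assumptions made for the example.

```python
"""Correlate script-host launches with the dropped artifacts named in the summary.

Events are dicts with 'type' ('process' or 'file') and 'pid', plus 'image' and
'cmdline' for process events or 'target' for file events.  The records below are
constructed for this example; they are not real telemetry from the campaign.
"""
import re
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DROPPED_ARTIFACTS = {"controller.js", "controller.xml"}   # artifacts named on the page
WSF_ARG = re.compile(r"\S+\.wsf\b", re.IGNORECASE)        # any .wsf path in a command line


def find_wsf_chains(events):
    """Return [(pid, wsf_path, [dropped names])] for each suspicious chain.

    A chain is a script-host process started with a .wsf argument whose PID also
    wrote every artifact in DROPPED_ARTIFACTS.  Event order is not assumed.
    """
    hosts = {}                  # pid -> .wsf argument of a script-host launch
    writes = defaultdict(set)   # pid -> artifact names that PID created
    for ev in events:
        if ev["type"] == "process":
            image = ev["image"].rsplit("\\", 1)[-1].lower()
            m = WSF_ARG.search(ev.get("cmdline", ""))
            if image in SCRIPT_HOSTS and m:
                hosts[ev["pid"]] = m.group(0).strip('"')
        elif ev["type"] == "file":
            name = ev["target"].rsplit("\\", 1)[-1].lower()
            if name in DROPPED_ARTIFACTS:
                writes[ev["pid"]].add(name)
    return [(pid, wsf, sorted(writes[pid]))
            for pid, wsf in hosts.items()
            if writes[pid] >= DROPPED_ARTIFACTS]   # both artifacts from the same host


SAMPLE_EVENTS = [   # constructed records: one malicious chain, two benign distractors
    {"type": "process", "pid": 4120, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\Downloads\movie.wsf"'},
    {"type": "file", "pid": 4120, "target": r"C:\Users\u\AppData\Roaming\controller.js"},
    {"type": "file", "pid": 4120, "target": r"C:\Users\u\AppData\Roaming\controller.xml"},
    {"type": "process", "pid": 5000, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe C:\ops\inventory.wsf"},              # writes nothing of interest
    {"type": "file", "pid": 6100, "target": r"C:\Temp\controller.js"},   # no script-host launch
]

if __name__ == "__main__":
    for pid, wsf, dropped in find_wsf_chains(SAMPLE_EVENTS):
        print(f"pid {pid}: {wsf} dropped {', '.join(dropped)}")
```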
Timeline
08.08.2025 19:14 · 1 article · 9mo ago
Efimer Trojan campaign spreads through WordPress, email, and torrents
Technical Analysis Update
A Brazil-focused Efimer Trojan campaign used compromised WordPress sites, email attachments, and malicious torrents to distribute a WSF-based infection chain that dropped controller.js and controller.xml, routed command-and-control traffic through TOR, replaced copied cryptocurrency wallet addresses, captured screenshots, and scanned Google Chrome and Brave for wallet extensions. Telemetry tied the activity to 5,015 affected users across Brazil, India, Spain, Russia, Italy, Germany, the U.K., Canada, France, and Portugal.
Sources
- AI Tools Fuel Brazilian Phishing Scam While Efimer Trojan Steals Crypto from 5,000 Victims — thehackernews.com — 08.08.2025 19:14