Kaspersky Security Network reported on August 8 that between October 2024 and July 2025, over 5,000 individual and corporate users became victims of a Trojan named Efimer. Brazil was the most affected country, with around 1,500 victims; other affected countries include India, Spain, Russia, Italy, and Germany.

Kaspersky found that attacks on corporate users are spreading rapidly, with criminal groups using the Efimer Trojan to carry them out. Efimer is a Trojan designed to steal and replace cryptocurrency wallet addresses.

The first version of Efimer appeared in October 2024 and initially spread only through infected WordPress websites. In June 2025, however, Efimer began spreading through phishing emails as well: attackers posing as law firms sent emails threatening recipients with lawsuits over alleged domain patent infringement, tricking them into downloading the malware.

This approach lets Efimer build out its own malicious infrastructure, continually compromising user devices to carry out further criminal activity.

Phishing emails claim user infringement

Kaspersky's analysis shows that these phishing emails are typically disguised as legal notices from law firms: they claim that the recipient is infringing a domain patent and threaten to sue. The emails usually carry a compressed attachment or a download link that, when opened, starts the Efimer installation process.

Examples of phishing emails are as follows:

Subject: Legal Notice Regarding Your Company's Domain Patent Infringement

Dear Recipient:

Our legal team has identified that the domain name your company is using is suspected of infringing on our client's patent rights. If you do not respond and take action within 48 hours, we will have no choice but to formally file a lawsuit in court. Please refer to the attached document for details of the case and next steps.

XX Law Firm

Kaspersky points out that the danger of Efimer lies in its differing distribution strategies: individual users are lured into downloading disguised torrent files of popular movies, while corporate users are targeted with scam emails containing legal threats. In either case, the infection only triggers after the user is tricked into actively downloading and executing the malicious file.

How does the Efimer Trojan work?

Once the Efimer Trojan enters the system, it will perform the following malicious actions:

  1. Stealing and replacing cryptocurrency wallet addresses: it continuously monitors the clipboard and, as soon as it detects a string matching a cryptocurrency address format, immediately replaces it with an address controlled by the attacker.

  2. Persistence mechanism: it registers itself in the system startup items to ensure it runs automatically each time the system boots.

  3. Anti-analysis techniques: it uses obfuscated code and virtual machine detection to hinder reverse engineering by security researchers.

  4. Continuous infrastructure expansion: it attempts to download and install additional modules to extend its functionality and go on infecting more systems.
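Detection logic for the clipboard-swapping behaviour described in step 1, as an added example that is not from Kaspersky's report or from Efimer itself: it replays a constructed clipboard event log and flags a copied wallet address that is overwritten by a different address of the same type within a short window, which is the signature of an address-replacing clipper. The process names, addresses and the two-second window are assumptions for illustration; a real monitor would feed it live clipboard-change events.

```python
import re
from dataclasses import dataclass

# Shape-only patterns for common wallet address types (no checksum validation);
# a clipper keys on the same shapes when deciding what to overwrite.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def classify_address(text):
    """Return the wallet-address type the text looks like, or None."""
    text = text.strip()
    return next((k for k, p in ADDRESS_PATTERNS.items() if p.match(text)), None)

@dataclass
class ClipboardEvent:
    ts: float    # seconds since monitoring started
    text: str    # new clipboard contents
    owner: str   # process that wrote the clipboard, as reported by the monitor

def detect_clipper(events, window_s=2.0):
    """Flag a copied wallet address that is overwritten by a different address of
    the same type within window_s seconds, i.e. rewritten before the user pastes."""
    alerts = []
    for prev, cur in zip(events, events[1:]):
        kind = classify_address(prev.text)
        if kind is None or classify_address(cur.text) != kind:
            continue                      # not an address-to-address transition
        if prev.text.strip() == cur.text.strip() or cur.ts - prev.ts > window_s:
            continue                      # same address, or two deliberate copies
        alerts.append({"ts": cur.ts, "kind": kind, "written_by": cur.owner,
                       "original": prev.text.strip(), "replaced_by": cur.text.strip()})
    return alerts

# Constructed clipboard log; the addresses are placeholders, not real wallets.
SAMPLE_EVENTS = [
    ClipboardEvent(0.0, "0x" + "1" * 40, "browser.exe"),    # user copies payee address
    ClipboardEvent(0.4, "0x" + "a" * 40, "unknown.exe"),    # rewritten 400 ms later
    ClipboardEvent(95.0, "1" + "A" * 33, "browser.exe"),    # unrelated BTC copy
    ClipboardEvent(240.0, "1" + "B" * 33, "browser.exe"),   # minutes later: benign
]

if __name__ == "__main__":
    for a in detect_clipper(SAMPLE_EVENTS):
        print(f"[{a['ts']:.1f}s] {a['kind']} address rewritten by {a['written_by']}: "
              f"{a['original']} -> {a['replaced_by']}")
```

Only the first pair of events is flagged; the two Bitcoin copies minutes apart are treated as deliberate user actions.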

Kaspersky warns that Efimer is not only a direct financial threat to cryptocurrency holders but may also be the precursor to subsequent higher-level attacks, such as ransomware or corporate espionage.

Kaspersky's security recommendations for preventing Efimer and similar threats

Kaspersky calls for action:

  • Avoid downloading torrent files from unknown or untrusted sources.

  • Verify the identity of the sender when receiving emails and keep your antivirus database updated.

  • Do not click on links and attachments in suspicious or spam emails.

  • Regularly update software, use strong passwords and two-factor authentication, and continuously monitor for abnormal activity. Install a trusted security solution to intercept threats automatically.

  • Developers and website administrators should strengthen infrastructure security to prevent unauthorized access and the spread of malware.

  • This article is reprinted with permission from: Chain News

  • Original title: Kaspersky's latest report reveals: Phishing emails disguised as lawyer notifications carry the Efimer virus to steal cryptocurrency

  • Original author: DW

'Another phishing attempt! Kaspersky: lawyer-notification emails carry virus files, beware of cryptocurrency theft' was first published by Crypto City.