A sophisticated malware campaign dubbed \u201cEfimer\u201d has emerged as a significant threat to cryptocurrency users worldwide, employing a multi-vector approach that combines compromised WordPress websites, malicious torrents, and deceptive email campaigns.<\/p>\n
First detected in October 2024, this ClipBanker-type Trojan has evolved from a simple cryptocurrency stealer into a comprehensive malicious infrastructure capable of self-propagation and widespread distribution.<\/p>\n
The malware\u2019s name derives from a comment found within its decrypted script, and its primary objective centers on cryptocurrency theft through clipboard manipulation.<\/p>\n
When users copy cryptocurrency wallet<\/a> addresses, Efimer silently replaces them with attacker-controlled addresses, effectively hijacking transactions.<\/p>\n Beyond its core functionality, the malware<\/a> demonstrates remarkable versatility by incorporating additional modules for WordPress site compromise, email address harvesting, and spam distribution.<\/p>\n Securelist analysts identified<\/a> that Efimer has impacted over 5,000 users across multiple countries, with Brazil experiencing the highest concentration of attacks affecting 1,476 users.<\/p>\n The malware\u2019s reach extends across India, Spain, Russia, Italy, and Germany, indicating a global threat landscape.<\/p>\n What distinguishes Efimer from conventional malware is its ability to establish complete malicious infrastructure, enabling sustained attacks and continuous expansion of its victim base.<\/p>\n The attack vectors demonstrate sophisticated social engineering<\/a> techniques. Email campaigns impersonate lawyers from major companies, falsely claiming domain name trademark infringement and threatening legal action unless recipients change their domain names.<\/p>\n These emails contain password-protected ZIP archives with names like \u201cDemand_984175.zip\u201d containing malicious WSF files.<\/p>\n Simultaneously, attackers compromise WordPress sites to post fake movie torrents, particularly targeting popular releases like \u201cSinners 2025,\u201d which contain executable files masquerading as media players.<\/p>\n The infection process begins when victims execute the malicious WSF or EXE files, triggering a complex multi-stage deployment.<\/p>\n Upon execution, Efimer first checks for administrator privileges by attempting to write to a temporary file at If successful, the malware adds exclusions to Windows Defender<\/a> for the The malware establishes persistence through different methods depending on user privileges. For privileged users, it creates a scheduled task using a controller.xml configuration file, while limited users receive registry entries in The core payload, controller.js, operates as the primary Trojan component, continuously monitoring clipboard contents every 500 milliseconds while implementing sophisticated evasion techniques, including immediate termination if Task Manager is detected running.<\/p>\n Efimer\u2019s communication infrastructure relies on the Tor network, downloading the Tor proxy service from multiple hardcoded URLs hosted on compromised WordPress sites.<\/p>\n The malware generates unique GUIDs following the format \u201cvs1a-\u201d for victim identification and maintains communication with command-and-control servers at intervals of 30 minutes to avoid detection while ensuring persistent connectivity.<\/p>\n Equip your SOC with full access to the latest threat data from\u00a0ANY.RUN TI Lookup<\/strong>\u00a0that can Improve incident response ->\u00a0Get 14-day\u00a0Free\u00a0Trial<\/a><\/strong><\/p>\n The post Huge Wave of Malicious Efimer Malicious Script Attack Users via WordPress Sites, Malicious Torrents, and Email<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhJqQxUKsglwCQor0Dg5uepdh4sJe94tGgXPTzk_QD8WYPkcOuoDv6bRd9bj4DfEzVIkv7p2qK0cJ4HSCKaLAMh82-QSa5naaUMptgDVrmbvfc0G0e3ytgyCLuP3WIc9MBad5A14iFMwZqjnZ5eZllnlDRST8NuXixNNi_ssAraTZdeQL4QlqDJjobRWy8\/s16000\/Spam%2520email%2520%28Source%2520-%2520Securelist%29.webp?ssl=1\")
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEirZC-BZt2W9FWxT3TOTOyV5-ug4k96geB8LAn7V4zQa0FCmOpYuKrEoJc5Z_hPyljU7WpVBh7yMjzSuwCA2IXolG8-K57QzjuYMt_5Ebj0tFFNbs3G7EYwFgKGwOm2mACyIHlxMn5VLOiOMjDCczpVsMLkWyUccPy_44lKBVLcSKk53dtAmJGJrQ09CZg\/s16000\/The%2520p_timer%2520variable%2520%28Source%2520-%2520Securelist%29.webp?ssl=1\")
Technical Infection Mechanism and Persistence<\/strong><\/h2>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjDZ8p43Y0JUr-SDsIp1Xc7aSJPwcAPbX1XMnn-KJDDUHLYN92bUFJKZsZAEE83xbCeT5obOCOJ5qE7RTbf5lMUqy4ks0XvkN7rHOt2VboLEbpsSJ4kTg6b7-dtmrX1eyailMVBY1tAci7b2CjjhJX_Z0AF0G-qEE-8mCf_b6wsPFO4m1QJfYhqM_SrjPk\/s16000\/The%2520script%25E2%2580%2599s%2520operation%2520cycle%2520involves%2520both%2520the%2520brute-force%2520code%2520and%2520the%2520handler%2520for%2520its%2520core%2520logic%2520%28Source%2520-%2520Securelist%29.webp?ssl=1\")
C:WindowsSystem32wsf_admin_test.tmp<\/code>.<\/p>\nC:UsersPubliccontroller<\/code> folder and system processes including cmd.exe<\/code> and the WSF script itself.<\/p>\nHKCUSoftwareMicrosoftWindowsCurrentVersionRuncontroller<\/code>.<\/p>\n