Kaspersky warns of rising Efimer trojan attacks on crypto users

Kaspersky recommends implementing strong security measures to prevent unauthorised access

by Rajiv Pillai
August 11, 2025

Kaspersky Security Network has reported that between October 2024 and July 2025, more than 5,000 users — including both individuals and organisations — were targeted by the Efimer trojan, a malicious program designed to steal and replace cryptocurrency wallet addresses. The campaign was particularly damaging in Brazil, which saw approximately 1,500 victims, but also impacted users in India, Spain, Russia, Italy, and Germany.

Initially detected in October 2024, early versions of Efimer were spread through compromised WordPress websites. By June 2025, attackers had expanded their methods, distributing the malware via phishing emails. These emails, disguised as correspondence from a legal firm, threatened recipients with lawsuits over alleged domain name patent violations to pressure them into downloading malicious files.

“This Trojan is notable for its dual approach to spreading — targeting both individual users and corporate environments with different tactics. For private users, attackers use torrent files pretending to be popular movies to lure victims, while in corporate settings, they rely on fraudulent emails containing legal threats. Crucially, in both cases, compromise only occurs if the user actively downloads and executes the malicious file,” explained Artyom Ushkov, threat researcher at Kaspersky.

Kaspersky advises both corporate and individual users to avoid downloading torrent files from unverified sources, verify the legitimacy of email senders, and keep antivirus databases up to date.
Users should also refrain from clicking on links or opening attachments in unsolicited emails, ensure software is regularly updated, enforce strong passwords and two-factor authentication, and continuously monitor for potential compromises. Installing a trusted security solution and following its recommendations can automatically mitigate most threats.

For developers and website administrators, Kaspersky recommends implementing strong security measures to prevent unauthorised access and stop malware from propagating through their infrastructure.

The full report is available on Securelist.com.