
Cybersecurity researchers have drawn attention to a new campaign that uses legitimate generative artificial intelligence (AI) website-building tools to create replica phishing pages mimicking Brazilian government agencies, as part of a financially motivated operation.
The activity involves creating lookalike sites that mimic the Brazilian Ministry of State Transport and the Ministry of Education, with the goal of tricking unsuspecting users into making fraudulent payments through the country's PIX instant payment system, Zscaler ThreatLabz said.
These scam sites are artificially boosted using search engine optimization (SEO) poisoning techniques to improve their visibility in search results, which increases the chances of a successful attack.
“Source code analysis reveals signatures of generative AI tools, including overly explanatory comments intended to guide developers, non-functional elements that would normally work on a real website, and stylistic trends such as Tailwind CSS styling that differ from the traditional phishing kits used by threat actors,” the company said.
The ultimate goal of the attack is to serve fake forms that collect sensitive personal information, such as Cadastro de Pessoas Físicas (CPF) numbers, the Brazilian taxpayer identification number, and residential addresses.
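The three source-code signatures quoted above (explanatory comments, dead placeholder links, Tailwind CSS from a CDN) can be turned into a quick triage score for an analyst looking at a suspected phishing page. The script below is an added example and not Zscaler's tooling; the regular expressions, the thresholds in `score()`, and the sample page source are all constructed assumptions.

```python
import re

# Added triage heuristic, not Zscaler's tooling. Regexes and thresholds are assumptions.
TAILWIND_RE = re.compile(r"cdn\.tailwindcss\.com|tailwind(?:css)?(?:\.min)?\.(?:js|css)", re.I)
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
DEAD_LINK_RE = re.compile(r"""<a\b[^>]*href\s*=\s*["'](?:#|javascript:void\(0\);?)["']""", re.I)
TAG_RE = re.compile(r"<[^>]+>")


def page_indicators(html):
    """Measure the three signatures the report names on one page's source."""
    comments = COMMENT_RE.findall(html)
    comment_words = sum(len(c.split()) for c in comments)
    # Words a visitor would actually see: strip comments first, then tags.
    visible_words = len(TAG_RE.sub(" ", COMMENT_RE.sub("", html)).split())
    anchors = len(re.findall(r"<a\b", html, re.I))
    dead = len(DEAD_LINK_RE.findall(html))
    return {
        "tailwind_cdn": bool(TAILWIND_RE.search(html)),
        "n_comments": len(comments),
        "comment_ratio": comment_words / max(visible_words, 1),
        "dead_link_ratio": dead / max(anchors, 1),
    }


def score(ind, comment_threshold=0.25, dead_link_threshold=0.5):
    """0-3: how many of the AI-generated-page signatures are present (thresholds assumed)."""
    return (int(ind["tailwind_cdn"])
            + int(ind["comment_ratio"] > comment_threshold)
            + int(ind["dead_link_ratio"] > dead_link_threshold))


# Constructed page source showing the pattern described; not a real phishing page.
SAMPLE_PAGE = """<!DOCTYPE html>
<!-- Main layout container: centers the form and applies a light background -->
<html><head><script src="https://cdn.tailwindcss.com"></script></head>
<body class="bg-gray-100">
<!-- Navigation bar: links are placeholders and should be wired to real routes later -->
<nav><a href="#">Início</a> <a href="#">Serviços</a> <a href="#">Contato</a></nav>
<!-- Payment form: collects the CPF first, then reveals the next step -->
<form><input name="cpf" placeholder="CPF"><button>Continuar</button></form>
</body></html>"""

if __name__ == "__main__":
    ind = page_indicators(SAMPLE_PAGE)
    print(ind, "score:", score(ind))
```

A score of 3 on the constructed page means every signature fired; on a real investigation the score is a prompt to look closer, not a verdict, since legitimate sites built with the same tools will also use Tailwind from a CDN.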

To further bolster the campaign's legitimacy, the phishing pages are designed to collect data step by step, gradually requesting additional information from victims to mirror the behavior of real websites. The collected CPF numbers are also validated in the backend by APIs created by the threat actors.
“The API domains identified during the analysis are registered by the threat actors,” Zscaler said. “The API retrieves data associated with the CPF number and automatically populates the phishing page with information linked to the CPF.”

That said, the company noted that the attackers could be obtaining CPF numbers and user details through data breaches, or by leveraging publicly available APIs with authentication keys, and using that information to increase the credibility of the phishing attempts.
“These phishing campaigns are currently stealing relatively little money from victims, but similar attacks could cause much more damage,” Zscaler said.
Mass-mailing campaign distributes Efimer Trojan to steal cryptocurrency
Brazil has also become the focus of a malspam campaign distributing a malicious script called Efimer, which impersonates lawyers representing major companies in order to steal victims' cryptocurrency. Russian cybersecurity company Kaspersky, which detected the malware campaign in June 2025, said early iterations of the malware date back to October 2024 and spread through infected WordPress websites.
“These emails falsely claimed that the recipient's domain name infringed on the sender's rights,” said researchers Vladimir Gursky and Artem Ushkov. “The script also includes additional features that help the attackers spread even further, by breaching WordPress sites and hosting malicious files on them, among other techniques.”
In addition to propagating through compromised WordPress sites and email, Efimer also uses malicious torrents as a distribution vector, and communicates with its command-and-control (C2) servers over the TOR network. The malware can also extend its functionality with additional scripts that brute-force passwords on WordPress sites and harvest email addresses from target websites for use in future email campaigns.
“The script receives domains [from the C2 server] and then iterates through each one, looking for hyperlinks and email addresses on the website's pages,” Kaspersky said. The company also said the script serves as a spam module designed to fill out contact forms on target websites.
In the attack chain documented by Kaspersky, the emails carry a ZIP archive containing a second, password-protected archive, alongside an empty file whose name specifies the password needed to open it. Inside the second ZIP is a malicious Windows Script File (WSF) that infects the machine with Efimer when launched.
At the same time, the victim is shown an error message stating that the document cannot be opened on the device, as a distraction. In the background, the WSF script drops two further files, “controller.js” (the Trojan component) and “controller.xml”, and creates a scheduled task on the host using the configuration read from “controller.xml”.
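The attachment layout described above (outer ZIP, empty file naming the password, password-protected inner ZIP, WSF inside) is distinctive enough to triage automatically at a mail gateway or in a sandbox. The script below is an added example and not Kaspersky's tooling: it lists the indicators per archive level, pulls password candidates out of the hint file name and uses them to open the inner archive, and returns a verdict. The hint-word regexes and the constructed sample attachment are assumptions; the standard-library `zipfile` module cannot write encrypted entries, so the constructed inner archive is unencrypted and the `flag_bits & 0x1` encryption check only fires on real samples.

```python
import io
import re
import zipfile

# Added example, not Kaspersky's code. Script extensions and hint-word patterns are assumptions.
SCRIPT_EXTS = (".wsf", ".js", ".jse", ".vbs", ".hta")
HINT_WORD_RE = re.compile(r"password|senha|pass\b|pwd", re.I)
HINT_TOKEN_RE = re.compile(r"(?:password|senha|pass|pwd)\s*[:=\-]*\s*([A-Za-z0-9!@#$%&*_]+)", re.I)


def password_candidates(names):
    """Pull password-looking tokens out of hint file names such as 'senha 1234.txt'."""
    out = []
    for n in names:
        stem = n.rsplit("/", 1)[-1].rsplit(".", 1)[0]
        m = HINT_TOKEN_RE.search(stem)
        if m:
            out.append(m.group(1))
    return out


def read_entry(zf, zi, candidates):
    """Return (password, bytes); tries no password first, then each candidate."""
    for pwd in (None, *candidates):
        try:
            return pwd, zf.read(zi, pwd=pwd.encode() if pwd else None)
        except RuntimeError:  # zipfile signals a missing or wrong password this way
            continue
    return None, None


def analyze_zip(data, candidates=(), depth=0, max_depth=2):
    """Inspect one ZIP given as bytes and recurse into any ZIP it contains."""
    f = {"empty_hint_files": [], "encrypted_entries": [], "script_files": [],
         "password_used": None, "nested": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        for zi in infos:
            low = zi.filename.lower()
            if zi.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
                f["encrypted_entries"].append(zi.filename)
            if not zi.is_dir() and zi.file_size == 0 and HINT_WORD_RE.search(low):
                f["empty_hint_files"].append(zi.filename)
            if low.endswith(SCRIPT_EXTS):
                f["script_files"].append(zi.filename)
        # A hint file at this level names the password for the archive one level down.
        hints = password_candidates(f["empty_hint_files"])
        for zi in infos:
            low = zi.filename.lower()
            if low.endswith(".zip") and depth < max_depth:
                pwd, blob = read_entry(zf, zi, candidates)
                if blob is not None:
                    f["nested"][zi.filename] = analyze_zip(blob, hints, depth + 1, max_depth)
            elif zi.filename in f["script_files"] and zi.flag_bits & 0x1:
                pwd, _ = read_entry(zf, zi, candidates)
                f["password_used"] = f["password_used"] or pwd
    return f


def verdict(f):
    """Suspicious when an empty hint file sits beside a nested archive that holds a script."""
    if f["empty_hint_files"] and any(inner["script_files"] for inner in f["nested"].values()):
        return "suspicious"
    return "benign"


def build_sample():
    """Constructed attachment with the described layout; the inner script is an inert stub."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Documento.wsf", "<job><script language='JScript'>/* stub */</script></job>")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("senha 1234.txt", b"")  # zero-byte file whose name carries the password
        z.writestr("Documento.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    findings = analyze_zip(build_sample())
    print(verdict(findings), findings)
```

The password-candidate step matters for detection because a gateway that simply gives up on encrypted inner archives never sees the WSF; reading the hint file name the way the victim would lets the scanner look inside without any user interaction.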

“controller.js” is clipper malware designed to replace cryptocurrency wallet addresses copied to the clipboard with wallet addresses under the attackers' control. It can also fetch and run additional payloads received from the C2 server, by installing a TOR proxy client on the infected computer and connecting over the TOR network.
Kaspersky also discovered a second version of Efimer that, alongside the clipper functionality, incorporates anti-VM features, scans web browsers such as Google Chrome for cryptocurrency wallet extensions related to Atomic, Electrum, and Exodus, and sends the search results back to the C2 server.
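A clipper's observable behaviour on the endpoint is a wallet address that changes on the clipboard moments after the user copied it, without any further copy action. The script below is an added example, not Kaspersky's code and not part of Efimer: it classifies clipboard contents by address shape, flags a same-kind replacement within a short window as a swap, and includes the matching pre-send check a wallet or payment UI can run. The address regexes are loose shape checks without checksum validation, the two-second window is an assumption, and the clipboard event sequence is constructed inline.

```python
import re
from collections import namedtuple

# Added example, not part of the malware or of Kaspersky's tooling.
# Loose shape checks only: no checksum validation, just "looks like a wallet address".
WALLET_PATTERNS = {
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,62}$"),
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

ClipEvent = namedtuple("ClipEvent", "ts text")          # ts in seconds
Swap = namedtuple("Swap", "kind original replacement delay")


def classify(text):
    """Return the address kind the text looks like, or None."""
    t = text.strip()
    for kind, rx in WALLET_PATTERNS.items():
        if rx.match(t):
            return kind
    return None


def detect_swaps(events, window=2.0):
    """Flag a wallet address replaced by a different address of the same kind
    within `window` seconds (assumed threshold). A person rarely copies two
    addresses that fast; a clipper polling the clipboard does exactly this."""
    swaps = []
    for prev, cur in zip(events, events[1:]):
        k_prev, k_cur = classify(prev.text), classify(cur.text)
        delay = cur.ts - prev.ts
        if k_prev and k_prev == k_cur and prev.text.strip() != cur.text.strip() and 0 <= delay <= window:
            swaps.append(Swap(k_prev, prev.text.strip(), cur.text.strip(), delay))
    return swaps


def paste_matches_intended(intended, pasted):
    """Pre-send check for a wallet or payment UI: refuse to submit when the
    pasted address is not the one the user was shown and asked to confirm."""
    return intended.strip() == pasted.strip()


# Constructed clipboard history; the addresses are synthetic and belong to nobody.
USER_ADDR = "bc1q" + "qpzry9x8gf2tvdw0s3jn54khce6mua7l" + "qqqqqq"
SWAPPED_ADDR = "bc1q" + "qpzry9x8gf2tvdw0s3jn54khce6mua7l" + "zzzzzz"
SAMPLE_EVENTS = [
    ClipEvent(0.0, "meeting notes"),
    ClipEvent(10.0, USER_ADDR),                 # user copies the address they mean to pay
    ClipEvent(10.3, SWAPPED_ADDR),              # silently replaced 300 ms later
    ClipEvent(40.0, "0x" + "0" * 38 + "aa"),
    ClipEvent(95.0, "0x" + "0" * 38 + "bb"),    # 55 s later: plausible user action, not flagged
]

if __name__ == "__main__":
    for s in detect_swaps(SAMPLE_EVENTS):
        print(f"{s.kind}: {s.original} -> {s.replacement} after {s.delay:.1f}s")
```

A real monitor would feed `detect_swaps()` from a clipboard hook rather than a list, but the decision logic is the same; the `paste_matches_intended()` check is the user-side mitigation, since a swap that is caught before the transaction is signed costs nothing.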
The campaign is estimated to have affected 5,015 users based on telemetry, with the majority of infections concentrated in Brazil, India, Spain, Russia, Italy, Germany, the UK, Canada, France and Portugal.
“The main goal is to steal and swap cryptocurrency wallets, but it can also leverage additional scripts to compromise WordPress sites and distribute spam,” the researchers said. “This allows the attackers to establish a fully malicious infrastructure and spread to new devices.”
“Another interesting feature of this Trojan is its attempt to target both individual users and corporate environments. In the first case, the attackers use torrent files as bait, disguised as downloads of popular films.”