Date: 08/21/2025
Severity: High
Summary
A widespread cybercrime campaign is distributing the Efimer Trojan, a stealthy malware designed to steal cryptocurrency through phishing emails, compromised WordPress websites, and fake torrent downloads. The phishing emails, posing as legal threats from prominent law firms, accuse recipients of domain trademark violations to trick them into opening infected attachments. Once deployed, Efimer monitors clipboard activity to replace wallet addresses, extracts recovery phrases, and communicates covertly via the Tor network. In addition to phishing, the attackers use brute-force methods to access WordPress admin panels, host malicious files, and collect email addresses for future spam campaigns. Their primary targets include cryptocurrency users, website administrators, and unsuspecting downloaders.
Indicators of Compromise (IOC) List
Domains\URLs :
https://lovetahq.com/sinners-2025-torent-file/
https://lovetahq.com/wpcontent/uploads/2025/04/movie_39055_xmpg.zip
http://cgky6bn6ux5wvlybtmm3z255igt52ljml2ngnc5qp3cnw5jlglamisad.onion
http://he5vnov645txpcv57el2theky2elesn24ebvgwfoewlpftksxp4fnxad.onion
Hash : MD5 and SHA-256 file hashes (see the TDIR hash queries below)
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Domains\URLs :
domainname like "http://he5vnov645txpcv57el2theky2elesn24ebvgwfoewlpftksxp4fnxad.onion" or url like "http://he5vnov645txpcv57el2theky2elesn24ebvgwfoewlpftksxp4fnxad.onion" or siteurl like "http://he5vnov645txpcv57el2theky2elesn24ebvgwfoewlpftksxp4fnxad.onion"
or domainname like "http://cgky6bn6ux5wvlybtmm3z255igt52ljml2ngnc5qp3cnw5jlglamisad.onion" or url like "http://cgky6bn6ux5wvlybtmm3z255igt52ljml2ngnc5qp3cnw5jlglamisad.onion" or siteurl like "http://cgky6bn6ux5wvlybtmm3z255igt52ljml2ngnc5qp3cnw5jlglamisad.onion"
or domainname like "https://lovetahq.com/sinners-2025-torent-file/" or url like "https://lovetahq.com/sinners-2025-torent-file/" or siteurl like "https://lovetahq.com/sinners-2025-torent-file/"
or domainname like "https://lovetahq.com/wpcontent/uploads/2025/04/movie_39055_xmpg.zip" or url like "https://lovetahq.com/wpcontent/uploads/2025/04/movie_39055_xmpg.zip" or siteurl like "https://lovetahq.com/wpcontent/uploads/2025/04/movie_39055_xmpg.zip"
Hash 1 (SHA-256) :
sha256hash IN ("DC4FD2E5604D12AE4F8444E6429DC3EB6CB592214A8E998D9C76B810B102C3F8","32709EFBF41289FF2BE8D34A1067AD70B6AC1D9BC05384285C41545C22ED7DF7","1569FA17748B501121EADCDF64723A448B21839B8922FD6E2C176F1ED8D6B0AA","006C397EC5B65E0C646598EE6014813FF601802D927FB90571E5AD1204D7F70F","C77FCF134A8D81B3FC329EB767D62C997708D6FEDB2D33898F79184F22D542A5","787797BFBF690D05DB8A796E3CA948578FB9BA7189D9F9BC53D99FB5EA626BB7","6199960F2EC96D4851E4F36D5A5095922E422E3B4265BDB537CCDBB8D44AC8DC","75102507763CE008917613F11EC3301F59F0F0115799DC9AD1BE147D9E69584E")
Hash 2 (MD5) :
md5hash IN ("627dc31da795b9ab4b8de8ee58fbf952","39fa36b9bfcf6fd4388eb586e2798d1a","442ab067bf78067f5db5d515897db15c","16057e720be5f29e5b02061520068101","Eb54c2ff2f62da5d2295ab96eb8d8843","0f5404aa252f28c61b08390d52b7a054","100620a913f0e0a538b115dbace78589","B405a61195aa82a37dc1cca0b0e7d6c1","5d132fb6ec6fac12f01687f2c0375353","5ba59f9e6431017277db39ed5994d363")
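An added example, not part of this advisory or of Gurucul's TDIR, showing how to apply the IOCs above to log records while handling two things the raw values do not: the published MD5 list mixes upper and lower case (Eb54c2ff..., B405a611...), and the domain indicators are full URLs while many log fields carry only a hostname. The record field names (md5hash, sha256hash, domainname, url, siteurl) are taken from the queries above; the log records themselves are constructed.

```python
from urllib.parse import urlsplit

# IOC values copied from the advisory above (a subset, to keep the example short).
IOC_URLS = {
    "https://lovetahq.com/sinners-2025-torent-file/",
    "http://he5vnov645txpcv57el2theky2elesn24ebvgwfoewlpftksxp4fnxad.onion",
}
IOC_HASHES = {
    "Eb54c2ff2f62da5d2295ab96eb8d8843",  # MD5, mixed case exactly as published
    "DC4FD2E5604D12AE4F8444E6429DC3EB6CB592214A8E998D9C76B810B102C3F8",  # SHA-256
}
def norm_hash(value):
    """Hex digests compare case-insensitively, so lower-case before any set lookup."""
    return value.strip().lower()
def host_of(value):
    """Lower-cased hostname of a URL or of a bare hostname (e.g. a DNS query name)."""
    value = value.strip().lower()
    return urlsplit(value if "://" in value else "//" + value).hostname or ""
HASH_SET = {norm_hash(h) for h in IOC_HASHES}
HOST_SET = {host_of(u) for u in IOC_URLS}
URL_SET = {u.lower().rstrip("/") for u in IOC_URLS}

def match_record(rec):
    """Return (field, kind, matched_value) tuples for one log record (a dict of fields)."""
    hits = []
    for field in ("md5hash", "sha256hash"):
        if field in rec and norm_hash(rec[field]) in HASH_SET:
            hits.append((field, "hash", norm_hash(rec[field])))
    for field in ("domainname", "url", "siteurl"):
        if field not in rec:
            continue
        full = rec[field].lower().rstrip("/")
        if full in URL_SET:
            hits.append((field, "url", full))
        elif host_of(rec[field]) in HOST_SET:  # bare hostname, or another path on an IOC host
            hits.append((field, "host", host_of(rec[field])))
    return hits

# Constructed sample records, not real telemetry.
SAMPLE_LOGS = [
    {"md5hash": "EB54C2FF2F62DA5D2295AB96EB8D8843"},  # upper-cased copy of a published MD5
    {"domainname": "he5vnov645txpcv57el2theky2elesn24ebvgwfoewlpftksxp4fnxad.onion"},
    {"url": "https://LOVETAHQ.com/sinners-2025-torent-file"},  # host case and slash differ
    {"sha256hash": "00" * 32, "url": "https://example.com/"},  # benign record, no hit expected
]
def scan(records):
    """Indexes of records with at least one IOC hit, paired with their hits."""
    hits = [(i, match_record(r)) for i, r in enumerate(records)]
    return [(i, h) for i, h in hits if h]
```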
Reference:
https://hivepro.com/threat-advisory/efimer-trojan-from-fake-lawsuits-to-crypto-heists/?utm_sr=google&utm_cmd=organic&utm_ccn=(not%20set)&utm_ctr=(not%20provided)