AI Tools Power Brazilian Phishing Scheme as Efimer Trojan Targets 5,000 Crypto Users

Cybersecurity experts have uncovered a sophisticated phishing campaign in Brazil that exploits legitimate generative AI website-building platforms, including DeepSite AI and BlackBox AI, to create convincing clones of government websites.

According to Zscaler ThreatLabz, the attackers are imitating portals from Brazil’s State Department of Traffic and Ministry of Education, luring victims into making fraudulent payments via the country’s PIX instant payment system.

To amplify visibility, the malicious websites leverage search engine optimization (SEO) poisoning, ensuring they appear prominently in search results and attract more unsuspecting visitors.

Analysis of the source code revealed clear markers of AI-generated design: overly descriptive developer comments, non-functional features that mimic legitimate site elements, and the use of styling frameworks such as TailwindCSS, all of which are atypical of conventional phishing kits.

Data Theft and Payment Fraud

The ultimate goal is to collect sensitive personal data — including CPF numbers (Brazilian taxpayer IDs), home addresses, and other identifiers — and coerce victims into a one-time PIX payment of 87.40 reals (around $16). These charges are disguised as requirements for psychometric or medical exams, or even as part of a job application process.

To enhance credibility, the phishing sites request information in stages, closely mirroring the flow of real government services. The stolen CPF numbers are validated on the backend via an API controlled by the threat actors, which can pull associated data and auto-fill the phishing forms with authentic details.

Zscaler noted that attackers may have obtained these CPF records through previous data breaches or exposed APIs, further increasing the realism of their schemes. While the immediate monetary losses per victim are small, researchers warn that similar techniques could be scaled for far more damaging campaigns.

Efimer Trojan Spreads via Malspam to Steal Cryptocurrency

Brazil has also been hit by a widespread malspam operation distributing the Efimer Trojan, a malware strain aimed at stealing cryptocurrency wallets.

First detected by Kaspersky in June 2025, with early versions dating back to October 2024, Efimer is spread through compromised WordPress sites, malicious torrents, and phishing emails.

The email lure impersonates legal notices from corporate lawyers, alleging domain name infringement. Attached ZIP archives conceal a Windows Script File (WSF) payload, which installs Efimer while displaying a fake error message to distract the user.
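As an added illustration of the mail-gateway check a defender would want for the lure described above, the following Python screens a ZIP attachment for script-type members such as a Windows Script File. This is example code written for this page, not tooling from Kaspersky or the article; the extension list and the sample archives are constructed assumptions, and the archive contents are placeholders rather than any real payload.

```python
from __future__ import annotations

import io
import zipfile

# Script extensions that should rarely, if ever, arrive inside an e-mail
# attachment. ".wsf" covers the Windows Script File lure; the others are
# common siblings (assumption: adjust to your gateway policy).
SCRIPT_EXTENSIONS = {".wsf", ".js", ".jse", ".vbs", ".vbe", ".hta", ".ps1", ".cmd", ".bat"}


def suspicious_members(zip_bytes: bytes) -> list[str]:
    """Return the names of archive members whose final extension is a script type.

    Only the last suffix is examined, so double extensions such as
    'notice.pdf.wsf' are still caught.
    """
    findings: list[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.rsplit("/", 1)[-1]
            suffix = name[name.rfind("."):].lower() if "." in name else ""
            if suffix in SCRIPT_EXTENSIONS:
                findings.append(info.filename)
    return findings


def build_sample_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from a name->bytes mapping (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a double-extension script member and a benign PDF.
LURE_ZIP = build_sample_zip({"Notificacao_Juridica.pdf.wsf": b"placeholder, not a real script"})
CLEAN_ZIP = build_sample_zip({"invoice.pdf": b"%PDF-1.4 placeholder"})

if __name__ == "__main__":
    for label, blob in (("lure", LURE_ZIP), ("clean", CLEAN_ZIP)):
        print(label, suspicious_members(blob))
```

A real gateway would also open nested archives and inspect content, not just names; the point here is that the final suffix, not the decoy `.pdf` in the middle, decides how Windows executes the file.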

Once active, Efimer deploys two files — controller.js and controller.xml — and sets up a scheduled task for persistence. The primary function of controller.js is clipboard hijacking, replacing copied crypto wallet addresses with attacker-controlled ones. It can also take screenshots, download additional malware, and connect to a Tor-based command-and-control (C2) infrastructure.
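The clipboard hijacking described above can be caught from the endpoint side by comparing what the user copied with what the clipboard holds when it is read back. The Python below is an added defensive example for this page, not code from the article or from Kaspersky's analysis; the address patterns are shape checks only (no checksum validation, an assumption to keep the example short), and the clipboard event stream and wallet addresses are constructed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Shape-only patterns for wallet families commonly targeted by clipper malware
# (assumption: no checksum or bech32 character-set validation here).
ADDRESS_PATTERNS = {
    "btc-legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc-bech32": re.compile(r"^bc1[a-z0-9]{39,59}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_family(text: str) -> str | None:
    """Return the wallet family a string resembles, or None if it is not an address."""
    text = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return family
    return None


@dataclass(frozen=True)
class ClipboardEvent:
    ts: float
    kind: str  # "copy": text the user placed; "read": text present when a paste happened
    text: str


@dataclass(frozen=True)
class SwapAlert:
    ts: float
    family: str
    copied: str
    observed: str


def detect_swaps(events: list[ClipboardEvent]) -> list[SwapAlert]:
    """Flag reads where the user copied a wallet address but a different one came back.

    Ordinary edits to non-address text are ignored; only address-to-address
    substitutions, the clipper's signature behaviour, raise an alert.
    """
    alerts: list[SwapAlert] = []
    last_copied: str | None = None
    for ev in events:
        if ev.kind == "copy":
            last_copied = ev.text.strip()
            continue
        if ev.kind != "read" or last_copied is None:
            continue
        observed = ev.text.strip()
        if address_family(last_copied) and address_family(observed) and observed != last_copied:
            alerts.append(SwapAlert(ev.ts, address_family(observed) or "unknown", last_copied, observed))
    return alerts


# Constructed sample data: a user-copied address, a substituted one, and benign noise.
USER_BTC = "bc1q" + "p" * 38
SWAPPED_BTC = "bc1q" + "x" * 38
USER_ETH = "0x" + "a1" * 20
SAMPLE_EVENTS = [
    ClipboardEvent(1.0, "copy", USER_BTC),
    ClipboardEvent(2.0, "read", SWAPPED_BTC),   # address replaced between copy and paste
    ClipboardEvent(3.0, "copy", "hello world"),
    ClipboardEvent(4.0, "read", "hello world"),  # plain text, unchanged
    ClipboardEvent(5.0, "copy", USER_ETH),
    ClipboardEvent(6.0, "read", USER_ETH),       # address unchanged, no alert
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_EVENTS):
        print(f"t={alert.ts}: {alert.family} address swapped {alert.copied} -> {alert.observed}")
```

In practice the copy events would come from a clipboard hook or an EDR telemetry feed, and the alert would be the trigger to check for the scheduled task and controller.js persistence the article describes.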

A newer variant adds anti-virtual machine checks and scans browsers like Chrome and Brave for popular crypto wallet extensions, including Atomic, Electrum, and Exodus, exfiltrating the findings to the C2 server.

Global Reach

Kaspersky estimates the campaign has affected at least 5,015 users worldwide, with infections concentrated in Brazil, India, Spain, Russia, Italy, Germany, the U.K., Canada, France, and Portugal.

Beyond cryptocurrency theft, Efimer can brute-force WordPress credentials, harvest email addresses, and send spam, enabling attackers to build a complete malicious infrastructure capable of spreading further.

Interestingly, the malware targets both individuals and corporate networks — using pirated movie torrents to bait home users and fake legal claims to trick businesses.

Source: https://thehackernews.com/2025/08/ai-tools-fuel-brazilian-phishing-scam.html