Trojan.Scavenger Disguises Itself as Game Cheats and Mods

📟 News

Date: 24/07/2025

Experts at Dr.Web have reported on the Trojan.Scavenger malware family, which attackers use to steal data from the cryptocurrency wallets and password managers of Windows users. The malware is launched by legitimate applications, through DLL search order hijacking vulnerabilities in those applications.

In their report, the researchers recall that in 2024 they discovered an attempted targeted attack on a Russian freight railway operator. At that time, the attackers exploited a DLL search order hijacking vulnerability in Yandex Browser.

The issue lies in how Windows applications locate the libraries they need at launch: they look in several locations, in a fixed order. Attackers exploit this by placing malicious DLL files in a location that is searched first (for instance, the installation directory of the targeted software) and giving them the names of legitimate libraries that live in directories with lower search priority. As a result, vulnerable programs load the malicious DLLs instead of the genuine ones.

After studying the 2024 incident, the experts added functionality to Dr.Web antivirus products that monitors and blocks attempts to exploit such vulnerabilities.

Now, while studying telemetry from this function, analysts have discovered attempts to load previously unknown malware, Trojan.Scavenger, into browsers on several clients' machines. As a result, two infection chains, with different numbers of trojan components involved, were identified.

In the chain of three loaders, the starting component is Trojan.Scavenger.1, a DLL. It can be distributed as part of pirated games or disguised as various game patches, cheats, and mods through torrents and gaming-related websites.

When the malware disguises itself as a patch, Trojan.Scavenger.1 spreads as a ZIP archive along with installation instructions. In these instructions, attackers encourage the potential victim to place the “patch” in the directory of the game Oblivion Remastered — supposedly to enhance its performance.

Drag umpdc.dll and engine.ini to the game folder:

\steamapps\common\Oblivion Remastered\OblivionRemastered\Binaries\Win64

Engine.ini will automatically be loaded by the module.

The module will also apply some native patches to improve performance

The name of the malicious file was not chosen at random: in Windows, a legitimate file named umpdc.dll is located in the system directory %WINDIR%\System32. It is part of the graphics API used by various applications and games.

If the installed version of the game on the victim's device has the unpatched vulnerability, the copied malicious file is loaded automatically when the game starts.

It is noted that the version of Oblivion Remastered current at the time of the study handled the search for the umpdc.dll library correctly. In this particular case, therefore, Trojan.Scavenger.1 could not launch automatically and continue the infection chain.

When Trojan.Scavenger.1 does run, it downloads the next stage of the attack from a remote server and launches it: the loader Trojan.Scavenger.2 (tmp6FC15.dll). This loader, in turn, downloads and installs the remaining modules of the family, Trojan.Scavenger.3 and Trojan.Scavenger.4.

Trojan.Scavenger.3 disguises itself as version.dll, which is copied into the directory of one of the targeted Chromium-based browsers. The DLL has the same name as one of the system libraries in the %WINDIR%\System32 directory.

Browsers vulnerable to DLL search order hijacking do not verify the source of the library being loaded with a given name. Since the trojan file is located in their directory, it takes precedence over the legitimate library and loads first.

Attempts to exploit this vulnerability have been recorded in Google Chrome, Microsoft Edge, Yandex Browser, and Opera.

Once launched, Trojan.Scavenger.3 disables protective mechanisms of the target browser (for example, deactivating its sandbox), so that JavaScript code no longer runs in isolation. The trojan also disables extension verification in the browser: it identifies the relevant Chromium library by the presence of the exported function CrashForExceptionInNonABICompliantCodeRange, searches that library for the extension verification routine, and patches it.

After that, the malware modifies the targeted extensions installed in the browser, receiving the necessary modifications in the form of JavaScript code from a control server. The affected extensions include the cryptocurrency wallets Phantom, Slush, and MetaMask, as well as the password managers Bitwarden and LastPass.

In this case, it is not the originals that are modified, but copies, which the trojan initially places in the %TEMP%/ServiceWorkerCache directory. To ensure the browser “picks up” the modified extensions, the malware intercepts the functions CreateFileW and GetFileAttributesExW, substituting the local paths to the original files with paths to the modifications (referred to as Trojan.Scavenger.5).

The modifications themselves are available in two versions:

  • a timestamp is added to the cookie;
  • user data is sent to the command server.

From cryptocurrency wallets such as Phantom, Slush, and MetaMask, attackers steal private keys and seed phrases. From the Bitwarden password manager, they pilfer authorization cookies, while from LastPass, they steal passwords added by the victims.

In turn, Trojan.Scavenger.4 (profapi.dll) is copied into the directory of the Exodus cryptocurrency wallet application. The malware launches automatically with the program, exploiting a vulnerability known as DLL Search Order Hijacking (the legitimate system library profapi.dll is located in %WINDIR%\System32, but due to the vulnerability, the load priority at wallet startup is given to the malicious file).

Once launched, Trojan.Scavenger.4 intercepts the v8::String::NewFromUtf8 function in the V8 engine used for JavaScript and WebAssembly. With this capability, the malware tracks JSON data generated by the target application and can obtain various user data.

In the case of Exodus, the trojan searches for a JSON file containing the key passphrase, and then reads its value. As a result, it obtains the user’s mnemonic phrase, which can be used to decrypt or generate the private key for the victim’s cryptocurrency wallet. Next, the trojan locates the private key seed.seco from the cryptocurrency wallet, reads it, and sends it along with the previously obtained mnemonic phrase to the hackers’ server.

Researchers also examined a chain consisting of two loaders. It is almost identical to the first, except that the distributed archives with "patches" and "cheats" for games contain, instead of Trojan.Scavenger.1, a modified version of Trojan.Scavenger.2 presented not as a DLL file but as a file with an .ASI extension. Essentially, this is a DLL with a changed extension.

Once the user copies the file into the specified directory, it launches automatically when the target game starts, since the game treats it as one of its own plugins. From this point, the infection chain repeats the steps of the first variant.
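The DLL search order hijacking described above (a DLL dropped into a program's own directory that shadows a same-named System32 library) and the renamed-.ASI variant of the second chain can both be checked for by scanning an application folder. The following Python is an added example, not Dr.Web's code or part of their report; it assumes the library names umpdc.dll, version.dll and profapi.dll from this article, and builds a constructed copy of the game folder with two-byte "MZ" stand-ins for real binaries.

```python
import os
import tempfile
from pathlib import Path

# Constructed from the page: System32 library names that Trojan.Scavenger
# components are reported to impersonate inside application directories.
KNOWN_HIJACK_NAMES = {"umpdc.dll", "version.dll", "profapi.dll"}

def system32_dll_names():
    """Names of every DLL in %WINDIR%\\System32 (empty set when not on Windows)."""
    windir = os.environ.get("WINDIR")
    sys32 = Path(windir) / "System32" if windir else None
    if sys32 is None or not sys32.is_dir():
        return set()
    return {p.name.lower() for p in sys32.iterdir() if p.suffix.lower() == ".dll"}

def find_shadowing_dlls(app_dir, system_names=None):
    """Return (name, path, reason) for files under app_dir that a program started
    there would load before the genuine System32 copy. Reasons: "shadows-system32"
    (name matches a System32 DLL) or "renamed-pe" (a file that is not .dll/.exe
    yet starts with the PE magic "MZ", the renamed-.ASI trick of the second chain)."""
    if system_names is None:
        system_names = system32_dll_names()
    names = {n.lower() for n in system_names} | KNOWN_HIJACK_NAMES
    hits = []
    for path in sorted(Path(app_dir).rglob("*")):
        if not path.is_file():
            continue
        lname = path.name.lower()
        if lname in names:
            hits.append((lname, str(path), "shadows-system32"))
        elif path.suffix.lower() not in (".dll", ".exe"):
            with open(path, "rb") as f:
                if f.read(2) == b"MZ":
                    hits.append((lname, str(path), "renamed-pe"))
    return hits

def demo():
    """Scan a constructed copy of the game folder named in the attackers' instructions."""
    with tempfile.TemporaryDirectory() as tmp:
        win64 = Path(tmp) / "OblivionRemastered" / "Binaries" / "Win64"
        win64.mkdir(parents=True)
        fake_pe = b"MZ" + b"\0" * 62                    # constructed stand-in for a DLL
        (win64 / "umpdc.dll").write_bytes(fake_pe)      # the dropped "patch"
        (win64 / "engine.ini").write_text("[Core]\n")   # harmless config from the archive
        (win64 / "plugin.asi").write_bytes(fake_pe)     # a DLL with a changed extension
        (win64 / "OblivionRemastered.exe").write_bytes(fake_pe)
        hits = find_shadowing_dlls(tmp, {"umpdc.dll", "kernel32.dll"})
        return [(name, reason) for name, _, reason in hits]
```

On a real Windows host, calling find_shadowing_dlls on a game or browser directory without the second argument compares against the actual contents of %WINDIR%\System32; a hit on version.dll or profapi.dll in such a folder is exactly the placement this article describes.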

Experts report that most trojans in the family share a number of common characteristics. One is a standard environment check that determines whether the malware is running in a virtual machine or under a debugger; if it detects signs of an artificial environment, it terminates.

Another distinguishing feature of the Trojan.Scavenger family is a unified algorithm for communicating with the command and control server. Before communication is established, the trojans go through a key-creation and encryption-verification handshake.

This handshake consists of two requests. The first obtains a part of the key, which is then used to encrypt certain parameters and data in later requests. The second verifies the key and carries parameters such as a randomly generated string, the current time, and an encrypted value of that time; the command server responds with the string it received. All subsequent requests include the time parameters, and if they are absent the server refuses the connection.
