{
	"id": "fe160156-41a6-4491-9202-b970fa5c4df8",
	"created_at": "2026-04-06T00:07:54.651684Z",
	"updated_at": "2026-04-10T13:12:16.249273Z",
	"deleted_at": null,
	"sha1_hash": "ef234c465545a072651ce55d13200f5601360f19",
	"title": "Gamers, get ready: scammers disguise cryptocurrency and password-stealing Scavenger trojans as cheats and mods",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 58914,
	"plain_text": "Gamers, get ready: scammers disguise cryptocurrency and\r\npassword-stealing Scavenger trojans as cheats and mods\r\nPublished: 2025-07-24 · Archived: 2026-04-05 13:34:45 UTC\r\nJuly 24, 2025\r\nDoctor Web’s virus laboratory has detected Trojan.Scavenger—a family of malicious apps that threat\r\nactors use to steal confidential data from crypto wallets and password managers from Windows users.\r\nThreat actors chain together several trojans from this family, exploiting DLL Search Order Hijacking\r\nvulnerabilities to execute their payloads and exfiltrate data.\r\nIntroduction\r\nIn 2024, the company Doctor Web investigated an information security incident, involving an attempt to carry out\r\na targeted attack on a Russian enterprise. The attack’s scheme included using malware that exploited the DLL\r\nSearch Order Hijacking vulnerability in a popular web browser. When Windows applications launch, they search\r\n—in different locations and in a certain sequence—for all the libraries they need to operate properly. To “trick” the\r\napps, attackers place malicious DLL files where they will be searched for first, such as in the installation directory\r\nof the target software. At the same time, the threat actors give their trojan files the names of legitimate libraries\r\nlocated in directories that have a lesser search priority. As a result, when launched, vulnerable apps will load\r\nmalicious DLL files first. These trojan libraries operate as part of the apps and get the same permissions.\r\nFollowing the incident in question, our specialists implemented functionality in Dr.Web anti-virus products that\r\nmake it possible to track and prevent attempts to exploit DLL Search Order Hijacking vulnerabilities. While\r\nanalyzing the telemetry data of this feature, Doctor Web’s virus analysts detected attempts to download previously\r\nunknown malware into several browsers of our clients. 
Our investigation into these cases allowed us to uncover a\r\nnew hacker campaign, which is the subject of this article.\r\nTrojan.Scavenger malicious programs infect computers in several stages; an infection starts with downloader\r\ntrojans reaching the target system by various routes. Our specialists detected two infection chains in this campaign,\r\ndiffering in the number of trojan components involved.\r\nChain of three loaders\r\nIn this chain, the starting component is Trojan.Scavenger.1, a dynamic library (a DLL file).\r\nIt can be distributed via torrents and game-related sites either as part of pirated games or under the guise of\r\nvarious patches, cheats, and mods. Next, we will look at an example where scammers passed the trojan off as a\r\npatch.\r\nTrojan.Scavenger.1 is distributed in a ZIP archive along with installation instructions in which the fraudsters\r\nencourage the potential victim to place the “patch” into the Oblivion Remastered game directory, allegedly to\r\nimprove its performance:\r\nhttps://news.drweb.com/show/?i=15036\u0026lng=en\r\nPage 1 of 4\n\nDrag umpdc.dll and engine.ini to the game folder:\r\n\\steamapps\\common\\Oblivion Remastered\\OblivionRemastered\\Binaries\\Win64\r\n \r\nEngine.ini will automatically be loaded by the module.\r\nThe module will also apply some native patches to improve performance\r\nThe attackers chose the name of the malicious file deliberately: a legitimate system library named\r\numpdc.dll is located in the Windows system directory %WINDIR%\\System32 and is loaded by\r\nvarious programs, including games. If the victim’s version of the game has an unpatched vulnerability, the copied\r\ntrojan file will automatically be launched along with it. 
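As an added illustration of the search order just described, here is a small Python model (example code written for this edit, not Doctor Web’s, and not taken from the malware): it resolves a bare DLL name the way the Windows loader does with SafeDllSearchMode enabled and flags application directories that contain a DLL whose name shadows a library in System32, the pattern behind umpdc.dll, version.dll and profapi.dll in this campaign. The Steam, Chrome and Exodus install paths, the executable names and the KnownDLLs subset in the sample tree are assumptions constructed for the demo; on a real host the tree would come from a directory walk.

```python
# Added example (not Doctor Web's code): model the default Windows DLL search
# order and flag application directories that shadow a System32 library name.
from pathlib import PureWindowsPath

# Illustrative subset of the KnownDLLs list (an assumption: the real list is
# read from the registry). These always come from System32, so a same-named
# file in the application directory cannot hijack them.
KNOWN_DLLS = {'kernel32.dll', 'ntdll.dll', 'user32.dll', 'advapi32.dll', 'gdi32.dll'}

WINDIR = 'C:/Windows'  # forward slashes: PureWindowsPath normalises them


def search_order(app_dir, windir=WINDIR, cwd=None, path_dirs=()):
    # Order the loader uses for a bare DLL name with SafeDllSearchMode enabled
    # (the default): application directory, System32, the 16-bit System
    # directory, the Windows directory, the current directory, then PATH.
    win = PureWindowsPath(windir)
    dirs = [PureWindowsPath(app_dir), win / 'System32', win / 'System', win]
    if cwd is not None:
        dirs.append(PureWindowsPath(cwd))
    dirs.extend(PureWindowsPath(p) for p in path_dirs)
    return dirs


def resolve(dll_name, tree, app_dir, windir=WINDIR, cwd=None, path_dirs=()):
    # tree maps a directory (PureWindowsPath) to the set of file names in it;
    # here it stands in for a directory walk. Returns the path the loader
    # would pick for dll_name, or None if nothing matches.
    name = dll_name.lower()
    if name in KNOWN_DLLS:
        return PureWindowsPath(windir) / 'System32' / name
    for d in search_order(app_dir, windir, cwd, path_dirs):
        if name in {f.lower() for f in tree.get(d, ())}:
            return d / name
    return None


def find_shadowing(tree, app_dir, windir=WINDIR):
    # Names present both in app_dir and in System32 (minus KnownDLLs): each is
    # a hijack candidate, because with the default order the app copy wins.
    sys32 = PureWindowsPath(windir) / 'System32'
    app_files = {f.lower() for f in tree.get(PureWindowsPath(app_dir), ())}
    sys_files = {f.lower() for f in tree.get(sys32, ())}
    return sorted((app_files & sys_files) - KNOWN_DLLS)


# Constructed sample tree mirroring the drops described in the article. Install
# paths and executable names are assumptions made for the demo; the stray
# kernel32.dll in the game folder is there to show the KnownDLLs protection.
GAME_DIR = ('C:/Program Files (x86)/Steam/steamapps/common/Oblivion Remastered/'
            'OblivionRemastered/Binaries/Win64')
CHROME_DIR = 'C:/Program Files/Google/Chrome/Application'
EXODUS_DIR = 'C:/Users/victim/AppData/Local/exodus/app-1.0.0'
SAMPLE_TREE = {
    PureWindowsPath(WINDIR) / 'System32': {'umpdc.dll', 'version.dll', 'profapi.dll',
                                           'kernel32.dll', 'ntdll.dll'},
    PureWindowsPath(GAME_DIR): {'OblivionRemastered.exe', 'umpdc.dll',
                                'kernel32.dll', 'engine.ini'},
    PureWindowsPath(CHROME_DIR): {'chrome.exe', 'version.dll'},
    PureWindowsPath(EXODUS_DIR): {'Exodus.exe', 'profapi.dll'},
}


def hijack_report(tree=SAMPLE_TREE, windir=WINDIR):
    # For every non-Windows directory in the tree, list shadowing names and the
    # path the loader would actually resolve them to.
    win = PureWindowsPath(windir)
    report = {}
    for d in tree:
        if d == win or win in d.parents:
            continue
        for name in find_shadowing(tree, d, windir):
            report[(str(d), name)] = str(resolve(name, tree, d, windir))
    return report


if __name__ == '__main__':
    for (directory, name), winner in hijack_report().items():
        print(f'{name} in {directory}: loader picks {winner}')
```

On a live system, replace SAMPLE_TREE with a walk of the browser, game and wallet install directories and treat every hit as a file to hash and check for a valid Authenticode signature. The check is a triage signal only: an application that loads the library by full path, or a name on the KnownDLLs list, is not hijackable this way, which is exactly the distinction the next sentence of the article draws for Oblivion Remastered.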
It is worth noting that the version of Oblivion\r\nRemastered current at the time of the study handled the library search order for the file\r\numpdc.dll correctly; for this reason, in the example in question, Trojan.Scavenger.1 could not automatically start with the\r\ngame and continue the infection chain.\r\nWhen successfully launched, the trojan downloads from a remote server and launches the next stage, the\r\nmalicious downloader Trojan.Scavenger.2 (tmp6FC15.dll). In turn, this trojan downloads and installs other\r\nmodules from this family into the system: Trojan.Scavenger.3 and Trojan.Scavenger.4.\r\nTrojan.Scavenger.3 is a dynamic library named version.dll that is copied into the directory of one of the target\r\nChromium-based browsers. The file has the same name as one of the system libraries in the\r\ndirectory %WINDIR%\\System32. Browsers vulnerable to DLL Search Order Hijacking do not check where a\r\nlibrary with this name is loaded from, and since the trojan file sits in the browser’s own directory, it takes priority over the\r\nlegitimate system library and is loaded first. Our virus analysts detected attempts to exploit this vulnerability in\r\nthe browsers Google Chrome, Microsoft Edge, Yandex Browser, and Opera.\r\nWhen launched, Trojan.Scavenger.3 disables the target browser’s protective mechanisms, such as the mechanism\r\nthat launches its sandbox, so that JavaScript code executes in the main process’s memory space. Moreover, the\r\ntrojan disables the verification of browser extensions. To do so, it locates the relevant Chromium\r\nlibrary by the presence of the exported function CrashForExceptionInNonABICompliantCodeRange in it. 
Next, it\r\nsearches for the extension verification routine in this library and patches it.\r\nAfter that, the trojan modifies the target extensions installed in the browser, receiving the necessary modifications in\r\nthe form of JavaScript code from the C2 server. The following extensions are modified:\r\ncrypto wallets: Phantom, Slush, MetaMask\r\npassword managers: Bitwarden, LastPass\r\nIn this case, it is not the originals that are modified but copies that the trojan has placed in advance in the directory\r\n%TEMP%/ServiceWorkerCache. To make the browser “pick up” the modified extensions,\r\nTrojan.Scavenger.3 hooks the functions CreateFileW and GetFileAttributesExW, substituting the local paths of\r\nthe original files with paths to the modified copies (Dr.Web detects the latter as Trojan.Scavenger.5).\r\nThe modifications themselves come in two variants:\r\na time stamp is added to the Cookie;\r\na routine for sending user data to the C2 server is added.\r\nThe attackers obtain mnemonic phrases from the Phantom, Slush, and MetaMask crypto wallets. From the password managers they obtain the\r\nauthorization Cookie (Bitwarden) and the user’s stored passwords (LastPass).\r\nIn turn, Trojan.Scavenger.4 (profapi.dll) is copied to the directory containing the installed Exodus crypto wallet.\r\nThe trojan is launched automatically with this app, again by exploiting a DLL Search Order Hijacking\r\nvulnerability in it (the legitimate system library profapi.dll is located in the directory %WINDIR%\\System32, but\r\ndue to the vulnerability, the loading priority goes to the trojan file when the wallet is launched).\r\nAfter it starts, Trojan.Scavenger.4 hooks the function v8::String::NewFromUtf8 of the V8 engine, which is\r\nresponsible for executing JavaScript and WebAssembly. Through this hook the malicious app can observe various\r\nuser data as strings are created. 
In the case of the Exodus program, the trojan searches for JSON that contains the key passphrase and\r\nreads its value. As a result, it obtains the user’s mnemonic phrase, which can be used to decrypt or regenerate the\r\nprivate key for the victim’s crypto wallet. Next, the trojan locates the wallet’s private key file seed.seco,\r\nreads it, and sends it to the C2 server together with the mnemonic phrase obtained earlier.\r\nChain of two loaders\r\nIn general, this chain is identical to the first one. However, instead of Trojan.Scavenger.1, the distributed archives\r\nwith the “patches” and “cheats” for games contain a modified version of Trojan.Scavenger.2. It is presented not\r\nas a DLL file but as a file with the extension .ASI (actually a dynamic library with a changed extension).\r\nThe archive also comes with installation instructions:\r\nCopy BOTH the Enhanced Native Trainer folder and \"Enhanced Native Trainer.asi\" to the same folder as the scriptho\r\nAfter the user copies the file to the specified directory, it runs automatically when the target game is launched,\r\nbecause the game accepts it as one of its own plugins. From this point on, the infection chain repeats the steps of the first variant.\r\nThe family’s common features\r\nMost of this family’s trojans share a number of common features. One of them is a standard routine for\r\nchecking the running environment to detect a virtual machine or debug mode. If the trojans detect signs that they are\r\nbeing launched in a virtual environment, they stop working.\r\nAnother common attribute of the family is the general algorithm for communicating with the C2 server. To\r\nconnect to it, the trojans go through a procedure of creating an encryption key and verifying the encryption. This\r\ninvolves sending two requests. 
The first one is needed to receive part of the key that is used for encrypting some\r\nparameters and data in certain requests. The second request is executed to check the key and contains several\r\nparameters, including a randomly generated string, the current time, and the encrypted time value. The C2 server\r\nresponds to this request with the string it received earlier. All subsequent requests carry time parameters, and if\r\nthey are missing, the server refuses to establish the connection.\r\nFor detailed technical descriptions of the malicious programs detected, please refer to the PDF version of the\r\nstudy or visit the Doctor Web virus library.\r\nMore about Trojan.Scavenger.1\r\nMore about Trojan.Scavenger.2\r\nMore about Trojan.Scavenger.3\r\nMore about Trojan.Scavenger.4\r\nMore about Trojan.Scavenger.5\r\nConclusion\r\nWe notified the developers whose software was exploited via the security flaws we detected, but they deemed the\r\nDLL Search Order Hijacking vulnerabilities as not requiring a fix. However, the protection against this type of\r\nattack that we added to our Dr.Web anti-virus products successfully counteracted the exploitation of\r\nvulnerabilities in the affected browsers even before we learned about the Trojan.Scavenger malware family.\r\nBecause of that, these trojans did not pose a threat to our users. And as part of this study, we also added the\r\ncorresponding protection for the Exodus crypto wallet app.\r\nIndicators of compromise\r\nSource: https://news.drweb.com/show/?i=15036\u0026lng=en",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://news.drweb.com/show/?i=15036\u0026lng=en"
	],
	"report_names": [
		"?i=15036\u0026lng=en"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434074,
	"ts_updated_at": 1775826736,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ef234c465545a072651ce55d13200f5601360f19.pdf",
		"text": "https://archive.orkl.eu/ef234c465545a072651ce55d13200f5601360f19.txt",
		"img": "https://archive.orkl.eu/ef234c465545a072651ce55d13200f5601360f19.jpg"
	}
}