Trojan.Scavenger Disguised as Game Cheats and Mods Steals Crypto Wallets and Passwords

Dr. Web researchers have discovered a stealthy new malware family, Trojan.Scavenger, designed to steal data from cryptocurrency wallets (MetaMask, Phantom, Slush, Exodus) and password managers (Bitwarden, LastPass). The malware targets Windows users and abuses a known technique: DLL Search Order Hijacking, where malicious files are loaded in place of legitimate ones.
The campaign is widespread and actively distributed via pirated games, cheat engines, and unofficial mods—often targeting players on torrent sites and niche gaming forums.
How the Attack Works
1. Initial Infection – Trojan.Scavenger.1
The infection chain starts with the user downloading a fake mod, patch, or performance enhancer—often bundled in ZIP archives alongside forged installation instructions.
Example: A malicious ZIP file for "Oblivion Remastered Performance Patch" includes a rogue umpdc.dll, tricking users into placing it in the game folder.
(Note: The legitimate umpdc.dll is a Windows system file. Scavenger hijacks it by abusing DLL load order behavior.)
Once executed, the malware silently downloads Trojan.Scavenger.2 (tmp6FC15.dll) from a remote command-and-control (C2) server.
2. Browser Exploitation – Trojan.Scavenger.3
This second-stage payload poses as version.dll inside Chromium-based browsers like Chrome, Edge, Yandex, and Opera. It disables key browser security mechanisms:
- Turns off sandboxing (removes JavaScript execution isolation)
- Bypasses extension verification by patching the CrashForExceptionInNonABICompliantCodeRange function
- Replaces extensions like MetaMask, Phantom, Bitwarden, and LastPass with malicious clones stored in %TEMP%/ServiceWorkerCache
Once active, the malware exfiltrates:
- Crypto wallet private keys and seed phrases
- Authentication cookies from Bitwarden
- Saved passwords from LastPass
3. Targeted Attack on Exodus Wallet – Trojan.Scavenger.4
For users with Exodus installed, the malware plants a rogue profapi.dll in the wallet’s directory. It intercepts V8 JavaScript engine functions to monitor JSON-based data exchange.
It specifically looks for:
- Mnemonic recovery phrases
- Seed files (seed.seco)
- Private keys and wallet metadata
Key Findings
✔ Two infection chains:
- A 3-stage chain leveraging multiple DLLs
- A lighter 2-stage variant using .ASI plugin files (common in game mods)
✔ Evasion tactics:
- Detects virtual machines and debuggers; quits execution if found
- Uses encrypted C2 channels and time-based tokens to avoid replay attacks
✔ Targeted browsers:
- Chrome, Edge, Yandex, Opera
✔ Exploited applications:
- Exodus, MetaMask, Phantom, Bitwarden, LastPass
Protection Recommendations
- Avoid pirated content: Download only from official game stores and developer websites
- Verify DLL file locations: Malicious DLLs often hide in local app folders—not System32
- Watch your extensions: If a browser extension behaves strangely, remove it immediately
- Use hardware wallets: These are immune to DLL hijacking and provide better isolation
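A triage script in the spirit of the "Verify DLL file locations" recommendation, added here as an example rather than taken from Dr. Web's advisory: it walks an application folder for the three system DLL names this article reports Scavenger planting (umpdc.dll, version.dll, profapi.dll) and compares each against the copy in a System32 directory you point it at. The demo() layout, the folder name and the file contents are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# System DLL names the article reports Trojan.Scavenger planting beside the target
# application (umpdc.dll in the game folder, version.dll beside Chromium browsers,
# profapi.dll in the Exodus directory). The genuine files live in System32.
HIJACKED_SYSTEM_DLLS = {"umpdc.dll", "version.dll", "profapi.dll"}

def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def find_shadowing_dlls(app_dir, system32_dir, watch=HIJACKED_SYSTEM_DLLS):
    """Map each watched DLL under app_dir to a verdict: 'differs-from-system32'
    (same name, different bytes: the pattern in the article, act on it first),
    'same-as-system32' (byte-identical copy, still out of place, ask which
    installer put it there) or 'name-only' (no System32 file to compare with)."""
    app_dir, sys_dir = Path(app_dir), Path(system32_dir)
    verdicts = {}
    for dll in app_dir.rglob("*.dll"):
        name = dll.name.lower()
        if name not in watch:
            continue
        genuine = sys_dir / name
        if not genuine.is_file():
            verdicts[str(dll)] = "name-only"
        elif sha256_of(dll) == sha256_of(genuine):
            verdicts[str(dll)] = "same-as-system32"
        else:
            verdicts[str(dll)] = "differs-from-system32"
    return verdicts

def demo():
    """Constructed layout, not real samples: a game folder carrying a rogue
    umpdc.dll, a duplicated version.dll and an unmatched profapi.dll, next
    to a stand-in System32 directory. Returns {dll name: verdict}."""
    root = Path(tempfile.mkdtemp())
    game, sys32 = root / "OblivionRemastered", root / "System32"
    game.mkdir(); sys32.mkdir()
    (sys32 / "umpdc.dll").write_bytes(b"constructed genuine umpdc")
    (game / "umpdc.dll").write_bytes(b"constructed rogue umpdc")          # differs
    (sys32 / "version.dll").write_bytes(b"constructed genuine version")
    (game / "version.dll").write_bytes(b"constructed genuine version")    # same
    (game / "profapi.dll").write_bytes(b"no System32 counterpart here")  # name-only
    (game / "game_engine.dll").write_bytes(b"not a watched name, ignored")
    return {Path(p).name: v for p, v in find_shadowing_dlls(game, sys32).items()}
```

Outside the demo, call find_shadowing_dlls with a real game or wallet folder and C:\Windows\System32; a 'differs-from-system32' hit is the file to quarantine and submit for analysis.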
Expert Commentary
“Trojan.Scavenger shows how attackers abuse legitimate software mechanisms. Users downloading ‘game patches’ may unknowingly hand over crypto keys and passwords,” said Dr. Web’s malware analysis team in their advisory.
Current Status
- Active attacks ongoing
- Dr. Web antivirus detects and blocks known variants of Trojan.Scavenger
- Indicators of Compromise (IOCs) and file hashes have been shared with threat intelligence platforms