- Cheats and mods are now frontlines for cybercrime targeting gamers' wallets and private data
- Verified crypto wallets like MetaMask and Exodus are being drained through browser injection
- Trojan.Scavenger abuses overlooked flaws to disable browser safety and manipulate trusted extensions
Gamers seeking performance enhancements or special abilities through third-party patches and mods may be unwittingly exposing themselves to sophisticated malware, experts have warned.
Recent findings from Dr.Web revealed a malware family known as “Trojan.Scavenger” which targets Windows users by disguising itself as cheats or enhancements for popular games.
This seemingly harmless mod can ultimately compromise crypto wallets, password managers, and web browsers, posing serious risks to user privacy and digital assets.
When cheats become covert threats
The infection chain begins when users download ZIP archives claiming to improve performance in games including the likes of Grand Theft Auto 5 or Oblivion Remastered.
These archives contain modified dynamic libraries, sometimes renamed with extensions like .ASI to resemble legitimate plugin formats.
When the user follows the installation instructions, the malicious library is placed in the same folder as the target game. If the game does not properly validate its libraries, the trojan loads automatically at startup.
In some cases, flaws in library search priorities are essential to the malware’s success, allowing it to hijack execution within the host application.
Once loaded, the malware establishes contact with a command-and-control server using encrypted communication. This process includes verifying encryption keys and checking timestamp consistency, which is meant to evade analysis and block antivirus detection.
The malware doesn’t stop with the initial payload. In more complex infections, it deploys additional trojans that embed themselves in Chromium-based browsers like Chrome, Edge, Opera, and Yandex.
These trojans interfere with browser sandboxing, disable extension verification, and replace legitimate extensions with modified versions.
Crypto wallets such as MetaMask and Phantom, as well as password managers like Bitwarden and LastPass, are among the affected applications.
Modified extensions collect mnemonic phrases, private keys, and stored passwords, which are then transmitted to the attackers' servers.
Exodus, a popular crypto wallet, is also targeted using similar techniques.
By exploiting library loading behavior, the malware extracts sensitive JSON entries, including passphrases and seed data required for generating private keys.
How to stay safe
To stay safe, always apply caution when accessing unofficial content.
Avoid downloading mods or cheats from sketchy forums or unverified sources, especially those shared on torrent platforms or through poorly moderated social media channels.
Antivirus software, while helpful, must be regularly updated to stay effective against evolving threats.
Android antivirus tools may protect mobile platforms, but on desktop systems, more capable solutions are necessary.
Good social media management also helps reduce exposure to malicious content. Limiting interaction with communities known for spreading cracked software or shady patches can lower the risk.
Lastly, checking file paths, verifying digital signatures when available, and restricting admin privileges on daily-use accounts can make it harder for malware to execute successfully.
You might also like
