Sample

Metadata

SHA256
5bed39728e404838ecd679df65048abcb443f8c7a9484702a2ded60104b8c4a9
Difficulty
medium
Platform
Windows
Tags
api hashing anti-vm supply chain
Likes
1
Views
2
Submitter
humpty_tony

Analysis

Goal

This post’s goal is to teach someone how to take a “real-world” supply-chain DLL dropper/loader and turn it into a set of actionable reversing primitives:
- Reconstruct the full execution chain from NPM install hook → rundll32 execution of a shipped DLL export → staged loader → staged stealer, and understand where “initial access” ends and “payload logic” begins.
- Deobfuscate a modern loader’s internals efficiently by focusing on the repeatable patterns that matter:
  - PEB-walking + import hashing
  - Encrypted static strings
  - Hook checks + indirect syscalls
- Extract a protocol/crypto story from messy networking code, even if you don’t fully reverse the C2.

Description

Scavenger is a Windows-focused malware chain delivered through a compromised NPM package (eslint-config-prettier and others). On install, a malicious install.js runs on Windows only, spawning rundll32.exe to execute a bundled DLL (node-gyp.dll, acting as the Scavenger loader).

The loader (a Visual Studio C++ DLL whose compile timestamp falls on the day it was distributed) launches its main logic in a new thread and performs heavy anti-analysis and evasion:
- Anti-VM via SMBIOS enumeration (GetSystemFirmwareTable / “RSMB”) looking for VM vendor strings.
- Tool/AV detection by checking for known hook/debug/sandbox DLLs.
- Environment checks (CPU count, console presence, marker directory) and intentional crash behavior on suspicion.
- Runtime API resolution using CRC32-hashed function names by walking the PEB module list.
- Hook identification by sanity-checking prologue bytes of selected APIs.
- Indirect syscalls / syscall stub reconstruction to bypass userland EDR hooks (notably to hide threads / query system info).
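The SMBIOS anti-VM check from the first bullet, as an added example (not the post's or the sample's code): it parses the RawSMBIOSData buffer that GetSystemFirmwareTable('RSMB') returns and flags vendor strings in the BIOS/System/Baseboard/Chassis structures. The hypervisor marker list is an assumption standing in for whatever list the loader carries, and the two buffers at the bottom are constructed, not dumps from real hosts:

```python
# Added example (not the post's or the sample's code): parse the raw SMBIOS
# table returned by GetSystemFirmwareTable('RSMB') and flag the vendor strings
# an anti-VM check looks for. VM_MARKERS is an assumption, not the loader's list.
import struct
import sys

RSMB = 0x52534D42  # 'RSMB' provider signature passed to GetSystemFirmwareTable
# Typical hypervisor markers; the sample's own list must be read from the binary.
VM_MARKERS = ("vmware", "virtualbox", "innotek", "qemu", "kvm", "xen",
              "bochs", "parallels", "virtual machine")


def parse_raw_smbios(blob: bytes):
    """Split a RawSMBIOSData buffer into (type, formatted_bytes, strings) tuples.

    Layout: 8-byte header (Used20CallingMethod, major, minor, DmiRevision,
    DWORD Length) followed by SMBIOS structures, each a 4-byte header
    (type, length, handle) + formatted area + NUL-terminated string set ended
    by a double NUL. Type 127 marks the end of the table.
    """
    _used20, _major, _minor, _dmirev, length = struct.unpack_from("<BBBBI", blob, 0)
    data = blob[8:8 + length]
    structures, pos = [], 0
    while pos + 4 <= len(data):
        stype, slen, _handle = struct.unpack_from("<BBH", data, pos)
        if slen < 4:
            break
        formatted = data[pos:pos + slen]
        pos += slen
        strings = []
        while pos < len(data):
            end = data.find(b"\x00", pos)
            if end == -1:
                end = len(data)
            s = data[pos:end]
            pos = end + 1
            if not s:          # empty string terminates the string set
                break
            strings.append(s.decode("ascii", "replace"))
        if not strings:
            pos += 1           # a structure with no strings ends in two NULs
        structures.append((stype, formatted, strings))
        if stype == 127:
            break
    return structures


def smbios_vm_indicators(blob: bytes):
    """Vendor-bearing structures (BIOS, System, Baseboard, Chassis) whose
    strings contain a hypervisor marker. Returns [(type, string), ...]."""
    hits = []
    for stype, _formatted, strings in parse_raw_smbios(blob):
        if stype in (0, 1, 2, 3):
            for s in strings:
                if any(m in s.lower() for m in VM_MARKERS):
                    hits.append((stype, s))
    return hits


def raw_marker_scan(blob: bytes):
    """What a loader typically does instead of parsing: substring-search the whole buffer."""
    low = blob.lower()
    return [m for m in VM_MARKERS if m.encode() in low]


def read_rsmb_on_windows() -> bytes:
    """Fetch the live table; only works on Windows (ctypes.windll)."""
    if sys.platform != "win32":
        raise RuntimeError("GetSystemFirmwareTable is Windows-only")
    import ctypes
    k32 = ctypes.windll.kernel32
    size = k32.GetSystemFirmwareTable(RSMB, 0, None, 0)
    buf = ctypes.create_string_buffer(size)
    k32.GetSystemFirmwareTable(RSMB, 0, buf, size)
    return buf.raw


# ---- constructed sample buffers (not dumps from a real machine) ----------

def _structure(stype: int, handle: int, tail: bytes, strings) -> bytes:
    if strings:
        strset = b"".join(s.encode() + b"\x00" for s in strings) + b"\x00"
    else:
        strset = b"\x00\x00"
    return struct.pack("<BBH", stype, 4 + len(tail), handle) + tail + strset


def build_demo_blob(bios_vendor, bios_version, manufacturer, product) -> bytes:
    bios = _structure(0, 0x0000, bytes([1, 2, 0x00, 0xE0, 3, 0]) + b"\x00" * 8,
                      [bios_vendor, bios_version, "12/01/2006"])   # Type 0, len 0x12
    system = _structure(1, 0x0001, bytes([1, 2, 3, 4]) + b"\x00" * 16 + bytes([6, 0, 0]),
                        [manufacturer, product, "1.2", "0"])       # Type 1, len 0x1B
    end = _structure(127, 0x0002, b"", [])                          # end-of-table
    table = bios + system + end
    return struct.pack("<BBBBI", 0, 2, 7, 0, len(table)) + table


VBOX_LIKE = build_demo_blob("innotek GmbH", "VirtualBox", "innotek GmbH", "VirtualBox")
BARE_METAL = build_demo_blob("Acme BIOS", "1.14.0", "Acme Computers", "Model 7420")

if __name__ == "__main__":
    print(smbios_vm_indicators(VBOX_LIKE), raw_marker_scan(BARE_METAL))
```

The structured parse tells you which field tripped the check (useful when hardening a sandbox image, since BIOS vendor and System manufacturer are set separately), while raw_marker_scan mirrors the cheaper memmem-style scan a loader is more likely to do; when reversing, the marker strings are usually among the encrypted static strings rather than in the clear.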

For C2, Scavenger uses libcurl and encrypts traffic with XXTEA, wrapping blobs in base64 and performing a simple integrity/echo check during early comms. A second stage (“Scavenger Stealer”) shares the same obfuscation and comms patterns and contains strings strongly associated with Chromium data locations, suggesting browser data theft. A sloppy variant includes a direct curl command and a leftover PDB path that reinforces the “Scavenger” naming and helps link the activity to a related BeamNG-distributed campaign.
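The XXTEA + base64 blob handling and the early echo check described above, as an added example (not the post's or the sample's code). XXTEA itself is the published corrected-block-TEA algorithm; the framing around it (little-endian 32-bit words, zero padding, plaintext length stored in the last word) is an assumption that has to be confirmed against the binary, and the key and messages are constructed:

```python
# Added example (not the post's or the sample's code): XXTEA (corrected block
# TEA) with the base64 wrapping the post describes, plus an echo check of the
# kind used early in the comms. ASSUMPTION: little-endian words, zero padding
# and a trailing length word; confirm the real framing in the decompilation.
import base64
import struct

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF


def _mx(s, y, z, p, e, k):
    # The XXTEA mixing term, evaluated in 32-bit arithmetic.
    a = ((z >> 5) ^ ((y << 2) & MASK)) + ((y >> 3) ^ ((z << 4) & MASK))
    b = (s ^ y) + (k[(p & 3) ^ e] ^ z)
    return (a ^ b) & MASK


def _encrypt_words(v, k):
    n = len(v)
    rounds = 6 + 52 // n
    s, z = 0, v[n - 1]
    for _ in range(rounds):
        s = (s + DELTA) & MASK
        e = (s >> 2) & 3
        for p in range(n - 1):
            y = v[p + 1]
            v[p] = (v[p] + _mx(s, y, z, p, e, k)) & MASK
            z = v[p]
        y = v[0]
        v[n - 1] = (v[n - 1] + _mx(s, y, z, n - 1, e, k)) & MASK
        z = v[n - 1]
    return v


def _decrypt_words(v, k):
    n = len(v)
    rounds = 6 + 52 // n
    s, y = (rounds * DELTA) & MASK, v[0]
    for _ in range(rounds):
        e = (s >> 2) & 3
        for p in range(n - 1, 0, -1):
            z = v[p - 1]
            v[p] = (v[p] - _mx(s, y, z, p, e, k)) & MASK
            y = v[p]
        z = v[n - 1]
        v[0] = (v[0] - _mx(s, y, z, 0, e, k)) & MASK
        y = v[0]
        s = (s - DELTA) & MASK
    return v


def xxtea_encrypt(data: bytes, key: bytes) -> bytes:
    """Zero-pad to 32-bit words, append the plaintext length as the last word, encrypt."""
    k = list(struct.unpack("<4I", key))          # 128-bit key as four LE words
    n_words = max(2, (len(data) + 3) // 4 + 1)   # XXTEA needs at least two words
    padded = data.ljust((n_words - 1) * 4, b"\x00")
    v = list(struct.unpack("<%dI" % (n_words - 1), padded)) + [len(data)]
    return struct.pack("<%dI" % n_words, *_encrypt_words(v, k))


def xxtea_decrypt(blob: bytes, key: bytes) -> bytes:
    k = list(struct.unpack("<4I", key))
    n_words = len(blob) // 4
    v = _decrypt_words(list(struct.unpack("<%dI" % n_words, blob)), k)
    plain, length = struct.pack("<%dI" % (n_words - 1), *v[:-1]), v[-1]
    if length > len(plain):
        raise ValueError("length word out of range: wrong key or wrong framing")
    return plain[:length]


def wrap(data: bytes, key: bytes) -> str:
    """Encrypt and base64-wrap one C2 blob."""
    return base64.b64encode(xxtea_encrypt(data, key)).decode("ascii")


def unwrap(text: str, key: bytes) -> bytes:
    return xxtea_decrypt(base64.b64decode(text), key)


def echo_check(sent: bytes, reply_b64: str, key: bytes) -> bool:
    """Illustrative early-comms check: the server's reply must decrypt to what was sent."""
    try:
        return unwrap(reply_b64, key) == sent
    except ValueError:
        return False


KEY = b"0123456789abcdef"      # constructed 128-bit key, not the sample's

if __name__ == "__main__":
    hello = b"hello from the client"
    on_wire = wrap(hello, KEY)
    print(on_wire, echo_check(hello, on_wire, KEY), echo_check(hello, on_wire, b"f" * 16))
```

To confirm you are looking at XXTEA rather than TEA or XTEA in the decompilation, the constant 0x9E3779B9 is shared by the whole family, but the 6 + 52/n round count and the single loop that mixes each word with both neighbours are specific to XXTEA. If the loader's mixing expression differs from _mx, or it pads differently, change only that part; the base64 and echo logic stay the same.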

Recommended Tools

Binary Ninja
