Cybercriminals are increasingly using tampered game launchers and cracked software to distribute malware, and a campaign recently documented by Securelist analysts shows how refined the technique has become. Feeding on the demand for free access to premium content, the operators hide malware inside what look like legitimate game components, including ones built on the Ren’Py visual novel engine. Victims are typically redirected through several intermediate websites before they download the infected file, which then runs behind what appears to be an ordinary loading screen.
The malware, dubbed RenEngine, has been active since March 2025. It was initially used to deliver Lumma stealer, which harvests passwords and cryptocurrency wallet data; more recent incidents show the operators have switched to delivering ACR Stealer, a sign of an adaptable and persistent threat. The campaign is global, with active incidents reported in Russia, Brazil, and Spain, and it poses a real challenge both to individual users and to standard security products.
The Rise of RenEngine and Evolving Threat Landscape
The distribution of malicious software through pirated games and cracked applications continues to be a highly effective strategy for cybercriminals. By exploiting the widespread desire for free access to premium content, attackers can easily bypass initial user suspicions and deliver complex threats directly to personal devices. A newly identified campaign exemplifies this persistent trend, utilizing a sophisticated loader that hides within modified game launchers to execute a multi-stage infection process without alerting the unsuspecting victim.
This emerging threat leverages the structure of the Ren’Py visual novel engine, making the malicious files appear as legitimate components of the game. Victims who attempt to download these compromised packages are often redirected through multiple websites before finally reaching a file-hosting service. Once the user executes the downloaded file, the malware initiates its operation under the guise of a standard loading screen, effectively masking the background malicious activity that is taking place. Securelist analysts identified the malware as RenEngine, a distinct loader family that has been circulating since March 2025.
Although earlier iterations were primarily used to distribute the Lumma stealer, recent incidents reveal that the attackers have updated their toolkit to deliver ACR Stealer. This evolution demonstrates the adaptability of the threat actors, who have also expanded their targets to include users searching for pirated graphics software and other productivity tools. These stealers are designed to extract passwords, cryptocurrency wallets, and session cookies from the victim’s machine. The impact of this campaign is significant, with widespread active incidents recorded across multiple countries including Russia, Brazil, and Spain.
The use of a modular loader lets the attackers tailor the infection chain, which makes it harder for standard security products to detect and block the initial compromise before data is taken. This adds to the pressures on personal security that 2025 spam and phishing reports also describe, among them AI-assisted phishing and QR code phishing (quishing).
Infection Mechanism and Evasion Tactics
The technical sophistication of RenEngine lies in its ability to avoid detection during the initial execution phase. The attack begins with Python scripts that display a fake game loading screen while performing environment checks in the background. A function named is_sandboxed decides whether the code is running under analysis by security researchers. Only if no analysis environment is detected does the malware call xor_decrypt_file to unpack the next stage from an XOR-encrypted archive bundled with the game files.
After this decryption, the malware uses DLL hijacking to bring in the HijackLoader module: a trusted process is made to load a malicious library in place of the legitimate system library dbghelp.dll, and the loader overwrites that library's memory with its own code so that it executes inside a trusted process. From there it decrypts the final payload, Lumma or ACR Stealer, and injects it into a system process such as explorer.exe. Running inside a trusted process lets the stealer harvest highly sensitive user data while remaining hidden from casual inspection.
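The Python stage described above leaves two things an analyst wants to recover quickly from a suspect Ren’Py package: which scripts carry the loader's function names (is_sandboxed, xor_decrypt_file) or OS APIs a visual novel has no use for, and the XOR key protecting the embedded stage. The following triage helper is an added example, not Securelist's tooling or any code from the campaign. The loader function names come from the article; the list of suspicious APIs, the file signatures, the sample scripts and the encrypted blob are constructed assumptions for the demonstration. Key recovery is a generic known-plaintext attack on a repeating XOR key and is independent of how RenEngine itself stores its key.

```python
"""Triage helper for a Ren'Py package suspected of carrying a RenEngine-style loader.

Added example (not from the original report). It does two things:
  1. flags scripts that reference the loader's known function names or
     OS-level APIs a game script should not need;
  2. recovers a repeating XOR key from an encrypted stage under the
     assumption that the plaintext begins with a known file signature.
"""
import re
from pathlib import Path

# Function names reported for the loader's Python scripts (from the article).
LOADER_NAMES = ("is_sandboxed", "xor_decrypt_file")
# Assumed heuristic: modules and Win32 APIs a Ren'Py game script has no use for.
SUSPICIOUS_APIS = ("ctypes", "subprocess", "winreg",
                   "VirtualAlloc", "WriteProcessMemory", "CreateRemoteThread")
# File signatures a decrypted stage is likely to start with (assumed set).
MAGICS = {
    b"PK\x03\x04": "ZIP archive",
    b"MZ": "PE executable",
    b"\x7fELF": "ELF executable",
}

_WORD = {name: re.compile(r"\b" + re.escape(name) + r"\b")
         for name in LOADER_NAMES + SUSPICIOUS_APIS}


def scan_script(text):
    """Return the sorted indicator names that appear in one script's source."""
    return sorted(name for name, rx in _WORD.items() if rx.search(text))


def scan_scripts(sources):
    """sources: {relative path: source text}. Returns {path: [indicators]} for files with hits."""
    findings = {}
    for path, text in sources.items():
        hits = scan_script(text)
        if hits:
            findings[path] = hits
    return findings


def scan_package(root):
    """Read every .py/.rpy file under an extracted package directory and triage it."""
    root = Path(root)
    sources = {str(p.relative_to(root)): p.read_text(errors="replace")
               for p in root.rglob("*") if p.suffix.lower() in (".py", ".rpy")}
    return scan_scripts(sources)


def xor_bytes(data, key):
    """Repeating-key XOR; the same call both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(blob, max_key_len=8):
    """Known-plaintext recovery of a repeating XOR key.

    For each candidate signature and key length, derive the key from the
    first klen bytes of the blob and verify it against the remaining
    signature bytes. At least one verification byte is required, so the
    key can never be longer than len(signature) - 1 (a 2-byte "MZ" header
    only supports 1-byte keys). Returns (key, description) or None.
    """
    for magic, desc in MAGICS.items():
        for klen in range(1, min(max_key_len, len(magic) - 1) + 1):
            key = bytes(blob[i] ^ magic[i] for i in range(klen))
            if xor_bytes(blob[:len(magic)], key) == magic:
                return key, desc
    return None


def demo():
    """Constructed sample: one benign script, one loader-style script, one encrypted ZIP stage."""
    sources = {
        "game/script.rpy": 'label start:\n    "Welcome to the game."\n    return\n',
        "game/loader.py": (
            "import os, ctypes\n"
            "def is_sandboxed():\n    return os.cpu_count() < 2\n"
            "def xor_decrypt_file(path, key):\n    ...\n"
        ),
    }
    findings = scan_scripts(sources)
    key = b"\x5a\xa3\x17"                                   # constructed key
    stage = b"PK\x03\x04\x14\x00\x00\x00\x08\x00" + b"\x00" * 22  # constructed ZIP header prefix
    encrypted = xor_bytes(stage, key)
    return findings, recover_xor_key(encrypted)


if __name__ == "__main__":
    found, recovered = demo()
    for path, hits in found.items():
        print(f"{path}: {', '.join(hits)}")
    print("recovered key:", recovered)
```

Point scan_package at the extracted game directory; any script that names is_sandboxed or xor_decrypt_file, or pulls in ctypes, is worth opening first. Once the encrypted stage is located, recover_xor_key gives the key and the likely file type of the decrypted payload, which tells you whether to hand it to a PE analysis pipeline or unpack it as an archive.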
The ongoing evolution of malware delivery methods, such as the RenEngine loader, underscores the need for continuous vigilance and updated security practices. As attackers refine their techniques, users are advised to exercise extreme caution when downloading software from unofficial sources, even when presented with seemingly legitimate game launchers or application installers. The focus on stealing sensitive data like passwords and cryptocurrency wallets suggests that financial gain remains a primary motivator for these campaigns. Future developments may involve further integration with AI for more convincing social engineering tactics or more advanced evasion techniques.