Kaspersky Threat Research has uncovered a widespread malware campaign involving a loader known as “RenEngine,” which is being distributed through pirated games and cracked software across multiple countries.
According to Kaspersky, samples of RenEngine were first identified in March 2025, with the company’s security solutions already providing protection at that time. Recent findings reveal that the campaign extends beyond previously reported cracked games, with attackers creating dozens of websites to distribute the malware via unlicensed software, including popular graphics editing tools such as CorelDRAW.
Researchers say the distribution pattern points to opportunistic attacks rather than highly targeted operations. Initially, RenEngine was observed delivering the Lumma stealer. However, current infection chains primarily deploy ACR Stealer as the final payload, while Vidar stealer has also appeared in certain cases.
Infostealers are a class of malware designed to harvest sensitive information from infected devices. Stolen data may include passwords, credit card numbers, cryptocurrency wallet keys, email credentials, and system information, which attackers can exploit for identity theft, financial fraud, account takeover, or sale on underground marketplaces.
The campaign exploits modified versions of games developed using the Ren’Py visual novel engine. When users run infected installers, a fake loading screen appears while malicious scripts execute in the background. These scripts feature sandbox detection techniques and decrypt hidden payloads that initiate a multi-stage infection process through HijackLoader, a modular malware delivery tool.
“This threat extends beyond pirated games — attackers are using the same technique to distribute malware through cracked productivity software, significantly broadening the potential victim pool,” said Pavel Sinenko, lead malware analyst at Kaspersky Threat Research. He warned that if a game engine does not verify the integrity of its resources, attackers can embed malicious code that activates as soon as a user launches the game.
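The integrity gap described above can be checked from the outside by comparing a game's script and archive files against a manifest taken from a known-good release. The following is an added example, not code from Kaspersky or the Ren'Py project; the manifest layout, the extension list, and the sample files are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

# Assumption: file types a Ren'Py game loads as scripts or resource archives.
SCRIPT_EXTS = {".rpy", ".rpyc", ".rpa", ".py"}

def build_manifest(root):
    """Map relative path -> SHA-256 for every script/archive under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in SCRIPT_EXTS:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                with open(full, "rb") as f:
                    manifest[rel] = hashlib.sha256(f.read()).hexdigest()
    return manifest

def verify(root, trusted):
    """Compare the tree against a trusted manifest; return sorted findings."""
    current = build_manifest(root)
    findings = []
    for rel, digest in current.items():
        if rel not in trusted:
            findings.append(("unexpected", rel))   # file the release never shipped
        elif digest != trusted[rel]:
            findings.append(("modified", rel))     # content differs from release
    findings += [("missing", rel) for rel in trusted if rel not in current]
    return sorted(findings)

def demo():
    """Constructed sample: a clean tree, then a tampered copy of it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "game"))
        script = os.path.join(root, "game", "script.rpy")
        with open(script, "w") as f:
            f.write('label start:\n    "Hello"\n')
        trusted = build_manifest(root)          # taken from the clean release
        with open(script, "a") as f:            # simulate a repackaged build
            f.write("# constructed change\n")
        with open(os.path.join(root, "game", "extra.rpyc"), "wb") as f:
            f.write(b"constructed placeholder")
        return verify(root, trusted)

if __name__ == "__main__":
    for kind, rel in demo():
        print(kind, rel)
```

The check is only as good as the manifest's origin: it has to come from the legitimate publisher over a separate trusted channel, which a repackaged download cannot provide for itself.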
Kaspersky products detect RenEngine under the classifications Trojan.Python.Agent.nb and HEUR:Trojan.Python.Agent.gen, while HijackLoader is flagged as Trojan.Win32.Penguish and Trojan.Win32.DllHijacker.
The company advises users to download games and software exclusively from official sources, noting that pirated content remains one of the most common methods for malware distribution. It also recommends using trusted security solutions such as Kaspersky Premium, keeping operating systems and applications updated, and exercising caution toward “free” offers from unofficial websites.
Security experts warn that when paid software is offered for free through unauthorized channels, the real cost may be users’ personal data and digital security.



