ISLAMABAD: Kaspersky Threat Research has disclosed details of a malware distribution campaign known as RenEngine, which spreads through pirated games and unlicensed software. The cybersecurity firm said it first detected samples of the loader in March 2025 and had already implemented protections for users at that time.
According to Kaspersky, the RenEngine campaign extends beyond cracked video games to include pirated productivity tools, such as graphics editing software. Researchers identified dozens of websites distributing infected installers, widening the potential victim base to users seeking unofficial copies of paid applications.
Kaspersky reported incidents across multiple countries, describing the activity pattern as opportunistic rather than targeted. When first observed, RenEngine delivered the Lumma stealer. Recent infection chains have deployed ACR Stealer, while Vidar stealer has also been identified in some cases.
Infostealers are a category of malware designed to extract sensitive data from compromised devices. Stolen information may include login credentials, credit card details, cryptocurrency wallet keys and system data. Such data is often used for account takeover, financial fraud or resale on underground forums.
How the malware spreads
Researchers said attackers modified games built on the Ren’Py visual novel engine. When users launched infected installers, a fake loading screen appeared while malicious scripts executed in the background.
The malware reportedly includes sandbox detection features and decrypts a secondary payload that initiates a multi-stage infection process. This process involves HijackLoader, a modular tool used to deliver additional malicious components.
Pavel Sinenko, lead malware analyst at Kaspersky Threat Research, said the campaign demonstrates how attackers exploit weaknesses in software integrity checks. He noted that if an engine does not verify its resources, malicious code can be embedded and executed when a user starts the application.
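The resource verification Sinenko describes can be approximated from the defender's side with a file audit. This is an added example, not code from Kaspersky or the Ren'Py project. It assumes a trusted manifest of SHA-256 hashes obtained separately from the install; the extension list and the function names are hypothetical. It reports files that were modified, are missing, or were added, since an embedded script is a new file that a hash-only check would miss.

```python
import hashlib
import os
import tempfile

# Assumption: extensions an engine would load as code or resources.
LOADABLE = {".rpy", ".rpyc", ".rpa", ".py"}

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_resources(root, manifest):
    """Compare files under root with a trusted manifest {relative_path: sha256}.

    Returns (modified, missing, unexpected) as sorted lists of relative paths.
    """
    seen = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in LOADABLE:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                seen[rel] = sha256_file(full)
    modified = sorted(p for p in seen if p in manifest and seen[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in seen)
    unexpected = sorted(p for p in seen if p not in manifest)
    return modified, missing, unexpected

def demo():
    """Constructed sample tree: one altered script and one added script."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "game"))
        def write(rel, data):
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        write("game/script.rpy", b"label start:\n    return\n")
        write("game/options.rpy", b"define config.name = 'Demo'\n")
        manifest = {p: sha256_file(os.path.join(root, p))
                    for p in ("game/script.rpy", "game/options.rpy")}
        manifest["game/images.rpa"] = "0" * 64  # listed in manifest but absent on disk
        write("game/script.rpy", b"label start:\n    $ tampered = True\n    return\n")
        write("game/extra.py", b"# not shipped by the publisher\n")
        return audit_resources(root, manifest)

if __name__ == "__main__":
    print(demo())
```

Any entry in the unexpected list deserves the same scrutiny as a hash mismatch, and the manifest itself has to come from a source the installer could not have altered.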
Detection and prevention
Kaspersky said its security solutions detect RenEngine as Trojan.Python.Agent.nb and HEUR:Trojan.Python.Agent.gen. HijackLoader is identified as Trojan.Win32.Penguish and Trojan.Win32.DllHijacker within its systems.
The company advised users to download games and software only from official sources, noting that pirated content remains a common method for malware distribution. It also recommended keeping operating systems and applications updated and using reliable security software to detect suspicious activity.
Cybersecurity experts continue to warn that free versions of paid software offered through unofficial channels may carry hidden risks, including data theft and system compromise.
