Kaspersky identifies RenEngine loader distributed through pirated games and software

Kaspersky Threat Research has revealed its analysis of RenEngine, a malware loader that has recently gained public attention. Kaspersky identified RenEngine samples as early as March 2025, with its solutions already protecting users from the threat at that time. 

Beyond the cracked games highlighted in recent reports, Kaspersky researchers discovered that attackers created dozens of websites distributing RenEngine through pirated software, including graphics editors like CorelDRAW. This expands the known attack surface beyond the gaming community to anyone seeking unlicensed software.

Kaspersky has recorded incidents in Russia, Brazil, Turkey, Spain and Germany, among other countries. The distribution pattern indicates opportunistic attacks rather than targeted operations.

When Kaspersky first identified RenEngine, the loader was delivering the Lumma stealer. Current attacks distribute ACR Stealer as the final payload, and Vidar stealer has also been observed in some infection chains.

The campaign exploits modified versions of games built on the Ren'Py visual novel engine. When users launch infected installers, a fake loading screen appears while malicious scripts execute in the background. The scripts include sandbox detection capabilities and decrypt a payload that initiates a multi-stage infection chain using HijackLoader, a modular malware delivery tool.

"This threat extends beyond pirated games — attackers are using the same technique to distribute malware through cracked productivity software, which broadens the potential victim pool significantly," said Pavel Sinenko, lead malware analyst at Kaspersky Threat Research. "Game archive formats vary by engine and title. If an engine doesn't check the integrity of its resources, attackers can embed malware that executes the moment you click play."

Kaspersky solutions detect RenEngine as Trojan.Python.Agent.nb and HEUR:Trojan.Python.Agent.gen. HijackLoader is detected as Trojan.Win32.Penguish and Trojan.Win32.DllHijacker.

To stay protected, Kaspersky recommends:

•    Download games and software only from official sources. Pirated content remains one of the most common malware delivery methods.

•    Use a reliable security solution. Kaspersky Premium protects against threats like RenEngine through its Behavior Detection component, which identifies malicious activity even when malware is disguised as legitimate software.

•    Keep your operating system and applications updated to ensure known vulnerabilities are patched.

•    Be skeptical of "free" offers. If a paid game or software is available for free download on an unofficial site, the cost is likely your security.