Kaspersky Threat Research has revealed its analysis of RenEngine, a malware loader that has recently gained public attention.
Kaspersky identified RenEngine samples as early as March 2025, with its solutions already protecting users from the threat at that time.
Beyond the cracked games highlighted in recent reports, Kaspersky researchers discovered that attackers created dozens of websites distributing RenEngine through pirated software, including graphics editors.
This expands the known attack surface beyond the gaming community to anyone seeking unlicensed software.
Kaspersky has recorded incidents in Russia, Brazil, Turkey, Spain and Germany, among other countries. The distribution pattern indicates opportunistic attacks rather than targeted operations.
When Kaspersky first identified RenEngine, the loader was delivering the Lumma stealer. Current attacks distribute ACR Stealer as the final payload, and Vidar stealer has also been observed in some infection chains.
The campaign exploits modified versions of games built on the Ren’Py visual novel engine. When users launch infected installers, a fake loading screen appears while malicious scripts execute in the background. The scripts include sandbox detection capabilities and decrypt a payload that initiates a multi-stage infection chain using HijackLoader, a modular malware delivery tool.
“This threat extends beyond pirated games — attackers are using the same technique to distribute malware through cracked productivity software, which broadens the potential victim pool significantly,” says Pavel Sinenko, lead malware analyst at Kaspersky Threat Research.
“Game archive formats vary by engine and title. If an engine doesn’t check the integrity of its resources, attackers can embed malware that executes the moment you click play.”