The surge in AI-driven phishing attacks and the use of QR codes for malicious purposes have marked 2025 as a challenging year for cybersecurity experts. Cybercriminals are increasingly exploiting pirated software to distribute malware, capitalizing on users’ desire for free premium content.
Exploiting Pirated Software
Cyber attackers have refined their tactics by embedding sophisticated loaders within modified game launchers, bypassing initial user suspicion. This approach allows them to execute complex infection processes without alerting victims. The Ren’Py visual novel engine structure is often leveraged, making malicious files appear as legitimate game components.
Users attempting to download these compromised files are redirected through multiple sites, eventually reaching a hosting service. Once executed, the malware masks its activity behind a typical loading screen, deceiving the user while it operates.
Emergence of the RenEngine Malware
Securelist analysts have identified a new malware family, RenEngine, circulating since March 2025. Initially used to distribute the Lumma stealer, recent updates now include the ACR Stealer, showcasing the attackers’ adaptability. These tools are designed to extract sensitive information such as passwords and cryptocurrency wallets.
The campaign has had a significant impact globally, notably in Russia, Brazil, and Spain. The modular nature of the loader complicates detection, posing a substantial challenge for standard security systems.
Advanced Evasion Techniques
RenEngine employs advanced tactics to evade detection, starting with Python scripts that mimic game loading processes while conducting environment checks. The scripts use the is_sandboxed function to identify security research environments. If deemed safe, the malware unpacks its payload using xor_decrypt_file from an encrypted archive.
Following decryption, the malware uses DLL hijacking to load the HijackLoader module. By overwriting legitimate system libraries, attackers inject harmful code into trusted processes, ensuring persistent and covert operation on infected devices.
This sophisticated approach underscores the evolving threat landscape and emphasizes the need for robust cybersecurity measures. As these threats continue to develop, staying informed and implementing comprehensive security practices is imperative for individuals and organizations alike.
