Cracked game installers are once again a favoured vehicle for delivering malware, and a recent campaign adds a new layer of complexity: the RenEngine loader, concealed within a Ren’Py game launcher, is being used to steal user credentials. It ships in game repacks and mods and lets the game run normally while discreetly setting up the subsequent attack stages.
Global Reach and Impact
Since its emergence in April 2025, the RenEngine campaign has reportedly affected approximately 400,000 users globally. Researchers have documented about 5,000 new infections daily, with significant impacts observed in countries like India, the United States, and Brazil. This widespread reach underscores the challenge of tackling such threats, as they exploit social trust within piracy communities rather than relying on software vulnerabilities.
Technical Insights and Dual-Loader Strategy
Cyderes researchers identified the threat while analyzing a Ren’Py-based launcher embedded with malicious logic. They also examined a new variant of HijackLoader, which includes enhanced anti-analysis modules designed to evade detection by checking for GPUs, hypervisors, and VM-linked MAC addresses. This dual-loader arrangement allows for rapid payload swapping as security measures evolve.
The attack begins when a user runs a pirated installer. RenEngine then decrypts and initiates a second stage, leading to the deployment of HijackLoader via DLL side-loading. The final payload, known as ACR Stealer, is designed to capture browser passwords, cookies, cryptocurrency wallet information, and system details, which are then transferred to the attackers’ servers. Other stealers, like Vidar, have also been delivered through this chain.
Infection Mechanism and Defensive Measures
The infection process starts in the game folder, where a legitimate Ren’Py launcher is repurposed to execute a compiled script packed inside the game’s archive.rpa file. Shipping only compiled .rpyc bytecode and omitting the plain-text .rpy source leaves scanners less readable script to inspect. RenEngine then decodes and decrypts embedded files to run additional executables, checking the environment first so that it does not execute inside a virtual machine.
Defensively, treat piracy-related installers and mods as high-risk and restrict their use. Monitoring for Ren’Py launchers that unpack RPA content, for aggressive VM checks, and for suspicious DLL side-loading helps catch this chain before credentials are stolen.
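The two paragraphs above describe what a responder actually has in hand: an archive.rpa from a suspect game folder. The script below is an added example, not code from the article or from Cyderes, showing how to parse that archive and apply the indicators the text names (compiled .rpyc scripts shipped without their .rpy source, embedded executables, and opaque encrypted blobs). It assumes the RPA-3.0 layout implemented by Ren’Py’s own loader: a header line `RPA-3.0 <index offset, 16 hex> <key, 8 hex>`, the member bodies, then a zlib-compressed pickled index `{name: [(offset, length), ...]}` whose offsets and lengths are XORed with the key. The sample archives, the 0x42424242 key (Ren’Py’s default) and the triage thresholds are constructed for this example.

```python
"""Triage of Ren'Py RPA-3.0 archives (added example; assumes the layout
written by Ren'Py's own archiver, sample data and heuristics constructed here)."""
import hashlib
import io
import math
import pickle
import zlib
from collections import Counter

KEY = 0x42424242  # default obfuscation key used by Ren'Py's archiver (assumption)
HEADER_LEN = len(b"RPA-3.0 0000000000000000 00000000\n")
# Extensions a Ren'Py game normally ships; anything else gets an entropy check.
KNOWN_EXT = (".rpy", ".rpyc", ".png", ".jpg", ".webp", ".ogg", ".mp3", ".ttf", ".txt")
EXEC_EXT = (".exe", ".dll", ".pyd", ".bat", ".ps1", ".vbs")
ENTROPY_LIMIT = 7.5  # bits per byte; encrypted or compressed blobs sit near 8.0


class _IndexUnpickler(pickle.Unpickler):
    """The index is only dicts, lists, tuples, ints and strings, so refuse every
    global: a hostile archive cannot run code while we load its index."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"forbidden global in RPA index: {module}.{name}")


def build_rpa(files: dict, key: int = KEY) -> bytes:
    """Write a minimal RPA-3.0 archive (used here to construct sample input)."""
    buf = io.BytesIO(b"\0" * HEADER_LEN)
    buf.seek(HEADER_LEN)
    index = {}
    for name, data in files.items():
        offset = buf.tell()
        buf.write(data)
        index[name] = [(offset ^ key, len(data) ^ key)]
    index_offset = buf.tell()
    buf.write(zlib.compress(pickle.dumps(index, protocol=2)))
    buf.seek(0)
    buf.write(b"RPA-3.0 %016x %08x\n" % (index_offset, key))
    return buf.getvalue()


def read_index(blob: bytes) -> dict:
    """Parse the header, load the index without executing pickle globals, and
    undo the XOR obfuscation on each (offset, length) pair."""
    header = blob[:HEADER_LEN]
    if not header.startswith(b"RPA-3.0 "):
        raise ValueError("not an RPA-3.0 archive")
    _, off_hex, key_hex = header.split()
    index_offset, key = int(off_hex, 16), int(key_hex, 16)
    raw = zlib.decompress(blob[index_offset:])
    index = _IndexUnpickler(io.BytesIO(raw)).load()
    # Entries are (offset, length) or (offset, length, prefix); only the first
    # two fields are obfuscated.
    return {name: [(e[0] ^ key, e[1] ^ key) for e in entries]
            for name, entries in index.items()}


def extract(blob: bytes, index: dict, name: str) -> bytes:
    offset, length = index[name][0]
    return blob[offset:offset + length]


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(blob: bytes) -> list:
    """Return sorted (finding, member) pairs for: compiled scripts without
    source, embedded executables, and high-entropy blobs under non-asset names."""
    index = read_index(blob)
    names = set(index)
    findings = []
    for name in names:
        low = name.lower()
        if low.endswith(".rpyc") and name[:-1] not in names:
            findings.append(("rpyc-without-source", name))
        if low.endswith(EXEC_EXT):
            findings.append(("embedded-executable", name))
        if not low.endswith(KNOWN_EXT) and \
                shannon_entropy(extract(blob, index, name)) > ENTROPY_LIMIT:
            findings.append(("high-entropy-blob", name))
    return sorted(findings)


# Constructed samples: a plausible clean game archive and one carrying the
# pattern described in the article (no real game or malware data).
CLEAN = build_rpa({
    "script.rpy": b"label start:\n    \"Hello\"\n    return\n",
    "script.rpyc": b"RENPY RPC2" + b"\x00" * 40,
    "images/bg.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,
})
_opaque = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
SUSPICIOUS = build_rpa({
    "script.rpyc": b"RENPY RPC2" + b"\x00" * 40,
    "cache/stage2.dat": _opaque,          # stands in for an encrypted second stage
    "lib/helper.dll": b"MZ" + b"\x00" * 100,
})

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("suspicious", SUSPICIOUS)):
        print(label, triage(blob) or "no findings")
```

The restricted unpickler is the design point worth copying: Ren’Py stores its index as a pickle, and triage tooling is by definition run against attacker-controlled files, so the loader must not be able to resolve any global. The three heuristics are starting points rather than a verdict; legitimate games do sometimes ship .rpyc-only scripts, so an "rpyc-without-source" hit should raise priority for a closer look, not trigger blocking on its own.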