Security analysts from Howler Cell have documented a large-scale malware distribution campaign that weaponizes pirated games and cracked commercial software. At the core of this operation is a new loader dubbed RenEngine, embedded into modified launchers for games built on the Ren’Py engine. According to telemetry from Kaspersky, the first samples in this infection chain appeared in March 2025, ultimately delivering the well-known information stealers Lumma, ACR Stealer and Vidar.
Pirated PC games as the primary RenEngine infection vector
The RenEngine campaign exploits a common user behavior: downloading “free” games and software from unofficial sources. A typical scenario begins when a user visits a popular gaming portal or a site posing as a crack repository, clicks a familiar “Download” button and is redirected through several intermediary pages to the Mega file-sharing service.
The victim then receives an archive that allegedly contains a game repack or a cracked version of a paid application (for example, a graphics editor). After extracting the archive and launching the “game,” the user sees a loading screen stuck at 100%. This appears to be a glitch, but in reality, it is the moment when the malicious execution chain is triggered.
Behind the scenes, Python scripts simulate the game interface, attempt to evade simple sandbox checks and simultaneously decrypt and deploy the malware components in the background.
Technical analysis of the RenEngine and HijackLoader infection chain
Abusing Ren’Py launchers, DLL hijacking and Ahnenblatt
The scripts unpack a ZIP archive into a temporary directory (typically .temp), dropping five files. Among them are the legitimate executable Ahnenblatt4.exe (a genealogy application), several dynamic link libraries (DLLs) and a modified cc32290mt.dll. The operation relies on DLL hijacking: when Ahnenblatt4.exe starts, it automatically loads the tampered DLL, which takes control and initiates the first attack stage – the modular loader HijackLoader.
HijackLoader, first thoroughly described by researchers in 2023, decrypts shellcode from the file gayal.asp and patches the system library dbghelp.dll directly in memory. This “in-memory patching” technique lets attackers alter code without writing a detectable malicious file to disk, significantly complicating traditional antivirus detection.
In-memory patching and multi-stage payload delivery
Next, HijackLoader spawns an intermediate cmd.exe process in a suspended state and injects the modified dbghelp.dll code into it. The following stage is fetched from hap.eml, which is used to overwrite the code section of another Windows library, pla.dll, and transfer execution there. This multi-stage architecture fragments functionality across several components, making forensic analysis and behavior correlation more difficult.
The final payload – Lumma, ACR Stealer or Vidar – is delivered into a child explorer.exe process using the Windows Transactional NTFS (TxF) API. The data is supplied in fragments and in a scrambled order relative to the original file. Once the payload is reconstructed in the process address space, the transaction is rolled back and the temporary file is removed, leaving no conventional file artifact on disk.
The stealer is then injected into the trusted explorer.exe process via shared memory. Masquerading as a legitimate system process reduces the likelihood of detection by security tools that rely on basic process whitelisting, or by user vigilance.
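As an added example (not code from the report, Howler Cell or Kaspersky), the Python below correlates constructed Sysmon-style events to flag the two behaviours the chain above exhibits: an executable running from the .temp drop directory loading a non-system DLL from its own directory (the Ahnenblatt4.exe / cc32290mt.dll hijack), and explorer.exe spawned by a cmd.exe that was itself started from .temp. The event field names, PIDs and paths are assumptions modelled loosely on Sysmon Event IDs 1 and 7.

```python
import ntpath
import re

# Ren'Py drop directory named in the analysis; system DLL locations to ignore.
TEMP_DIR = re.compile(r"\\\.temp\\", re.IGNORECASE)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Constructed Sysmon-style telemetry: id 1 = ProcessCreate, id 7 = ImageLoad.
EVENTS = [
    {"id": 1, "pid": 1100, "ppid": 900, "image": r"C:\Games\Game\.temp\Ahnenblatt4.exe",
     "parent": r"C:\Games\Game\lib\python.exe"},
    {"id": 7, "pid": 1100, "image": r"C:\Games\Game\.temp\Ahnenblatt4.exe",
     "loaded": r"C:\Games\Game\.temp\cc32290mt.dll"},
    {"id": 7, "pid": 1100, "image": r"C:\Games\Game\.temp\Ahnenblatt4.exe",
     "loaded": r"C:\Windows\System32\dbghelp.dll"},
    {"id": 1, "pid": 1200, "ppid": 1100, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Games\Game\.temp\Ahnenblatt4.exe"},
    {"id": 1, "pid": 1300, "ppid": 1200, "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\cmd.exe"},
    # Benign noise: explorer.exe started by userinit, cmd.exe started by explorer.
    {"id": 1, "pid": 2000, "ppid": 500, "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe"},
    {"id": 1, "pid": 2100, "ppid": 2000, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe"},
]

def temp_sideloads(events):
    """Rule 1: an EXE running from .temp loads a non-system DLL that sits in
    its own directory (the Ahnenblatt4.exe / cc32290mt.dll hijack pattern)."""
    hits = []
    for e in events:
        if e["id"] != 7 or not TEMP_DIR.search(e["image"]):
            continue
        dll = e["loaded"].lower()
        if not dll.startswith(SYSTEM_DIRS) and ntpath.dirname(dll) == ntpath.dirname(e["image"].lower()):
            hits.append((e["pid"], ntpath.basename(e["loaded"])))
    return hits

def suspicious_chains(events):
    """Rule 2: explorer.exe whose parent is cmd.exe, itself started by a .temp
    EXE; a normal explorer.exe is started by userinit/winlogon, not by cmd.exe."""
    by_pid = {e["pid"]: e for e in events if e["id"] == 1}
    hits = []
    for e in by_pid.values():
        cmd = by_pid.get(e["ppid"])
        if (ntpath.basename(e["image"]).lower() == "explorer.exe" and cmd
                and ntpath.basename(cmd["image"]).lower() == "cmd.exe"
                and TEMP_DIR.search(cmd["parent"])):
            hits.append(e["pid"])
    return hits
```

Run against real Sysmon exports, the two rules are cheap first-pass filters; the benign events in the sample show that a normally launched explorer.exe and a user-opened cmd.exe do not trigger them.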
Stolen data, victim geography and criminal monetization
The primary objective of this campaign is theft of sensitive data at scale. Lumma, ACR Stealer and Vidar specialize in collecting browser credentials, cookies, crypto-wallet data, authentication tokens, saved passwords and other confidential information from infected systems.
These data sets – often sold as “logs” on underground markets – are used for account takeover, cryptocurrency theft, targeted phishing and further lateral attacks. According to Kaspersky’s telemetry, RenEngine infections have been observed most frequently in Russia, Brazil, Turkey, Spain and Germany. The campaign is opportunistic rather than targeted: any user actively seeking pirated games, cracked editors or key generators can become a victim.
Why game archives are an ideal cover for modern malware
Researchers highlight that game archive formats are rarely standardized and are often unique to a specific game or engine. This lack of standardization makes it difficult to implement universal automated scanning or integrity checks for such archives.
If a game engine – such as Ren’Py in this case – does not enforce strict integrity validation for its executable resources and scripts, any modified archive can be turned into a convenient container for hidden malware. Cybercriminals exploit this by cloning popular game pages, spinning up look-alike crack portals and creating dozens of short-lived “mirror” sites that all funnel users to poisoned downloads.
Reducing the risk of compromise in such scenarios is straightforward in principle but challenging in practice given user habits. Effective measures include avoiding pirated games and cracked software, relying on official stores and vendor websites, running up-to-date endpoint protection (antivirus or EDR) and regularly patching the operating system. Additional safeguards, such as blocking execution from temporary folders and archives, and paying attention to anomalies like endless loading screens or unexpected process restarts, further narrow the attack surface. The fewer “free” unofficial sources users depend on, the lower the chance of encountering complex infection chains like RenEngine.