RenEngine Loader Deploys Stealthy Multi-Stage Execution to Bypass Security Measures

The Howler Cell Threat Research Team identified the malware family, dubbed RenEngine Loader, after discovering malicious logic embedded within what appears to be a legitimate Ren’Py-based game launcher.

Active since April 2025, the operation has already compromised over 400,000 victims globally, with a localized focus on India, the United States, and Brazil.

The campaign currently infects approximately 5,000 new machines daily by hiding malicious code within pirated versions of popular games like Far Cry, FIFA, and Assassin’s Creed.

The attack begins when users download “cracked” games or mods from piracy websites. The threat actors have developed a novel malware family dubbed RenEngine Loader.

Daily user traffic from Oct. 14, 2025 to Jan. 5, 2026 by telemetry (Source : Howler Cell).

Instead of using a standard executable, the attackers hide their malicious logic inside a legitimate game launcher based on the Ren’Py visual novel engine.

The Howler Cell Threat Research Team has uncovered an active and highly advanced stealer campaign that has been operating since at least April 2025 and remains ongoing.

The malware is embedded within a Ren’Py archive file (archive.rpa). When the user launches the game (Instaler.exe), the legitimate engine unwittingly executes a compiled Python script (script.rpyc) hidden inside the archive.
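For triage, a defender wants to see what an archive.rpa contains (and whether it carries a script.rpyc) without letting the engine run it. The following is an added example, not Howler Cell's or Ren'Py's code: it parses the public RPA-3.0 layout, builds its own constructed sample archive, and restricts the pickle deserialization of the index because the archive is untrusted input.

```python
"""Triage helper for Ren'Py RPA-3.0 archives: list stored files and flag compiled scripts
without launching the engine. Added example; build_sample_rpa() produces constructed test data."""
import io, pickle, zlib

HEADER_LEN = 34  # b"RPA-3.0 " + 16 hex index offset + b" " + 8 hex XOR key + b"\n"


class _IndexUnpickler(pickle.Unpickler):
    """The RPA index is a pickle, and pickle.loads() on an attacker-made archive could run
    code. Protocol-2 pickles spell bytes as _codecs.encode(...) or bytes(); allow only those."""

    def find_class(self, module, name):
        if name in ("encode", "bytes") and module in ("_codecs", "builtins", "__builtin__"):
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing global {module}.{name}")


def list_rpa(blob: bytes) -> dict:
    """Return {archive_path: file_size} for an RPA-3.0 archive held in memory."""
    header = blob[:HEADER_LEN]
    if not header.startswith(b"RPA-3.0 "):
        raise ValueError("not an RPA-3.0 archive")
    _, off_hex, key_hex = header.split()
    index_off, key = int(off_hex, 16), int(key_hex, 16)
    index = _IndexUnpickler(io.BytesIO(zlib.decompress(blob[index_off:]))).load()
    entries = {}
    for name, segments in index.items():
        total = 0
        for seg in segments:
            # offset and length are XOR-obfuscated with the header key; an optional third
            # element is a prefix that the engine prepends to the bytes stored at the offset
            seg_off, seg_len = seg[0] ^ key, seg[1] ^ key
            if seg_off < HEADER_LEN or seg_off + seg_len > index_off:
                raise ValueError(f"{name}: segment points outside the data area")
            total += seg_len + (len(seg[2]) if len(seg) > 2 else 0)
        entries[name] = total
    return entries


def compiled_scripts(entries: dict) -> list:
    """The engine executes .rpyc files at launch, so these are the entries to inspect first."""
    return sorted(n for n in entries if n.endswith(".rpyc"))


def build_sample_rpa(files: dict, key: int = 0xDEADBEEF, prefix_len: int = 2) -> bytes:
    """Constructed test data: a minimal RPA-3.0 archive that uses the optional prefix field."""
    body, index, pos = bytearray(), {}, HEADER_LEN
    for name, content in files.items():
        prefix, rest = content[:prefix_len], content[prefix_len:]
        index[name] = [(pos ^ key, len(rest) ^ key, prefix)]
        body += rest
        pos += len(rest)
    return b"RPA-3.0 %016x %08x\n" % (pos, key) + bytes(body) + zlib.compress(pickle.dumps(index, 2))
```

Run `compiled_scripts(list_rpa(open("archive.rpa", "rb").read()))` against a suspect game directory to get the list of embedded compiled scripts for analysis.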

Multi-Stage Execution

This “living off the land” technique allows the malware to masquerade as normal application behavior, significantly reducing detection rates by traditional antivirus solutions.

Stage 1: RenEngine Loader and Sandbox Evasion

Once active, RenEngine Loader performs a rigorous “sandbox check” to determine if it is running on a real victim’s machine or in a security researcher’s lab. It calculates a score based on system attributes, including:

  • RAM and Disk Size: Checks for realistic hardware specs (e.g., >4GB RAM).
  • Mouse Activity: Verifies user interaction.
  • Virtualization Artifacts: Scans for drivers or registry keys associated with VMware, VirtualBox, or QEMU.

Attack overview (Source : Howler Cell).

If the system score is too low (indicating a likely sandbox), the malware terminates silently. If the environment is deemed safe, it decodes the next stage, which is Base64-encoded and XOR-obfuscated.

Stage 2: The Evolved HijackLoader

RenEngine hands execution over to a new, highly modular variant of HijackLoader. This stage utilizes advanced evasion techniques, including DLL side-loading and module stomping, to blend into trusted system processes.

This variant is equipped with 38 distinct modules, including new capabilities explicitly designed to detect GPU virtualization (ANTIVMGPU) and hypervisor-specific traits. In its final step, HijackLoader uses Process Doppelgänging, a sophisticated code injection technique, to hollow out legitimate processes and inject the final payload.

Final Payload: ACR Stealer

Clicking the Download Setup button on the piracy page redirects to a MediaFire download page hosting the ZIP of the pirated setup (which contains RenEngine Loader), completing the initial payload drop chain.

Initial payload drop chain (Source : Howler Cell).

The ultimate goal of this complex chain is the deployment of ACR Stealer (though variants like Vidar and Rhadamanthys have also been observed). This information stealer exfiltrates sensitive data to attacker-controlled servers, including:

  • Browser passwords and cookies.
  • Cryptocurrency wallet data.
  • System information and clipboard contents.

This campaign represents a significant evolution in malware delivery. By combining the abuse of legitimate gaming engines with a multi-stage, modular loader capable of rigorous environment checking, threat actors have created a persistent and stealthy infection chain that effectively bypasses modern security controls.

Mayura Kathir
Mayura Kathir is a cybersecurity reporter at GBHackers News, covering daily incidents including data breaches, malware attacks, cybercrime, vulnerabilities, zero-day exploits, and more.