Kaspersky flags RenEngine malware spreading through cracked games and software

ISLAMABAD: Cybersecurity firm Kaspersky has identified a malware distribution campaign known as RenEngine that spreads through pirated games and unlicensed software, potentially exposing users to data theft and financial fraud.

Kaspersky Threat Research said it first detected RenEngine samples in March 2025. The loader has since been linked to multiple infostealer strains, broadening the scope of affected users beyond gamers to individuals downloading cracked productivity tools.

According to the company, attackers created dozens of websites offering infected installers for pirated applications, including graphics editing software such as CorelDRAW. The distribution pattern suggests opportunistic targeting across multiple countries rather than a specific geographic focus.

Initially, RenEngine was observed delivering Lumma stealer. More recent infection chains have deployed ACR Stealer, while Vidar stealer has also appeared in certain cases.

Infostealers are designed to extract sensitive information from compromised systems. This can include passwords, credit card details, cryptocurrency wallet credentials and email logins, which may be used for identity theft or sold on underground marketplaces.

Infection technique

Kaspersky researchers said the campaign exploits modified games built on the Ren’Py visual novel engine. When users launch infected files, a fake loading screen appears while malicious scripts execute in the background.

The malware incorporates sandbox detection mechanisms and decrypts additional payloads, initiating a multi-stage infection process through HijackLoader, a modular malware delivery tool.

Kaspersky advised users to obtain software only from official sources and to keep security systems updated to reduce exposure to such threats.
