Cracked game installers are again being used as a delivery channel for credential theft, but the latest wave adds an unusual twist: the malicious code hides behind a Ren’Py game launcher.
The loader, now tracked as RenEngine, arrives bundled with game repacks and mods that look normal and even run as expected, while quietly preparing the next stage of the attack chain.
The campaign has been active since at least April 2025 and remains ongoing, reaching an estimated 400,000 victims worldwide.
Telemetry reviewed by the researchers suggests about 5,000 new hits per day, with the highest concentrations in India, the United States, and Brazil.
This scale matters because the initial lure relies on social trust inside piracy communities rather than a software vulnerability, making it hard to stop with patching alone.
Cyderes researchers noted the malware after spotting malicious logic embedded in what looked like a legitimate Ren’Py-based launcher.
In the same intrusions they also analyzed a fresh HijackLoader variant that adds anti-analysis modules, including checks for GPU names, hypervisor names, and MAC addresses tied to virtual NICs.
Together, RenEngine and HijackLoader form a dual-loader setup that helps the operators swap payloads quickly as defenses change.
A typical run starts when the user executes the pirated installer; RenEngine then decrypts and launches the second stage.
HijackLoader is then introduced through DLL side-loading and module stomping, and the final payload observed in this chain is ACR Stealer.
ACR Stealer is built to collect browser passwords and cookies, crypto wallet data, and other system details, then send it to attacker infrastructure. Some chains have also delivered other stealers, such as Vidar.
Infection mechanism inside Ren’Py
Infection begins in the game folder: Instaler.exe is a genuine Ren'Py launcher, but the build abuses it to run a compiled script packed in archive.rpa.
The build ships only the compiled .rpyc scripts and strips the plain-text .rpy sources, so anyone inspecting or scanning the folder sees bytecode rather than readable script.
Next, RenEngine reads a local .key file, Base64-decodes it into JSON, and uses the password value from that JSON as the XOR key to decrypt an embedded archive, then runs the next executable.
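The staging step is simple enough to model end to end, which helps when deciding whether a .key file and an encrypted blob found on a host belong to this chain. The script below is an added example, not RenEngine's own code: it produces and decodes the Base64-wrapped JSON .key file, decrypts the embedded blob, and, for the case where the .key file has already been deleted, recovers the leading key bytes from known plaintext. The JSON field name "password" comes from the write-up; the assumptions made here are that the XOR is a plain repeating-key XOR, that the key is the UTF-8 bytes of the password, and that the decrypted stage begins with a PE "MZ" header. All sample bytes are constructed.

```python
"""Model of the .key / XOR staging step described above.

Added example, not RenEngine's own code. Assumptions: repeating-key XOR, key is
the UTF-8 password, decrypted stage starts with "MZ". Sample bytes are constructed.
"""
import base64
import json
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    if not key:
        raise ValueError("empty XOR key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def make_key_file(password: str) -> bytes:
    """Produce the on-disk .key form: Base64 wrapping a JSON object."""
    return base64.b64encode(json.dumps({"password": password}).encode())


def read_password(key_blob: bytes) -> str:
    """Decode a .key file the way the loader would; reject anything malformed."""
    try:
        meta = json.loads(base64.b64decode(key_blob, validate=True))
    except ValueError as exc:  # covers bad Base64, bad UTF-8 and bad JSON
        raise ValueError(f"unreadable .key file: {exc}") from exc
    password = meta.get("password") if isinstance(meta, dict) else None
    if not isinstance(password, str) or not password:
        raise ValueError(".key file carries no password value")
    return password


def recover_stage(key_blob: bytes, encrypted: bytes, expected_magic: bytes = b"MZ") -> bytes:
    """Decrypt the embedded blob and check its magic before anything treats it as a PE."""
    stage = xor_bytes(encrypted, read_password(key_blob).encode())
    if not stage.startswith(expected_magic):
        raise ValueError("decrypted blob does not start with the expected magic; wrong key?")
    return stage


def key_from_known_plaintext(encrypted: bytes, known_prefix: bytes) -> bytes:
    """Analyst fallback when the .key file is gone: XOR leaks the key wherever the
    plaintext is known, so the first len(known_prefix) key bytes fall straight
    out of the ciphertext header."""
    return xor_bytes(encrypted[: len(known_prefix)], known_prefix)


if __name__ == "__main__":
    # Constructed sample: a stand-in stage with a PE-like header, encrypted under "s3cret".
    key_file = make_key_file("s3cret")
    stage = b"MZ\x90\x00\x03\x00\x00\x00" + b"constructed stage body"
    encrypted = xor_bytes(stage, b"s3cret")
    print(recover_stage(key_file, encrypted) == stage)
    print(key_from_known_plaintext(encrypted, b"MZ\x90\x00"))  # leading key bytes
```

For triage, the useful signals are the pair of artefacts together: a small file that Base64-decodes to a JSON object with a password field, next to a blob that becomes a PE image under that password. Either alone is weak.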
When sandbox checks are enabled, the loader scores the environment and exits silently if it believes it is running in a virtual machine.
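The score-based exit described here, and the GPU, hypervisor-name and MAC checks attributed to the HijackLoader variant earlier in the article, can be reproduced for a quick look at what a sandbox has to mask. The script below is an added example, not either loader's own logic: it applies the three described checks to constructed host descriptions and shows that a partially hardened sandbox can still leak one artefact without crossing the threshold. The hypervisor vendor strings and OUIs are the publicly documented values for common hypervisors; the weights, the threshold, the host dictionary shape and the function names are assumptions for this example.

```python
"""Score a host against the VM indicators named in the write-up.

Added example, not the loaders' own code. Weights, threshold and host layout
are assumptions; vendor strings and OUIs are the publicly documented ones.
"""

# CPUID leaf 0x40000000 vendor strings published by the hypervisors themselves.
HYPERVISOR_VENDORS = {
    "VMwareVMware": "VMware",
    "VBoxVBoxVBox": "VirtualBox",
    "Microsoft Hv": "Hyper-V",
    "KVMKVMKVM": "KVM",
    "XenVMMXenVMM": "Xen",
}

# IEEE OUIs registered to hypervisor vendors and used for virtual NICs.
VM_OUIS = {
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:1c:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
    "00:15:5d": "Hyper-V",
    "00:16:3e": "Xen",
}

# Substrings of GPU/display adapter names that only virtual hardware reports.
GPU_MARKERS = ("vmware svga", "virtualbox", "vbox", "hyper-v", "qxl", "virtio")


def score_host(host: dict) -> tuple[int, list[str]]:
    """Return (score, reasons) for a host described as
    {"cpuid_vendor": str, "gpu": str, "macs": [str, ...]}."""
    score, reasons = 0, []
    vendor = host.get("cpuid_vendor", "")
    if vendor in HYPERVISOR_VENDORS:
        score += 3
        reasons.append(f"hypervisor vendor string {vendor!r} ({HYPERVISOR_VENDORS[vendor]})")
    gpu = host.get("gpu", "").lower()
    for marker in GPU_MARKERS:
        if marker in gpu:
            score += 2
            reasons.append(f"GPU name contains {marker!r}")
            break
    for mac in host.get("macs", []):
        oui = mac.lower().replace("-", ":")[:8]
        if oui in VM_OUIS:
            score += 2
            reasons.append(f"MAC {mac} has {VM_OUIS[oui]} OUI {oui}")
            break
    return score, reasons


def looks_like_vm(host: dict, threshold: int = 3) -> bool:
    """The loader's decision point: exit silently once the score reaches the threshold."""
    return score_host(host)[0] >= threshold


# Constructed host descriptions.
STOCK_VM = {"cpuid_vendor": "VMwareVMware", "gpu": "VMware SVGA 3D", "macs": ["00:0C:29:AB:CD:EF"]}
BARE_METAL = {"cpuid_vendor": "", "gpu": "NVIDIA GeForce RTX 3060", "macs": ["3C:7C:3F:11:22:33"]}
# Sandbox that masked CPUID and the GPU name but kept a VirtualBox NIC.
HALF_HARDENED = {"cpuid_vendor": "", "gpu": "NVIDIA GeForce RTX 3060", "macs": ["08:00:27:11:22:33"]}

if __name__ == "__main__":
    for name, host in [("stock VM", STOCK_VM), ("bare metal", BARE_METAL), ("half-hardened", HALF_HARDENED)]:
        print(name, score_host(host), "-> exit" if looks_like_vm(host) else "-> run")
```

The practical point for detonation is that a scoring check tolerates a single leftover artefact but not several, so a sandbox that only renames the GPU will still be spotted by the CPUID string and the NIC OUI.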
For defense, treat piracy installers and mods as high risk and block them where possible.
Watch for Ren'Py launchers unpacking RPA content, Base64/XOR staging, and aggressive VM checks, then correlate with suspicious DLL side-loading and outbound traffic consistent with credential theft across endpoints.
