Kaspersky flags RenEngine loader spread via pirated software

Editor’s note: In the ongoing battle against malware, RenEngine’s reach underscores how attackers exploit trusted software channels to broaden their victim base. Today’s briefing from Kaspersky Threat Research highlights a multi-stage infection that pivots beyond gaming into widely used cracked productivity tools. The findings emphasize the importance of verifying software sources and maintaining updated defenses across personal and corporate environments. As cyber threats increasingly blend with legitimate workflows, readers should review security practices, stay vigilant about unofficial installers, and consider how threat actors opportunistically adapt to new distribution methods. This update offers context for executives, IT teams, and security professionals navigating a rapidly evolving threat landscape.

Key points

• RenEngine loader is distributed via dozens of pirated software sites, not just cracked games.
• Final payloads include Lumma, ACR Stealer, and Vidar in various infection chains.
• The distribution pattern is opportunistic and regional rather than targeted.
• The campaign uses Ren’Py-based game installers with fake loading screens to deploy malware

Why this matters

The expansion from gaming to cracked productivity software widens the potential victim pool and raises risk for individuals and organizations. Attackers use multi-stage delivery, anti-analysis checks, and broad distribution to bypass defenses. Organizations should reinforce software provenance checks, user education, and behavior-based detection to identify malicious activity masquerading as legitimate software.

What to watch next

• Watch for new distribution sites or bundles carrying RenEngine via cracked software.
• Monitor for updates from security vendors on HijackLoader-based campaigns across multiple payloads.
• Track any new payload families linked to RenEngine or related loaders.

Disclosure: The content below is a press release provided by the company/PR representative. It is published for informational purposes.

Kaspersky identifies RenEngine loader distributed through pirated games and software

Kaspersky identifies RenEngine loader distributed through pirated games and software

February 23, 2026

Kaspersky Threat Research has revealed its analysis of RenEngine, a malware loader that has recently gained public attention. Kaspersky identified RenEngine samples as early as March 2025, with its solutions already protecting users from the threat at that time.

Beyond the cracked games highlighted in recent reports, Kaspersky researchers discovered that attackers created dozens of websites distributing RenEngine through pirated software, including graphics editors like CorelDRAW. This expands the known attack surface beyond the gaming community to anyone seeking unlicensed software.

Kaspersky has recorded incidents in Russia, Brazil, Turkey, Spain and Germany, among other countries. The distribution pattern indicates opportunistic attacks rather than targeted operations.

When Kaspersky first identified RenEngine, the loader was delivering the Lumma stealer. Current attacks distribute ACR Stealer as the final payload, and Vidar stealer has also been observed in some infection chains.

The campaign exploits modified versions of games built on the Ren’Py visual novel engine. When users launch infected installers, a fake loading screen appears while malicious scripts execute in the background. The scripts include sandbox detection capabilities and decrypt a payload that initiates a multi-stage infection chain using HijackLoader, a modular malware delivery tool.

“This threat extends beyond pirated games — attackers are using the same technique to distribute malware through cracked productivity software, which broadens the potential victim pool significantly.”

— Pavel Sinenko, lead malware analyst at Kaspersky Threat Research

“Game archive formats vary by engine and title. If an engine doesn’t check the integrity of its resources, attackers can embed malware that executes the moment you click play.”

Kaspersky solutions detect RenEngine as Trojan.Python.Agent.nb and HEUR:Trojan.Python.Agent.gen. HijackLoader is detected as Trojan.Win32.Penguish and Trojan.Win32.DllHijacker.

To stay protected, Kaspersky recommends:

• Download games and software only from official sources. Pirated content remains one of the most common malware delivery methods.
• Use a reliable security solution. Kaspersky Premium protects against threats like RenEngine through its Behavior Detection component, which identifies malicious activity even when malware is disguised as legitimate software.
• Keep your operating system and applications updated to ensure known vulnerabilities are patched.
• Be skeptical of “free” offers. If a paid game or software is available for free download on an unofficial site, the cost is likely your security.

About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. With over a billion devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect individuals, businesses, critical infrastructure, and governments around the globe. The company’s comprehensive security portfolio includes leading digital life protection for personal devices, specialized security products and services for companies, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. We help millions of individuals and nearly 200,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.