Skip to main content

Kaspersky flags RenEngine loader spread via pirated software



Editor’s note: In the ongoing battle against malware, RenEngine's reach underscores how attackers exploit trusted software channels to broaden their victim base. Today's briefing from Kaspersky Threat Research highlights a multi-stage infection that pivots beyond gaming into widely used cracked productivity tools. The findings emphasize the importance of verifying software sources and maintaining updated defenses across personal and corporate environments. As cyber threats increasingly blend with legitimate workflows, readers should review security practices, stay vigilant about unofficial installers, and consider how threat actors opportunistically adapt to new distribution methods. This update offers context for executives, IT teams, and security professionals navigating a rapidly evolving threat landscape.

Key points



  • RenEngine loader is distributed via dozens of pirated software sites, not just cracked games.

  • Final payloads include Lumma, ACR Stealer, and Vidar in various infection chains.

  • The distribution pattern is opportunistic and regional rather than targeted.

  • The campaign uses Ren'Py-based game installers with fake loading screens to deploy malware


Why this matters


The expansion from gaming to cracked productivity software widens the potential victim pool and raises risk for individuals and organizations. Attackers use multi-stage delivery, anti-analysis checks, and broad distribution to bypass defenses. Organizations should reinforce software provenance checks, user education, and behavior-based detection to identify malicious activity masquerading as legitimate software.

What to watch next



  • Watch for new distribution sites or bundles carrying RenEngine via cracked software.

  • Monitor for updates from security vendors on HijackLoader-based campaigns across multiple payloads.

  • Track any new payload families linked to RenEngine or related loaders.


Disclosure: The content below is a press release provided by the company/PR representative. It is published for informational purposes.

Kaspersky identifies RenEngine loader distributed through pirated games and software


Kaspersky identifies RenEngine loader distributed through pirated games and software

February 23, 2026

Kaspersky Threat Research has revealed its analysis of RenEngine, a malware loader that has recently gained public attention. Kaspersky identified RenEngine samples as early as March 2025, with its solutions already protecting users from the threat at that time.

Beyond the cracked games highlighted in recent reports, Kaspersky researchers discovered that attackers created dozens of websites distributing RenEngine through pirated software, including graphics editors like CorelDRAW. This expands the known attack surface beyond the gaming community to anyone seeking unlicensed software.

Kaspersky has recorded incidents in Russia, Brazil, Turkey, Spain and Germany, among other countries. The distribution pattern indicates opportunistic attacks rather than targeted operations.

When Kaspersky first identified RenEngine, the loader was delivering the Lumma stealer. Current attacks distribute ACR Stealer as the final payload, and Vidar stealer has also been observed in some infection chains.

The campaign exploits modified versions of games built on the Ren'Py visual novel engine. When users launch infected installers, a fake loading screen appears while malicious scripts execute in the background. The scripts include sandbox detection capabilities and decrypt a payload that initiates a multi-stage infection chain using HijackLoader, a modular malware delivery tool.
"This threat extends beyond pirated games — attackers are using the same technique to distribute malware through cracked productivity software, which broadens the potential victim pool significantly."

— Pavel Sinenko, lead malware analyst at Kaspersky Threat Research

"Game archive formats vary by engine and title. If an engine doesn't check the integrity of its resources, attackers can embed malware that executes the moment you click play."

Kaspersky solutions detect RenEngine as Trojan.Python.Agent.nb and HEUR:Trojan.Python.Agent.gen. HijackLoader is detected as Trojan.Win32.Penguish and Trojan.Win32.DllHijacker.

To stay protected, Kaspersky recommends:

  • Download games and software only from official sources. Pirated content remains one of the most common malware delivery methods.

  • Use a reliable security solution. Kaspersky Premium protects against threats like RenEngine through its Behavior Detection component, which identifies malicious activity even when malware is disguised as legitimate software.

  • Keep your operating system and applications updated to ensure known vulnerabilities are patched.

  • Be skeptical of "free" offers. If a paid game or software is available for free download on an unofficial site, the cost is likely your security.


About Kaspersky


Kaspersky is a global cybersecurity and digital privacy company founded in 1997. With over a billion devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect individuals, businesses, critical infrastructure, and governments around the globe. The company’s comprehensive security portfolio includes leading digital life protection for personal devices, specialized security products and services for companies, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. We help millions of individuals and nearly 200,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.

https://www.cryptobreaking.com/kaspersky-flags-renengine-loader-spread/?utm_source=blogger%20&utm_medium=social_auto&utm_campaign=Kaspersky%20flags%20RenEngine%20loader%20spread%20via%20pirated%20software%20
Labels:

Comments

Post a Comment

Popular posts from this blog

Coinbase's x402 launches AI agents app store for payments

Coinbase-backed x402 has unveiled Agentic.market, a dedicated marketplace aimed at increasing the usefulness of AI agents by aggregating thousands of apps and services that agents can access without any API keys. The rollout positions the platform as a central hub for agents to discover, evaluate, and deploy capabilities across a standardized payments layer. Coinbase product lead Nick Prince described Agentic.market in a video posted on X as a storefront for discovering, comparing, and using x402 services. The marketplace is designed to give both humans and their AI agents access to a wide range of tools—from data feeds to consumer apps—without the friction of managing API credentials. A storefront for discovering, comparing, and using x402 services. Thousands of services. Zero API keys. Powered by x402. Prince added that the market offers a web interface for humans to browse and assess services, alongside a programming layer that lets AI agents autonomously search, filter, and integra...
Post a Comment
Read more

Top Cryptocurrencies to Watch: BTC, ETH, BNB, XRP, Solana, Dogecoin & More

Market Analysis and Price Predictions for Key Cryptocurrencies Recent market dynamics reveal a cautious sentiment across the cryptocurrency landscape, with Bitcoin struggling to maintain levels above $90,000 and many major altcoins facing downward pressure. Indicators point toward reduced participation from both institutional and retail investors, raising concerns about a potential consolidation phase after notable gains earlier in the year. Bitcoin has fallen below $87,000, reflecting waning demand at higher price points. Institutional fund flows into BTC and ETH ETFs have turned negative, indicating a period of subdued market activity. Active addresses and Binance deposit/withdrawal activities are at annual lows, suggesting market indecision. Most leading altcoins are approaching support levels, with some poised for potential breakdowns. Tickers mentioned: Bitcoin, Ethereum, Binance Coin, XRP, Solana, Dogecoin, Cardano, Bitcoin Cash, Chainlink, Hyperliquid Sentiment: Neutral to Sli...
Post a Comment
Read more

Analyst: Bitcoin can reclaim $100K without a new narrative

Bitcoin has stalled below the $100,000 threshold, marking a run of almost five months without a breakout above that level. As of the latest market close, BTC hovered around $78,250 after a February nadir of about $60,000, underscoring a slow, grinding recovery amid broader market dynamics. In parallel, tech markets—especially AI-focused equities—have captured the spotlight, with investors rotating capital away from crypto in search of different risk-reward profiles. Nvidia (NVDA), the leading AI stock by market cap, has gained about 5.08% since the start of the year, while Bitcoin has faced a roughly 10% dip over the same period, illustrating a diverging performance within risk assets. MN Trading Capital founder Michael van de Poppe suggested that Bitcoin may not require a fresh narrative to push back above $100,000. In a post on X, he asked what narrative would drive BTC to the milestone and concluded that “price moves upwards, and the narrative will create itself.” He continued that ...
Post a Comment
Read more