Do Son 
The full infection chain | Image: Kaspersky Labs
A new malware campaign is turning the quest for free games into a nightmare for players. A report from Kaspersky Labs reveals a sophisticated attack where pirated versions of popular visual novels are being used to distribute a stealthy loader known as RenEngine. This malware doesn’t just crash your game; it opens the door for data thieves to loot your digital life.
The campaign targets gamers looking for “free” downloads, tricking them into installing infected versions of games built on the Ren’Py engine, a popular platform for visual novels.
The attack starts with a classic lure: a promise of a free game. Attackers have set up websites offering “cracked” or pirated versions of visual novels. When a user clicks “Download Now,” they aren’t getting the game they expect. Instead, they are redirected through a maze of malicious sites before finally downloading an infected archive.
“The website featured a game download page with two buttons: Free Download Now and Direct Download. Both buttons had the same functionality: they redirected users several times to other malicious websites,” the report explains.
Once the victim runs the game, the trap is sprung. The malware leverages a modified version of the game’s own engine to execute malicious code in the background. This loader, dubbed RenEngine, is designed to be stealthy and effective.
Kaspersky researchers note that this isn’t the first time they’ve seen this threat. “Our solutions began detecting the first samples of the RenEngine loader in March 2025, when it was used to distribute the Lumma stealer,” the report states.
While earlier versions distributed the Lumma stealer, the latest wave has shifted tactics. The current campaign is deploying ACR Stealer, a nasty piece of malware designed to harvest passwords, cookies, and crypto wallets from infected machines.
The campaign has cast a wide net, affecting users across the globe. While Russia appears to be the primary target, accounting for over 38% of infections, the malware has also hit users in Brazil (11.52%), Turkey (6.29%), and strictly monitored regions like Vietnam and China.
Related Posts:
- Your Smart TV is Watching You: New Research Reveals the Extent of ACR Tracking
- Amatera Stealer Unveiled: Rebranded ACR Stealer Now More Evasive, Targeting Your Data
- Apple Hit with Second Lawsuit Alleging AI Training Used Pirated Books from “Shadow Libraries”
- Hackers make poisoned Final Cut Pro specifically to target Mac users
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
