Attack flow | Image: ASEC
Researchers at the AhnLab Security Intelligence Center (ASEC) have uncovered a new malware campaign in which the notorious Rhadamanthys Infostealer is distributed under the guise of legitimate games built with Ren’Py, an open-source visual novel engine popular among indie developers.
According to AhnLab, “The Infostealer malware Rhadamanthys is being distributed disguised as a game created with Ren’Py,” which allows attackers to reach unsuspecting users through what appears to be harmless game files.
Ren’Py, built on Python, is widely used across platforms such as Steam, making this an ideal vehicle for threat actors to disguise malicious loaders as indie or adult games. “Because Ren’Py is open-source and can be run on various operating systems, it is widely used among indie developers,” ASEC noted.
The attack begins when users download what appears to be a “Free Download Files.zip” archive from MediaFire, often shared on forums promoting cracked or adult games. Inside the archive is a seemingly legitimate game launcher named lnstaIer.exe, which, when executed, silently triggers the Rhadamanthys infection chain.
“This attack disguises itself as a normal game file, but when executed, a malicious loader is activated which ultimately runs the Rhadamanthys Infostealer,” the report explains.
The fake game uses Ren’Py’s Python-based structure to embed malicious scripts inside essential game components such as script.rpy and __init__.py. These files are loaded automatically during game execution, allowing the malware to activate in the background without raising suspicion.
ASEC notes that “Threat actors can insert a malicious script into this file to manipulate the execution of the malicious code.” In this campaign, “the threat actor used this execution mechanism to write a malicious script in the script.rpy file and used it to execute additional malware that exists in the same path.”
Once executed, the launcher loads lnstaIer.py, which searches for the game folder and references the archive.rpa file — the compiled package containing the game’s scripts. The malware decompiles this archive and triggers the modified script.rpy, which in turn imports the malicious “__init__.py” script located in the Ren’Py python-packages directory.
ASEC explains that “The reason why the ‘__init__.py’ file is imported automatically is because Ren’Py supports users to create and use modules and packages created by users themselves.”
This script begins collecting information about the system, including virtual machine indicators, internet connectivity, and hardware specifications, before decrypting a hidden .key file containing configuration data. That data, stored as Base64-encoded JSON, reveals the malware payload name, password, and executable filename.
After decryption, the malware creates a temporary folder, extracts a seemingly benign file named UIS4tq7P.exe, and executes it alongside iviewers.dll — a pair that functions as a loader for the Rhadamanthys payload.
“When the ‘UIS4tq7P.exe’ file is executed, it loads the ‘iviewers.dll’ file located in the same path and then creates a .NET process as a child process. Afterward, the Rhadamanthys malware is injected into this process,” the report details.
To keep users unaware of the infection, the malware displays a fake game loading screen immediately after launch. The screen includes an artificial delay of nearly one million seconds, preventing users from realizing that no real game content is loading.
This deceptive visual, combined with Ren’Py’s legitimate game interface, makes the malware distribution particularly convincing — especially for users accustomed to downloading free visual novels or indie games from community forums.
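For defenders reviewing a downloaded Ren’Py game, the archive.rpa and script.rpy mechanism described above, together with the near-million-second pause, can be checked without running the game. The following Python is an added example (not code from the ASEC report, this article, or the Ren’Py project): it parses an RPA-3.0 archive using the documented layout (header with index offset and XOR key, zlib-compressed pickle index) and flags .rpy scripts containing startup hooks, suspicious imports or multi-day pauses; the indicator list, the XOR key and the sample scripts are constructed for illustration.

```python
import pickle, re, zlib
RPA_MAGIC = b"RPA-3.0 "
SUSPICIOUS = [  # indicator patterns chosen for this example; tune to the game under review
    re.compile(rb"^\s*init\s+python", re.M),  # code that runs at startup, before any menu
    re.compile(rb"\bimport\s+(?:subprocess|ctypes|socket|urllib|base64)\b"),
    re.compile(rb"\bos\.(?:system|popen|startfile)\s*\("),
    re.compile(rb"renpy\.pause\(\s*\d{6,}"),  # a "loading screen" that waits for days
]

def read_rpa3(blob: bytes) -> dict:
    """Return {name: bytes} for an RPA-3.0 archive held in memory."""
    header = blob.split(b"\n", 1)[0]
    if not header.startswith(RPA_MAGIC):
        raise ValueError("not an RPA-3.0 archive")
    index_offset, key = (int(x, 16) for x in header[len(RPA_MAGIC):].split())
    index = pickle.loads(zlib.decompress(blob[index_offset:]))
    files = {}
    for name, entries in index.items():
        chunks = []
        for off, dlen, *prefix in entries:  # offset and length are XORed with the key
            start = prefix[0] if prefix else b""
            off, dlen = off ^ key, dlen ^ key
            chunks.append(start + blob[off:off + dlen - len(start)])
        files[name] = b"".join(chunks)
    return files

def build_rpa3(files: dict, key: int = 0x42424242) -> bytes:
    """Write a minimal RPA-3.0 archive; used here only to build a test fixture."""
    header_len = len(RPA_MAGIC) + 16 + 1 + 8 + 1
    body, index = bytearray(), {}
    for name, data in files.items():
        index[name] = [((header_len + len(body)) ^ key, len(data) ^ key, b"")]
        body += data
    header = RPA_MAGIC + f"{header_len + len(body):016x} {key:08x}\n".encode()
    return header + bytes(body) + zlib.compress(pickle.dumps(index, 2))

def flag_scripts(files: dict) -> dict:
    """Map each .rpy entry to the indicator patterns it matches."""
    hits = {}
    for name, data in files.items():
        if name.endswith(".rpy"):
            matched = [p.pattern.decode() for p in SUSPICIOUS if p.search(data)]
            if matched:
                hits[name] = matched
    return hits

# Constructed sample scripts: one clean, one carrying the startup-execution pattern.
CLEAN_RPY = b'label start:\n    "Welcome"\n    return\n'
TAMPERED_RPY = b"init python:\n    import subprocess, base64\nlabel start:\n    renpy.pause(999999)\n"
SAMPLE_ARCHIVE = build_rpa3({"script.rpy": TAMPERED_RPY, "options.rpy": CLEAN_RPY})
```

Run `flag_scripts(read_rpa3(open("game/archive.rpa", "rb").read()))` against a real download; any flagged script should be read by hand before the game is launched.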
While this campaign focused on Rhadamanthys, AhnLab warns that similar infiltration vectors are being used to distribute LummaC2 Infostealer and other credential-harvesting malware. The report highlights that “in forums that share both legal and illegal adult games, there have been cases where a game developer’s account was compromised and LummaC2 Infostealer was distributed instead of the legitimate game files.”
This suggests that even legitimate developers and their distribution accounts can be weaponized to deliver malware through trusted community channels.