In the world of PC gaming, the lure of “free” pirated content has always carried risks. However, a recent investigation into the Spanish gaming platform PiviGames reveals that the cost of a free download might be much higher than a simple copyright strike. According to a detailed report by G DATA, what was once a popular source for pirated games has evolved into a “full-blown malware distribution hub.”
The investigation began in November 2025 after a distressed user on Reddit’s r/antivirus community reported a digital “nightmare.” After attempting to download a game from PiviGames, the user found their PC acting as a gateway for an unknown infostealer.
As the report notes, “The initially reported file was masquerading as a Python-based setup file but upon investigation, the downloaded file had been changed into a different one. This signaled to us that the URL is still live and actively infecting.”
The victim described a rapid chain of events: first, a password reset for a Ubisoft account, followed by a fully compromised Steam account and multiple service change requests. Even after running antivirus scans and factory resetting the PC, the trauma of the breach lingered.
The PiviGames site doesn’t just host malicious files directly; it uses sophisticated “malvertising” tactics. When a user first visits, a hidden JavaScript file named pgedshop.js checks the browser’s cookies.

On the first click, the user is redirected to an advertising network. On subsequent visits, the script tracks the user’s “mark” to ensure they are funneled toward a specific destination: a MediaFire link hosting a ZIP archive titled “Full Version Setup 6419 Open.zip.”
Inside that ZIP file is where the real danger lies. The researchers discovered a complex piece of malware known as HijackLoader. It uses a technique called “DLL sideloading,” where a legitimate-looking game launcher (Setup.exe) is used to trick the system into running a malicious file (Conduit.Broker.dll).
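As an added illustration (not code from G DATA's report or from this article), the sketch below triages a downloaded ZIP before extraction for the layout described above: an executable sitting in the same folder as a DLL it references by name, which Windows would load from the application directory. The function names, the size cap and the sample archive are assumptions constructed for this example; the sample holds placeholder bytes, not real binaries.

```python
import io
import zipfile
from collections import defaultdict
from pathlib import PurePosixPath

MAX_EXE_BYTES = 64 * 1024 * 1024  # assumption: skip oversized members instead of reading them

def _referenced(exe_lower, dll_name):
    """True if the DLL file name occurs in the lower-cased EXE bytes as ASCII or UTF-16LE."""
    name = dll_name.lower()
    return name.encode("utf-8") in exe_lower or name.encode("utf-16-le") in exe_lower

def sideload_candidates(zip_bytes):
    """Return sorted (folder, exe, dll) triples where a DLL sits in the same
    archive folder as an executable that references it by file name."""
    dirs = defaultdict(lambda: {"exe": [], "dll": []})
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = PurePosixPath(info.filename.replace("\\", "/"))
            kind = path.suffix.lower().lstrip(".")
            if kind in ("exe", "dll"):
                dirs[str(path.parent)][kind].append((path.name, info))
        hits = []
        for folder, members in dirs.items():
            for exe_name, exe_info in members["exe"]:
                if exe_info.file_size > MAX_EXE_BYTES:
                    continue
                exe_lower = zf.read(exe_info).lower()  # bytes.lower() only touches ASCII letters
                for dll_name, _ in members["dll"]:
                    if _referenced(exe_lower, dll_name):
                        hits.append((folder, exe_name, dll_name))
    return sorted(hits)

def build_sample():
    """Constructed archive mirroring the file names in the article (placeholder content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("game/Setup.exe", b"MZ\x00\x00Conduit.Broker.dll\x00KERNEL32.dll\x00")
        zf.writestr("game/Conduit.Broker.dll", b"MZ placeholder")
        zf.writestr("game/data/unrelated.dll", b"MZ placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for folder, exe, dll in sideload_candidates(build_sample()):
        print(f"{folder}: {exe} references local {dll}")
```

A hit is a triage signal, not a verdict: legitimate installers also ship their own DLLs, so the flagged DLL still needs a signature and reputation check.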
The G DATA researchers described the inner workings of this malware as a daunting challenge for analysts: “The ti64 module is a big piece of spaghetti software in the form of pure shellcode… Renaming one variable in the decompiler freezes the application for three seconds.”
This “spaghetti” code is actually a highly organized orchestrator. It can detect antivirus products, bypass User Account Control (UAC), and even remove “hooks” that security software uses to monitor system activity.
Ultimately, the goal of this elaborate multi-stage infection is to deliver a payload—in this case, ACRStealer. This 64-bit infostealer is designed to harvest credentials, session tokens, and personal data from the infected machine, explaining why the Reddit user saw their gaming accounts compromised so quickly.
The researchers even labeled this complex web of code as “Lovecraftian malware,” noting that analyzing it was “an exercise in patience.”
For gamers, the lesson is clear: there is no such thing as a free lunch. Platforms like PiviGames may offer attractive content, but they have become primary vehicles for sophisticated malware groups. To stay safe:
- Avoid pirated software: The “crack” or “setup” file is often the primary infection vector.
- Use Multi-Factor Authentication (MFA): Even if an infostealer grabs your password, MFA can prevent attackers from taking over your accounts.
- Trust Your Antivirus: If a download requires you to disable your security software or ignore “suspicious file” warnings, it is almost certainly malicious.
As this G DATA report shows, a single “careless click” can lead to a full system factory reset and the loss of years of gaming progress.