RenEngine Loader Exploits Ren’Py Game Launchers to Steal Credentials
A new malware campaign, dubbed RenEngine, has been exploiting cracked game installers to deliver credential-stealing payloads. This sophisticated loader masquerades as a legitimate Ren’Py game launcher, allowing it to evade detection while compromising user systems.
Infection Mechanism:
The attack begins when a user downloads and executes a pirated game installer. Within the game folder, the installer includes a genuine Ren’Py launcher named `Instaler.exe`. However, this launcher is manipulated to execute a compiled script from `archive.rpa`. Notably, the build omits plain `.rpy` files, retaining only `.rpyc` files, which reduces visibility during scans.
RenEngine then reads a local `.key` file, decodes it from Base64 into JSON format, and uses the extracted password to XOR-decrypt an embedded archive. This process culminates in the execution of the next stage of the malware. To evade detection, the loader performs environment checks and will terminate silently if it detects a virtual machine.
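The loader traits described above (a launcher called `Instaler.exe`, a build that ships only `.rpyc` files, and a `.key` file that is Base64-wrapped JSON) can be turned into a simple offline triage check for a suspect game folder. The following Python script is an added example written for this article, not code from the researchers or from Ren'Py; the directory layout it builds, the `launch.key` file name and the JSON field name `password` are constructed assumptions, since the article does not give them. The compiled-only heuristic is weak on its own (legitimate builds also strip sources), so it is reported alongside the other findings rather than treated as conclusive.

```python
import base64
import json
import tempfile
from pathlib import Path

# Launcher file name reported in the article (case-insensitive match).
KNOWN_LAUNCHER_NAMES = {"instaler.exe"}


def check_key_file(path):
    """Report a .key file that is Base64-wrapped JSON (the staging format the
    article describes). Only field names are reported, never values."""
    try:
        decoded = base64.b64decode(path.read_bytes().strip(), validate=True)
        obj = json.loads(decoded)
    except ValueError:  # binascii.Error and JSONDecodeError both subclass ValueError
        return []
    if not isinstance(obj, dict):
        return []
    return [f"base64-wrapped JSON key file {path.name} with fields {sorted(obj)}"]


def find_indicators(game_root):
    """Walk a Ren'Py game directory and return a list of human-readable findings."""
    root = Path(game_root)
    findings = []
    rpy_stems, rpyc_stems = set(), set()
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        suffix = path.suffix.lower()
        if suffix == ".rpy":
            rpy_stems.add(path.with_suffix(""))
        elif suffix == ".rpyc":
            rpyc_stems.add(path.with_suffix(""))
        elif suffix == ".key":
            findings.extend(check_key_file(path))
        elif path.name.lower() in KNOWN_LAUNCHER_NAMES:
            findings.append(f"launcher name matches reported indicator: {path.relative_to(root)}")
    # Compiled-only build: every .rpyc lacks a matching .rpy source (weak indicator).
    if rpyc_stems and not (rpyc_stems & rpy_stems):
        findings.append(f"compiled-only build: {len(rpyc_stems)} .rpyc files with no .rpy source")
    return findings


def build_constructed_sample(suspicious=True):
    """Create a throwaway game folder for demonstration. The layout is constructed
    for this example and is not taken from a real sample."""
    root = Path(tempfile.mkdtemp(prefix="renpy-triage-"))
    game = root / "game"
    game.mkdir()
    (game / "archive.rpa").write_bytes(b"RPA-3.0 constructed placeholder\n")
    (game / "script.rpyc").write_bytes(b"constructed compiled script\n")
    if suspicious:
        (root / "Instaler.exe").write_bytes(b"constructed placeholder\n")
        # Assumed field name; the article only says the JSON carries a password.
        key_json = json.dumps({"password": "constructed-example"}).encode()
        (game / "launch.key").write_bytes(base64.b64encode(key_json))
    else:
        (root / "Game.exe").write_bytes(b"constructed placeholder\n")
        (game / "script.rpy").write_bytes(b"label start:\n    return\n")
    return root


if __name__ == "__main__":
    for finding in find_indicators(build_constructed_sample()):
        print("FINDING:", finding)
```

Point the script at a real game folder with `find_indicators("/path/to/game")`; an empty list means none of the three traits were seen, not that the folder is clean.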
Multi-Stage Execution Chain:
Once the initial stage is complete, RenEngine decrypts and launches the second stage, introducing HijackLoader through DLL side-loading and module stomping techniques. HijackLoader has been observed with enhanced anti-analysis modules, including checks for GPUs, hypervisor names, and VM-linked MAC addresses. This dual-loader setup allows attackers to adapt quickly to changing defenses by swapping payloads as needed.
The final payload observed in this chain is ACR Stealer, designed to collect browser passwords, cookies, cryptocurrency wallet data, and other system details. This information is then transmitted to attacker-controlled infrastructure. In some instances, other stealers like Vidar have also been deployed.
Scope and Impact:
The RenEngine campaign has been active since at least April 2025 and continues to pose a significant threat. Researchers estimate that approximately 400,000 victims worldwide have been affected, with about 5,000 new infections occurring daily. The highest concentrations of victims are in India, the United States, and Brazil.
This large-scale operation leverages social trust within piracy communities, making it challenging to mitigate through traditional patching methods. The use of legitimate-looking game launchers and multi-stage execution chains underscores the sophistication of this campaign.
Recommendations:
To protect against such threats, it is crucial to treat pirated installers and mods as high-risk and avoid their use. Organizations should implement security measures to block these files where possible. Monitoring for Ren’Py launchers unpacking RPA content, Base64/XOR staging, and aggressive virtual machine checks can help in early detection. Additionally, correlating these activities with suspicious DLL side-loading and sudden credential theft traffic across endpoints can aid in identifying and mitigating infections.
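The correlation the recommendations call for (a Ren'Py launcher unpacking RPA content and reading a key file, followed by a child process, a DLL loaded from a temp directory, and outbound traffic from that child) is shown below as an added Python example written for this article; it is not the researchers' detection logic. The JSON-lines telemetry shape, the field names, the `/AppData/Local/Temp/` side-loading heuristic and the sample hosts, paths and `203.0.113.x` documentation addresses are all constructed assumptions. The point of the example is that each event is ordinary in isolation (every legitimate Ren'Py game reads an `.rpa`), so only a chain of stages tied to one launcher process tree raises an alert.

```python
import json
from collections import defaultdict

# Constructed telemetry in a simplified JSON-lines shape (not a real EDR export).
# pc-1 shows the full chain; pc-2 is a legitimate game reading its archive.
SAMPLE_EVENTS = """\
{"host":"pc-1","pid":100,"ppid":1,"image":"C:/Games/Foo/Instaler.exe","type":"file_read","path":"C:/Games/Foo/game/launch.key"}
{"host":"pc-1","pid":100,"ppid":1,"image":"C:/Games/Foo/Instaler.exe","type":"file_read","path":"C:/Games/Foo/game/archive.rpa"}
{"host":"pc-1","pid":200,"ppid":100,"image":"C:/Users/u/AppData/Local/Temp/upd.exe","type":"process_create"}
{"host":"pc-1","pid":200,"ppid":100,"image":"C:/Users/u/AppData/Local/Temp/upd.exe","type":"image_load","path":"C:/Users/u/AppData/Local/Temp/helper.dll"}
{"host":"pc-1","pid":200,"ppid":100,"image":"C:/Users/u/AppData/Local/Temp/upd.exe","type":"network_connect","dst":"203.0.113.10:443"}
{"host":"pc-2","pid":300,"ppid":1,"image":"C:/Games/Bar/Bar.exe","type":"file_read","path":"C:/Games/Bar/game/archive.rpa"}
{"host":"pc-2","pid":300,"ppid":1,"image":"C:/Games/Bar/Bar.exe","type":"image_load","path":"C:/Games/Bar/lib/helper.dll"}
{"host":"pc-2","pid":300,"ppid":1,"image":"C:/Games/Bar/Bar.exe","type":"network_connect","dst":"203.0.113.20:443"}
"""


def correlate(lines):
    """Return {host: set of stage names} where every stage is tied to one launcher
    process tree (the process that read the .rpa/.key and its descendants)."""
    chains = defaultdict(dict)   # host -> {pid: root launcher pid}
    stages = defaultdict(set)    # host -> stage names seen
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        host, t, pid, ppid = ev["host"], ev["type"], ev["pid"], ev.get("ppid")
        path = ev.get("path", "").lower()
        tree = chains[host]
        if t == "file_read" and path.endswith((".rpa", ".key")):
            tree.setdefault(pid, pid)  # this process becomes a chain root
            stages[host].add("rpa_unpack" if path.endswith(".rpa") else "key_file_read")
        elif t == "process_create" and ppid in tree:
            tree[pid] = tree[ppid]     # child inherits the launcher's root
            stages[host].add("child_process")
        elif t == "image_load" and pid in tree and "/appdata/local/temp/" in path:
            stages[host].add("dll_from_temp")  # simplified side-loading heuristic
        elif t == "network_connect" and pid in tree and tree[pid] != pid:
            stages[host].add("child_network")  # traffic from a descendant, not the game
    return {h: stages[h] for h in chains}


def alerts(lines, min_stages=3):
    """Hosts where the launcher chain reached at least min_stages distinct stages."""
    return sorted(h for h, s in correlate(lines).items()
                  if "rpa_unpack" in s and len(s) >= min_stages)


if __name__ == "__main__":
    for host, seen in correlate(SAMPLE_EVENTS).items():
        print(host, sorted(seen))
    print("alert hosts:", alerts(SAMPLE_EVENTS))
```

Tuning `min_stages` trades coverage for noise: at 3 a launcher that reads a key file, unpacks the archive and spawns a child already alerts, while a game that only unpacks its archive and talks to a server never does.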