VYPR
Research · Published Jun 8, 2026 · 1 source

Pirated PC Games Deliver Password-Stealing Malware via RenEngine Loader

A new malware campaign, dubbed RenEngine loader, is distributing password-stealing malware by hiding it within pirated PC games, infecting over 400,000 devices globally.

A widespread malware campaign, identified as the "RenEngine loader," is actively distributing potent password-stealing malware by embedding it within pirated PC games. Researchers estimate that this campaign has already infected over 400,000 devices worldwide, with a significant portion, around 30,000 users, located in the United States.

The infection vector relies on social engineering and the allure of free, albeit illicit, software. Users are enticed to download cracked or repacked installers for popular game franchises such as Far Cry, Need for Speed, FIFA, and Assassin’s Creed from unofficial sources. While the pirated games appear to function normally, the malware silently installs itself in the background, initiating a malicious infection chain.

The malware strain is referred to as "RenEngine loader" and is connected to Ren'Py, a legitimate, open-source engine commonly used for developing visual novel games. Attackers are not compromising Ren'Py itself but are instead abusing its legitimate launcher as a delivery mechanism. This allows them to disguise malicious code within the seemingly harmless game installation process.

When a user launches the pirated game, the abused Ren'Py launcher decompresses the game files and discreetly executes the embedded malware. The primary payload observed in this campaign is the ARC infostealer. ARC is designed to exfiltrate a wide range of sensitive information, including saved browser passwords, cookies, cryptocurrency wallet details, autofill data, system configurations, and clipboard contents.

However, the RenEngine loader is not limited to distributing ARC. Threat actors have also been observed deploying other malicious payloads, such as the Rhadamanthys stealer, the Async Remote Access Trojan (RAT), and Backdoor.XWorm. The inclusion of RATs and backdoors significantly expands the potential damage, enabling attackers to gain full remote control over compromised machines, leading to account takeovers, financial fraud, and deeper system compromise.

Users may remain unaware of the infection until their credentials have been stolen or their system begins exhibiting unusual behavior. The campaign highlights a persistent threat where the desire for free software directly leads to severe security risks. The effectiveness of this method underscores the importance of obtaining software from legitimate sources.

To mitigate the risks associated with such campaigns, users are strongly advised against downloading installers from unofficial websites. Maintaining up-to-date anti-malware protection is crucial for detecting and blocking malware loaders. Furthermore, keeping all software, including operating systems and security programs, updated with the latest patches is essential for closing potential security gaps.

Malwarebytes offers resources for users who suspect their systems may be infected and provides guidance on cleaning their machines. The campaign serves as a stark reminder that "free" cracked software often comes at the steep price of compromised security and stolen data, emphasizing the need for vigilance in the digital landscape.

Synthesized by Vypr AI