RenEngine-Loader Trojan in Pirated Software Steals 400,000 Passwords

A malware campaign known as RenEngine has compromised more than 400,000 systems globally by embedding a dual-stage loader within pirated versions of popular AAA video games. Cybersecurity researchers at Cyderes, who identified the threat, report that the operation has been active since at least April 2025 and continues to infect over 5,000 new devices every day.

Technical Execution and Evasion

The RenEngine loader operates by exploiting the Ren’Py engine, a legitimate development tool used primarily for visual novel games. Attackers package malicious scripts within modified game archives for titles including *Far Cry*, *FIFA*, *Need for Speed*, and *Assassin’s Creed*. When a user executes the game launcher, the system initiates a multi-stage process that begins by decompressing hidden archives.

Before deploying the final payload, the loader performs a series of sandbox checks. Using a multi-factor scoring system, the malware evaluates the target environment based on CPU cores, available RAM, disk space, BIOS serial numbers, and existing registry keys. If the system is deemed suitable, the loader decrypts a second-stage payload identified as HijackLoader. This module is designed for stealth, employing techniques such as process hollowing, DLL side-loading, and call stack spoofing to remain undetected by security software.

Global Distribution and Telemetry

Cyderes researchers tracked the campaign’s reach using telemetry data embedded within the malware, which was updated in October 2025 to monitor infection statistics. Data indicates that the malware logs between 4,000 and 10,000 unique visitors daily. The highest density of infections has been observed in India, the United States, and Brazil. Other significantly affected regions include the Russian Federation, Egypt, Turkey, Spain, Indonesia, Pakistan, and France.

Analysts linked the distribution of these infected files to the website “dodi-repacks[.]site.” The site has been noted in previous security reports for hosting malicious software disguised as legitimate game content.

Operational Persistence

The campaign persists through a combination of social engineering and technical obfuscation. By bundling malicious payloads with functional, pre-activated game files, attackers rely on users to bypass standard security warnings during installation. Once the RenEngine loader is active, it utilizes Base64 and XOR-encoded configuration files to manage its communication with command-and-control infrastructure.

While researchers have identified the specific execution chain and telemetry patterns, the operators behind the campaign continue to maintain active infrastructure to support the ongoing distribution of the loader. Security teams maintain that the primary vector remains the download and manual execution of unauthorized game installers from third-party piracy platforms.