EXECUTIVE SUMMARY:
A widespread malware campaign leverages pirated and cracked software, particularly game installers, to infect systems through a complex multi-stage infection chain. At its core is a previously undocumented loader dubbed RenEngine, which is bundled within compromised RenPy-based game launchers and similar pirated application installers. Initially observed distributing the Lumma stealer, the loader has more recently been associated with delivery of the ACR Stealer infostealer, indicating an ongoing, large-scale operation designed to harvest sensitive user information.
The attack begins when a victim downloads and executes what appears to be a legitimate game installer; embedded within it is a Python-based malicious script that imitates normal loading behavior while decrypting and unpacking payloads. The installer triggers HijackLoader, a modular loader that abuses DLL side-loading and in-memory patching to evade detection. HijackLoader components create child processes, stage and decrypt payloads using transactional Windows API techniques, and inject code into trusted processes such as explorer.exe for stealthy execution. Execution paths vary with configuration but consistently culminate in deployment of an information-stealing payload such as Lumma or ACR Stealer. These final payloads extract credentials, cookies, cryptocurrency wallet data, and other system details before sending them to attacker-controlled infrastructure. The campaign also uses dozens of fraudulent websites to host the infected installers, and its victim distribution is global, spanning multiple regions.
This multi-stage loader campaign illustrates a sophisticated misuse of cracked-software distribution channels to orchestrate large-scale malware infections. The combination of deceptive social engineering, advanced loader frameworks, and modular payload delivery underscores the continued evolution of cyber-criminal distribution tactics. To mitigate exposure, users and organizations should avoid downloading unverified software from untrusted sources, enforce strict application whitelisting and endpoint protections, and monitor for activity indicative of credential theft or unauthorized data exfiltration.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1195.002 | Supply Chain Compromise | Compromise Software Supply Chain |
| Execution | T1059.006 | Command and Scripting Interpreter | Python |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation | - |
| Defense Evasion | T1055.001 | Process Injection | Dynamic-link Library Injection |
| Defense Evasion | T1562.001 | Impair Defenses | Disable or Modify Tools |
| Credential Access | T1003.006 | OS Credential Dumping | DCSync |
| Collection | T1113 | Screen Capture | - |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | - |
MBC MAPPING:
| Objective | Behaviour ID | Behaviour |
|---|---|---|
| Defense Evasion | E1027 | Obfuscated Files or Information |
| Defense Evasion | F0015 | Hijack Execution Flow |
| Defense Evasion | E1055 | Process Injection |
| Defense Evasion | F0005 | Hidden Files and Directories |
| Defense Evasion | B0037 | Bypass Data Execution Prevention |
| Execution | E1059 | Command and Scripting Interpreter |
| Execution | E1569 | System Services |
REFERENCES:
The following reports contain further technical details:
https://cybersecuritynews.com/surge-in-ai-driven-phishing-attacks/
https://securelist.com/renengine-campaign-with-hijackloader-lumma-and-acr-stealer/118891/