New Malware Campaign Targets Gamers with RenEngine Loader
Threat actors are exploiting gaming communities by distributing pirated games laced with a new malware known as RenEngine, first identified by Howler Cell researchers in February 2026. While security solutions from Kaspersky detect this loader as Trojan.Python.Agent.nb, it has been in use since March 2025 to spread various malicious payloads, including the Lumma stealer and the more recent ACR Stealer.
This attack operates by masquerading pirated games as legitimate downloads on popular websites. Upon execution, the affected games initiate a deceptive loading process while the actual malicious code activates in the background. The malware employs Python scripts to circumvent sandbox environments and retrieves its payload from encrypted files. The malicious code takes form through a series of stages, starting with RenEngine and culminating in payloads that siphon sensitive information.
The RenEngine malware has been spread through a range of seemingly legitimate channels, affecting users primarily in Russia, Brazil, Turkey, Spain, and Germany. The attackers utilize a variety of methods, including fake download links for popular software such as CorelDRAW. This campaign illustrates the common tactic of leveraging pirated software to distribute malware, targeting unsuspecting users who seek free downloads.
The significance of this threat lies in its potential to compromise sensitive user data, especially in gaming communities where piracy is common. Cybersecurity professionals must focus on educating users about the dangers of downloading unverified software and encourage the use of reliable antivirus solutions to mitigate such risks.
Protection mechanisms, such as advanced behavioral detection offered by cybersecurity solutions, can help prevent these types of infections. Implementing robust monitoring and maintaining updated security measures are prudent steps for defending against this evolving threat landscape.
Indicators of Compromise (IOCs):
Malware Hashes:
- 12EC3516889887E7BCF75D7345E3207A – setup_game_8246.zip
- D3CF36C37402D05F1B7AA2C444DC211A – init.py
- 1E0BF40895673FCD96A8EA3DDFAB0AE2 – cc32290mt.dll
- 2E70ECA2191C79AD15DA2D4C25EB66B9 – Lumma Stealer
Malicious URLs:
- hxxps://hentakugames[.]com/country-bumpkin/
- hxxps://dodi-repacks[.]site
- hxxps://artistapirata[.]fi
- hxxps://gamesleech[.]com
- hxxps://localfxement[.]live
Lumma Command and Control:
- hxxps://steamcommunity[.]com/profiles/76561199822375128
