• Table of Contents Incident analysis Disguise as a visual novel “Game” source files analysis HijackLoader Not only games Distribution Recommendations for protection Indicators of compromise Authors Denis Brylev Pavel Sinenko Maxim Starodubov Artem Ushkov Weoften describe casesof malware distribution under the guise of game cheats and pirated software. • Sometimes such methods are used to spread complex malware that employs advanced techniques and sophisticated infection chains. • In February 2026, researchers from Howler Cellannounced the discovery of a mass campaigndistributing pirated games infected with a previously unknown family of malware. • It turned out to be a loader called RenEngine, which was delivered to the device using a modified version of the Ren’Py engine-based game launcher. • Kaspersky solutions detect the RenEngine loader as Trojan.Python.Agent.nb and HEUR:Trojan.Python.Agent.gen. • However, this threat is not new.
Article Summaries:
- In February 2026, Kaspersky researchers revealed a large‑scale malware campaign that spreads through pirated games. The loader, dubbed RenEngine, hijacks a modified Ren’Py game launcher to infect devices. First spotted in March 2025, RenEngine has already delivered the Lumma and ACR Stealer password‑stealing payloads. The infection chain begins with a Python script that mimics a game’s loading screen, decrypts a ZIP archive, and deploys a “HijackLoader” module that injects the final payload into memory. Kaspersky’s detection labels the loader as Trojan.Python.Agent.nb/HEUR:Trojan.Python.Agent.gen, underscoring the evolving threat of “free” game downloads.
Sources: