
RenEngine Loader

RenEngine Loader is a previously undocumented malware loader used in large-scale campaigns (observed since at least March/April 2025) to deliver next-stage payloads, notably ACR Stealer and Lumma Stealer. Cyderes and Cato Networks reported RenEngine Loader and a second loader, Foxveil, being used to deliver follow-on payloads. In RenEngine Loader intrusions it commonly stages a secondary loader, HijackLoader (also written Hijack Loader), which then launches the final stealer payload.

Distribution and infection vector: RenEngine Loader has been delivered through illegally modified (trojanized) game installers distributed on piracy platforms, including pirated copies of popular games (e.g., Assassin's Creed, FIFA, Far Cry). The malicious logic is concealed within the games' Ren'Py launchers; when the victim installs and launches the trojanized game, a hidden Python script executes and starts the loader chain.

Behavior and capabilities: RenEngine Loader performs sandbox checks before executing the next stage, HijackLoader. HijackLoader adds its own anti-analysis measures (including GPU virtualization checks and hypervisor detection) and uses process doppelganging before launching the final payload (e.g., ACR Stealer). Separate reporting also observed RenEngine Loader in delivery chains (e.g., via game cheats and pirated software such as CorelDRAW) that ultimately deployed Lumma Stealer through HijackLoader.
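Defensive illustration, added here and not part of this page or of any vendor report: a process-lineage check over constructed Sysmon-style process-creation records that flags the chain described above (game launcher, then the Python interpreter bundled with the game, then an executable started from a staging directory). The field names, the paths, and the "known install roots" heuristic are assumptions for the example.

```python
import re

# Constructed Sysmon-style process-creation records (invented values, not real
# telemetry). PIDs 100 -> 101 -> 102 model the chain the page describes:
# game launcher -> hidden Python execution -> follow-on loader dropped to disk.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 4, "image": r"C:\Games\FarCry_repack\FarCry.exe"},
    {"pid": 101, "ppid": 100,
     "image": r"C:\Games\FarCry_repack\lib\py3-windows-x86_64\python.exe"},
    {"pid": 102, "ppid": 101,
     "image": r"C:\Users\u\AppData\Local\Temp\svchost_update.exe"},
    # Benign: a system-installed Python interpreter running a script.
    {"pid": 200, "ppid": 4, "image": r"C:\Program Files\Python312\python.exe"},
    {"pid": 201, "ppid": 200, "image": r"C:\Program Files\Python312\python.exe"},
]

PYTHON_IMAGE = re.compile(r"\\pythonw?\.exe$", re.I)
# Interpreter install roots treated as legitimate (an assumption for this
# example; tune to the hosts you manage).
KNOWN_INSTALL_ROOTS = re.compile(
    r"^C:\\(Program Files( \(x86\))?|Users\\[^\\]+\\AppData\\Local\\Programs)"
    r"\\Python[^\\]*\\", re.I)
# Directories where a dropped second stage is commonly written.
STAGING_DIRS = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|ProgramData)\\", re.I)


def is_bundled_python(image: str) -> bool:
    """python(w).exe outside the known install roots, e.g. one shipped in a game folder."""
    return bool(PYTHON_IMAGE.search(image)) and not KNOWN_INSTALL_ROOTS.match(image)


def find_suspicious_chains(events):
    """Return (launcher_pid, python_pid, child_pid) triples where a bundled
    interpreter, started by a non-Python launcher, spawns an executable from a
    staging directory."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not is_bundled_python(e["image"]):
            continue
        launcher = by_pid.get(e["ppid"])
        if launcher is None or is_bundled_python(launcher["image"]):
            continue
        for child in events:
            if child["ppid"] == e["pid"] and STAGING_DIRS.search(child["image"]):
                hits.append((launcher["pid"], e["pid"], child["pid"]))
    return hits
```

On the sample records only the game-launcher chain is reported; the system-installed interpreter is ignored because it lives under a known install root.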

Impact/targeting: Reporting cited more than 400,000 machines targeted/impacted globally. The most targeted countries reported include India, the United States, and Brazil; other telemetry cited impacts in Russia, Brazil, Turkey, Spain, Germany, Mexico, Algeria, Egypt, Italy, and France.

Associated payloads (as described in the cited reporting): ACR Stealer is delivered via HijackLoader and is described as exfiltrating browser credentials and cookies, system information, clipboard contents, and cryptocurrency wallet data.


MITRE ATT&CK

Techniques & procedures

5 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

2 techniques
T1189 Drive-by Compromise (evidence: 1)

"...illegally modified game installers distributed via piracy platforms..."

T1195.002 Compromise Software Supply Chain (evidence: 1)

"...concealment of illicit logic within the Ren'Py launchers of pirated versions of widely used games... Installing and launching the game triggers the execution of a hidden Python script..."

Execution

1 technique
T1059.006 Python (evidence: 1)

"...launching the game triggers the execution of a hidden Python script..."

Stealth

2 techniques
T1027 Obfuscated Files or Information (evidence: 1)

"distributed via a heavily obfuscated Inno Setup installer"; "Delivered via a downloader in a ZIP archive"; "illegally modified game installers distributed via piracy platforms"

T1497 Virtualization/Sandbox Evasion (evidence: 1)

"...RenEngine Loader to conduct sandbox checks... Apart from identifying GPU virtualization and hypervisor activity..."

Discovery

1 technique
T1497 Virtualization/Sandbox Evasion (evidence: 1)

"...RenEngine Loader to conduct sandbox checks... Apart from identifying GPU virtualization and hypervisor activity..."
