RenEngine
RenEngine is a malware loader/downloader family that Kaspersky's Securelist identified as a distinct loader circulating since March 2025. The reporting places it in two distribution contexts: malicious Steam Workshop / Wallpaper Engine campaigns, and mass campaigns distributing pirated games or cracked software through trojanized launchers built on the Ren’Py engine. In the Steam Workshop activity, RenEngine was one of several families delivered through malicious Wallpaper Engine “application wallpapers”, alongside DarkComet, Lumma, and Vidar; that activity mainly targeted gamers, especially in China and Russia, and abused Wallpaper Engine’s ability to run Windows code bundled with a wallpaper. In the pirated-software campaign, RenEngine was embedded in modified game launchers and hidden behind a fake loading screen while the infection chain ran in the background. Victims were redirected through multiple sites or fake download buttons, including file-hosting services such as MEGA, to archives containing the trojanized games or software.
The loader is described as modular and customizable. Its initial stages are Python scripts that mimic a game download/loading screen, perform environment and sandbox checks through functions such as is_sandboxed, and decrypt the next stage from encrypted content using routines such as xor_decrypt_file. The decrypted content is unpacked to a temporary directory and execution continues through DLL hijacking. Components and artifacts reported in the chain include legitimate-looking files such as Ahnenblatt4.exe/DKsyVGUJ.exe, borlndmm.dll, a patched cc32290mt.dll, dbghelp.dll used as a container for decrypted shellcode, and retrieval of shellcode from gayal.asp. The first-stage loader launched this way is identified as HijackLoader, which uses an encrypted configuration, environment variables, suspended-process creation, Windows NT APIs such as ZwCreateSection and ZwMapViewOfSection, transactional file techniques, and shared-memory injection to stage the final payload and inject it into trusted processes including explorer.exe. For defenders, the useful consequence of this design is that the earliest observable stages are a Python interpreter shipped with the game and well-known DLL names loaded from a user-writable unpack directory rather than from the system directory, both of which are visible in process-lineage and image-load telemetry before the payload reaches explorer.exe.
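The report says only that xor_decrypt_file XOR-decrypts the next stage and that configuration parameters are XOR-encrypted; it does not give the key or key length. As an added example (not code from the Securelist report or from the loader), the Python below recovers a repeating XOR key from such a blob using two properties of PE files: in zero-padding runs the ciphertext equals the key, and the fixed MZ header and DOS-stub text give a check for the candidate. The sample stage, the key RenPyKeY! and its 9-byte length are constructed assumptions.

```python
"""Recover the key of an XOR-encrypted next stage (added example, not loader code).

The report says only that the loader XOR-decrypts its next stage
(xor_decrypt_file) and XOR-encrypts configuration. Everything below,
the key, key length and sample stage layout, is an assumption.
"""
from collections import Counter
from itertools import cycle
from typing import Optional
import random

# Constructed PE-like sample (not a real RenEngine stage): a 64-byte DOS header
# as emitted by common linkers, the DOS stub text, pseudo-random "code", and
# a long zero run standing in for section alignment padding.
DOS_HEADER = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"\xb8\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00" + b"\x00" * 36
)
DOS_STUB = b"This program cannot be run in DOS mode.\r\r\n$"
ASSUMED_KEY = b"RenPyKeY!"  # hypothetical 9-byte key, not an observed value


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; decryption is the same operation."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def build_sample_stage(seed: int = 7) -> bytes:
    """Constructed plaintext stage: header, stub, 2 KiB of noise, 4 KiB of zeros."""
    rnd = random.Random(seed)
    code = bytes(rnd.randrange(256) for _ in range(2048))
    padding = b"\x00" * 4096
    return DOS_HEADER + DOS_STUB + code + padding


def candidate_key(ciphertext: bytes, key_len: int) -> bytes:
    """Most frequent key_len-aligned block of the ciphertext.

    Wherever the plaintext is a run of zeros, ciphertext == key, so once
    padding dominates the file the most common aligned block is the key.
    """
    blocks = Counter(
        ciphertext[i:i + key_len]
        for i in range(0, len(ciphertext) - key_len + 1, key_len)
    )
    return blocks.most_common(1)[0][0]


def recover_key(ciphertext: bytes, max_len: int = 64) -> Optional[bytes]:
    """Try key lengths 1..max_len; accept the first candidate whose
    decryption starts with 'MZ' and exposes the DOS stub text."""
    for n in range(1, max_len + 1):
        key = candidate_key(ciphertext, n)
        head = xor_bytes(ciphertext[:256], key)
        if head.startswith(b"MZ") and b"This program cannot be run" in head:
            return key
    return None


def decrypt_stage(ciphertext: bytes) -> Optional[bytes]:
    """Recover the key and return the decrypted stage, or None if no key fits."""
    key = recover_key(ciphertext)
    return None if key is None else xor_bytes(ciphertext, key)


if __name__ == "__main__":
    stage = build_sample_stage()
    blob = xor_bytes(stage, ASSUMED_KEY)
    print("recovered key:", recover_key(blob))
    print("decrypts correctly:", decrypt_stage(blob) == stage)
```

The mode-of-aligned-blocks trick only works when the plaintext has enough zero runs at the true key period, which holds for PE files but not for a short XOR-encrypted configuration string; for those, pull the key from the Python stage itself, where the script has to carry it in clear to call xor_decrypt_file.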
RenEngine has been used to deliver credential- and data-theft malware. Earlier iterations mainly distributed Lumma Stealer; more recent incidents delivered ACR Stealer, and the source also reports Vidar in the campaign. The delivered stealers take passwords, cryptocurrency wallets, and session cookies. Kaspersky detection names associated with RenEngine in the source are Trojan.Python.Agent.nb and HEUR:Trojan.Python.Agent.gen. Countries named for RenEngine-related incidents include Russia, Brazil, Spain, Turkey, and Germany. The source does not attribute RenEngine to a specific named threat actor.
Techniques & procedures
8 distinct techniques documented for this family, organized by ATT&CK tactic (the page's "Stealth" grouping corresponds to the ATT&CK Defense Evasion tactic):
Initial Access: 1 technique
Execution: 2 techniques
Privilege Escalation: 1 technique
Stealth (Defense Evasion): 5 techniques, including:
  "...leverages the structure of the Ren’Py visual novel engine, making the malicious files appear as legitimate components of the game."
  "...inject malicious code into a trusted process... launch the final payload... within the memory space of a system process like explorer.exe."
  "xor_decrypt_file for decrypting the malicious payload" / "configuration parameters are encrypted using XOR"
Discovery: 1 technique
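The chain the techniques above describe (a Ren’Py game's Python interpreter, a next stage unpacked to a temporary directory, a hijacked DLL such as dbghelp.dll loaded from there, and injection into explorer.exe) leaves a process-lineage, image-load and process-access trail. The Python below is an added hunting example, not a Mallory or Kaspersky rule: it runs three stage checks over constructed Sysmon-like events and reports hosts where at least two stages fire. The DLL names come from the report; the interpreter names, the %TEMP% condition, the explorer.exe handle-open condition and every path are assumptions.

```python
"""Hunt for the RenEngine-style chain in endpoint telemetry (added example).

Not a Mallory or Kaspersky rule. The events below are constructed and use
Sysmon-like field names (ProcessCreate, ImageLoaded, ProcessAccess); every
path is hypothetical. DLL names come from the report; the game-interpreter,
%TEMP% and explorer.exe conditions are assumptions drawn from its chain.
"""
from typing import Dict, List
import ntpath

HIJACKED_DLLS = {"dbghelp.dll", "borlndmm.dll", "cc32290mt.dll"}  # named in the report
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
PYTHON_IMAGES = {"python.exe", "pythonw.exe"}  # assumption: the game's bundled interpreter


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _in_temp(path: str) -> bool:
    return "\\appdata\\local\\temp\\" in path.lower()


def _in_system_dir(path: str) -> bool:
    return (ntpath.dirname(path).lower() + "\\").startswith(SYSTEM_DIRS)


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the chain stages a single event matches (empty list if none)."""
    hits: List[str] = []
    kind = ev["EventType"]
    if kind == "ProcessCreate":
        # Stage 1: a Python interpreter spawns an executable dropped in %TEMP%
        if _base(ev["ParentImage"]) in PYTHON_IMAGES and _in_temp(ev["Image"]):
            hits.append("python_spawns_temp_exe")
    elif kind == "ImageLoaded":
        # Stage 2: a hijacked DLL name loaded from outside the system directories
        dll = _base(ev["ImageLoaded"])
        if dll in HIJACKED_DLLS and not _in_system_dir(ev["ImageLoaded"]):
            hits.append("sideload:" + dll)
    elif kind == "ProcessAccess":
        # Stage 3: the %TEMP%-resident process opens explorer.exe, which it
        # needs a handle to before it can map a section into it
        if _in_temp(ev["SourceImage"]) and _base(ev["TargetImage"]) == "explorer.exe":
            hits.append("temp_process_accesses_explorer")
    return hits


def hunt(events, min_stages: int = 2) -> Dict[str, List[str]]:
    """Hosts on which at least min_stages distinct stages fired, with the stages."""
    by_host: Dict[str, set] = {}
    for ev in events:
        for hit in check_event(ev):
            by_host.setdefault(ev["Computer"], set()).add(hit)
    return {host: sorted(s) for host, s in by_host.items() if len(s) >= min_stages}


# Constructed events, not real telemetry. ws01 models the chain; ws02 is benign.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Computer": "ws01",
     "ParentImage": r"D:\Games\NovelGame\lib\py3-windows-x86_64\pythonw.exe",
     "Image": r"C:\Users\bob\AppData\Local\Temp\qx1\DKsyVGUJ.exe"},
    {"EventType": "ImageLoaded", "Computer": "ws01",
     "Image": r"C:\Users\bob\AppData\Local\Temp\qx1\DKsyVGUJ.exe",
     "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\qx1\dbghelp.dll"},
    {"EventType": "ProcessAccess", "Computer": "ws01",
     "SourceImage": r"C:\Users\bob\AppData\Local\Temp\qx1\DKsyVGUJ.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventType": "ImageLoaded", "Computer": "ws02",
     "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\dbghelp.dll"},
    {"EventType": "ProcessCreate", "Computer": "ws02",
     "ParentImage": r"C:\Users\amy\AppData\Local\Programs\Python\Python312\python.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for host, stages in hunt(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(stages))
```

Each stage on its own is noisy (developers run Python, legitimate software ships its own dbghelp.dll), which is why the verdict requires two independent stages on the same host; the report's hashes and domains are the place to tighten it further once Mallory surfaces them.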
IOCs tracked for this family
33 indicators attributed across vendor reports, sandbox runs, and researcher write-ups (full values are available in Mallory):
  Network: IPs, domains, and DNS infrastructure linked to this family.
  Files: hashes (MD5, SHA-1, SHA-256) from samples and reports.
  Other: indicator types observed in public reporting.
Recent activity
6 sources tracked across advisories, community write-ups, and news:
  Downloader malware observed being distributed via malicious Steam Workshop wallpapers.
  Loader observed as one of the malware families distributed through malicious Steam Workshop wallpapers.
  A multi-stage loader embedded in modified/pirated game launchers (leveraging the Ren’Py structure) that performs sandbox checks, decrypts an encrypted next stage, and uses DLL hijacking (dbghelp.dll) to load a module and then decrypt, inject and execute final payloads (e.g., stealers) in trusted processes such as explorer.exe.
  New malware loader observed in the wild; the source dates it only as "this month".