In early 2026, cybersecurity researchers uncovered a large-scale malware campaign leveraging pirated game downloads to distribute a complex, multi-stage malicious ecosystem centered around the RenEngine loader. Initially identified as a novel loader family in March 2025, RenEngine has since evolved to deliver advanced stealers such as Lumma and ACR Stealer, often through sophisticated loader frameworks like HijackLoader. This campaign illustrates how seemingly innocuous content (e.g., “free games”) can mask deeply technical infection chains designed to evade detection and quietly harvest sensitive data.
Campaign Overview
At its core, the campaign exploits the trust of users seeking free or cracked software. Threat actors craft landing pages or download portals that mimic legitimate gaming resources. When users download these archives and execute the contents, the malware chain triggers—initially masquerading as a game engine, only to launch malicious code.
Three primary threat components are deployed:
- RenEngine loader – a Python-based loader hidden in modified game launchers.
- HijackLoader – a refined loader/injector deployed in the later stages.
- Infostealers – Lumma Stealer and ACR Stealer as final payloads.
Initial Infection Vector: Fake “Game” Launchers
Attackers host a malicious archive on file-sharing services like MEGA, delivered through a download page with enticing buttons such as “Free Download Now”. Once a user launches the alleged game executable, the UI displays a fake loading screen stalled at 100%, while the embedded malware routine begins execution in the background.
Decompiled Engine Scripts
Inside the downloaded “game” bundle are Python scripts intended to imitate a legitimate Ren’Py engine launcher. Key functions found in these scripts include:
- is_sandboxed() – checks for virtualized or sandboxed environments.
- xor_decrypt_file() – decrypts encrypted payloads on disk.
The script:
- Decrypts a bundled ZIP archive using XOR.
- Unpacks it to a hidden .temp directory.
- Loads and executes the decrypted files silently, defeating casual inspection.
This stage performs sandbox evasion and ensures that only real user environments progress further, often escaping automated detection tests.
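The XOR-then-unpack step gives an analyst a cheap way to inspect the bundled payload without ever running the launcher: the decrypted data must start with the ZIP signature, which is a known plaintext. The following triage script is an added example, not code from the campaign or from the report; it assumes a single-byte XOR key (the report does not state the key scheme) and builds its own constructed sample archive in place of a real one.

```python
import io
import zipfile
from typing import Optional

ZIP_MAGIC = b"PK\x03\x04"  # local-file-header signature at offset 0 of every ZIP


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (single-byte key is an assumption)."""
    return bytes(b ^ key for b in data)


def recover_single_byte_key(blob: bytes) -> Optional[int]:
    """Known-plaintext recovery: the decrypted payload must begin with the
    ZIP signature, so the only candidate keys are those that produce it."""
    for key in range(256):
        if xor_bytes(blob[:4], key) == ZIP_MAGIC:
            return key
    return None


def list_payload(blob: bytes) -> list:
    """Decrypt the blob and list member names without extracting or running them."""
    key = recover_single_byte_key(blob)
    if key is None:
        raise ValueError("no single-byte XOR key yields a ZIP header")
    with zipfile.ZipFile(io.BytesIO(xor_bytes(blob, key))) as zf:
        return zf.namelist()


def build_sample_blob(key: int = 0x5A) -> bytes:
    """Constructed stand-in for the encrypted archive inside the fake launcher."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("launcher.py", "print('stage-two placeholder')\n")
        zf.writestr("stage2.bin", b"\x00" * 64)
    return xor_bytes(buf.getvalue(), key)


if __name__ == "__main__":
    sample = build_sample_blob()
    print("recovered key:", hex(recover_single_byte_key(sample)))
    print("members:", list_payload(sample))
```

If a real sample does not yield a key, the scheme is not single-byte XOR and the same header check can be extended to a repeating key of small length.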
HijackLoader: The Modular Second-Stage Loader
RenEngine’s real sophistication emerges when it loads HijackLoader, a modular loader family first spotted in 2023. HijackLoader is notable for:
- Using DLL hijacking and process hollowing techniques to evade detection.
- Injecting its payload into legitimate system processes.
- Supporting multiple modules for different purposes.
The loader’s mechanics can be summarized as:
- The embedded payload (from the .temp directory) overwrites a standard system DLL (e.g., dbghelp.dll) in memory.
- HijackLoader then prepares configuration parameters for the next stage.
- Using Windows APIs such as ZwCreateSection and ZwMapViewOfSection, the loader reconstructs PE files in memory without writing them to disk (a common stealth technique).
- It then executes the payload within child processes like explorer.exe, evading file-based detection.
These steps demonstrate an advanced use of in-memory injection, shared memory sections, and process creation control to reduce observable footprint on disk.
Final Payloads: Information Stealers
Lumma Stealer
Lumma Stealer is a widely observed malware family used by affiliates as part of Malware-as-a-Service (MaaS). It targets:
- Browser credentials, cookies, and histories.
- Cryptocurrency wallets and extensions.
- System information and local files.
Key capabilities include:
- Direct system calls instead of WinAPI to evade behavioral detection.
- Obfuscation and delayed execution to appear benign to security solutions.
- Exfiltration via HTTP POST to remote C2 infrastructure or fallback via legitimate platforms (Steam, Dropbox, Telegram).
Distribution methods for Lumma often include phishing, fake CAPTCHAs, malicious mods, or cracked binaries, making it flexible and persistent in various high-volume campaigns.
ACR Stealer
In later stages of the campaign (notably in 2026), the final payload has shifted towards ACR Stealer, another infostealer with broad data harvesting capabilities. ACR Stealer similarly extracts:
- Browser profiles and credentials.
- Wallet extensions and crypto-related artifacts.
- System metadata.
ACR’s initial distribution spike was observed in early 2025, often distributed by loaders such as HijackLoader and via cracked software campaigns.
Technical Indicators and IoCs
Beyond behavior, analysts have extracted several high-confidence Indicators of Compromise:
- Filenames like setup_game_8246.zip used for the malicious archive.
- Hashes matching stealer families (Lumma, ACR).
- Known malicious hosts such as dodi-repacks.site and go.zovo.ink linked to initial downloads.
These IoCs help threat hunters correlate large datasets and identify campaigns across infrastructure footprints.
Geographic and Distribution Patterns
Telemetry data shows that this infection campaign is broad and non-targeted, affecting users in:
- Russia
- Brazil
- Turkey
- Spain
- Germany
- Others worldwide.
The pattern suggests mass distribution via public download platforms, not highly targeted espionage.
Defense and Mitigation
From a defensive posture, key mitigations against RenEngine-style campaigns include:
- Avoid pirated or cracked software, which remains the primary bait vector.
- Use behavioral detection systems that flag suspicious process injection or DLL manipulation.
- Harden sandboxes and analysis VMs against environment fingerprinting, since early loader stages check for automated environments and stop before revealing later stages.
- Maintain updated endpoint detection and response tools that monitor for stealer behavior and outbound traffic anomalies.
Security teams can also incorporate known IoCs into SIEM and EDR tools to increase automated detection probability.
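As an added example of turning the IoCs above into a SIEM-style check (not code from the report), the script below scans a constructed web-proxy log for the two reported hosts and for the archive-name pattern. The filename regex generalises the single reported name setup_game_8246.zip to any digits, which is an assumption; every log line and non-IoC host in it is constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Hosts named in the report's IoC section.
IOC_HOSTS = {"dodi-repacks.site", "go.zovo.ink"}
# Generalised from the one reported filename, setup_game_8246.zip (assumption).
ARCHIVE_NAME_RE = re.compile(r"/setup_game_\d+\.zip$", re.IGNORECASE)
# Constructed log format: "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


@dataclass
class Hit:
    timestamp: str
    client: str
    url: str
    reason: str


def check_line(line: str) -> Optional[Hit]:
    """Return a Hit when the request matches a campaign host or archive name."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, _method, url, _status = m.groups()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in IOC_HOSTS:
        return Hit(ts, client, url, f"known campaign host {host}")
    if ARCHIVE_NAME_RE.search(parts.path):
        return Hit(ts, client, url, "setup_game_<digits>.zip download pattern")
    return None


def scan(lines) -> List[Hit]:
    return [h for h in (check_line(l) for l in lines) if h is not None]


# Constructed sample proxy log; hosts other than the two IoCs are placeholders.
SAMPLE_LOG = [
    "2026-02-03T10:12:44Z 10.0.0.21 GET https://dodi-repacks.site/free-download-now 200",
    "2026-02-03T10:13:02Z 10.0.0.21 GET https://go.zovo.ink/dl/1 302",
    "2026-02-03T10:13:40Z 10.0.0.21 GET https://files.example/share/setup_game_8246.zip 200",
    "2026-02-03T10:14:01Z 10.0.0.34 GET https://updates.example/patch.zip 200",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.client} {hit.reason}: {hit.url}")
```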
Conclusion
The RenEngine malware campaign illustrates an advanced, multi-stage infection pipeline where threat actors leverage legitimate-looking content to trigger deep internal compromise. Through layered loaders like RenEngine and HijackLoader and the final deployment of high-risk stealers like Lumma and ACR, attackers can exfiltrate sensitive data with stealth and persistence.
Understanding the technical nuances of this campaign—from sandbox evasion to in-memory injection and sophisticated exfiltration techniques—is essential for defenders in both enterprise and research contexts.
