Cybersecurity Experts Uncover a Long-Running Malware Campaign
Cybersecurity specialists have recently turned their attention to a protracted hacking campaign cleverly disguised as installers for pirated games. Within these distributions lies a malicious component known as the RenEngine Loader, which operates stealthily, allowing it to evade detection by system owners for extended periods.
The scheme is elegantly simple. A user, lured by the promise of a “free” game, reaches for a torrent, launches the installer, and receives exactly what they were seeking. The game starts, the menu opens, and no alarming signals are triggered.
However, behind the scenes, the RenEngine Loader quietly embeds itself, ensuring that gameplay remains uninterrupted. It does not disrupt the system or demand any immediate actions, allowing it to go unnoticed. Its primary objective is to lay the groundwork for future exploits.
Researchers from Cyderes have determined that this campaign has been active since at least April 2025 and shows no signs of abating. The malicious code masquerades as an innocuous launcher based on Ren’Py, leading users to perceive the infection as a natural part of the installation process. This aspect renders the threat particularly insidious; users remain confident that everything is proceeding as planned while their systems have already welcomed an unwelcome guest.
Once established within the system, the loader plays a long game. It does not necessarily exfiltrate data immediately; instead, it often opens a channel for subsequent actions, pulling in additional modules.
In conjunction with HijackLoader, the loader leaves the system open to stealers designed to harvest credentials, passwords, and other information whose theft typically raises little suspicion. Externally, everything appears unchanged: the game continues to entertain, while background activity remains undetected.
The bait consists of titles that consistently rank high in search queries for pirated games. Reports frequently mention titles from Electronic Arts and Ubisoft, alongside well-known franchises such as Far Cry, FIFA, Need for Speed, and Assassin’s Creed. These names regularly appear in repacks, allowing infected builds to blend seamlessly into the general flow and evade scrutiny. Because the game launches without a hitch, users may spend weeks enjoying what they believe to be successful “savings,” oblivious to the foreign code lurking within their systems.
Statistics in such cases require careful interpretation. Telemetry has recorded over 400,000 inquiries related to this distribution chain. While this does not equate directly to the same number of infected computers, the scale remains impressive. The average detection rate hovers around 5,000 incidents per day, with Russia ranking fourth in these observations, trailing behind India, the United States, and Brazil.