Kaspersky Alerts Users to RenEngine Malware Spread via Pirated Software
Kaspersky’s Threat Research team has revealed the presence of the malicious RenEngine loader, first detected in March 2025, targeting users seeking unlicensed software, including graphic design tools such as CorelDRAW, not limited to pirated games.
The malware campaign involves dozens of websites distributing the threat, with attacks observed in Russia, Brazil, Turkey, Spain, Germany, and other countries. The spread appears opportunistic and random, rather than specifically targeted.
Initially, RenEngine delivered the Lumma Stealer malware, while current attacks distribute ACR Stealer as the final payload, with some infection chains also carrying Vidar. The malware exploits modified versions of games built on the Ren’Py visual novel engine, displaying a fake loading screen while malicious scripts run in the background.
Kaspersky emphasizes that its security solutions have been protecting users since the malware’s first detection and urges caution against downloading software or games from untrusted sources.