Researchers observed a mass campaign distributing pirated games that deliver a previously unknown loader, RenEngine, via a modified Ren’Py-based launcher which installs HijackLoader and ultimately deploys stealers such as Lumma and ACR Stealer. Kaspersky detects samples as Trojan.Python.Agent.nb / HEUR:Trojan.Python.Agent.gen and notes extensive use of XOR decryption, DLL overwriting, process injection, and transacted file techniques. #RenEngine #HijackLoader
Key points
- Attackers distributed RenEngine disguised as pirated games and software (including fake CorelDRAW releases) on dozens of websites and redirected download links to infected archives.
- Initial infection uses Python scripts embedded in the game files that simulate endless loading, check for sandboxes, XOR-decrypt payloads, and unpack components into a .temp directory.
- The attack chain leverages a modified legitimate executable and patched DLL (cc32290mt.dll) to load decrypted shellcode into a system library (dbghelp.dll) in memory, producing the HijackLoader implant.
- HijackLoader is modular: it encrypts configuration (XOR), writes staged payloads to disk via Windows transacted file operations, maps them into memory (ZwCreateSection / ZwMapViewOfSection), and injects into a child explorer.exe process.
- Final payloads observed include the Lumma stealer (earlier) and ACR Stealer (current campaign); Vidar was also found in some incidents.
- Incidents are broad (not targeted) with highest detection counts in Russia, Brazil, Türkiye, Spain, and Germany; mitigation advice emphasizes installing software from trusted sources and using behavior-based security.
MITRE Techniques
- [T1204] User Execution – Socially engineered downloads and fake game launch trigger execution: (‘When the “game” was launched, the download process would stop at 100%… the “real” malicious code just started working.’)
- [T1036] Masquerading – Malware distributed under the guise of hacked/pirated games and legitimate software such as CorelDRAW and Ahnenblatt: (‘attackers distributed the malware under the guise of a hacked game on a popular gaming web resource.’)
- [T1027] Obfuscated Files or Information – XOR encryption/decryption used for payloads and configuration: (‘is_sandboxed function for bypassing the sandbox and xor_decrypt_file for decrypting the malicious payload.’)
- [T1574] Hijack Execution Flow – Overwriting and using a system DLL (dbghelp.dll) as an in-memory container to launch the first-stage payload: (‘The dbghelp.dll system library is used as a “container” to launch the first stage of the payload. It is overwritten in memory with decrypted shellcode…’)
- [T1055.012] Process Hollowing / Section Mapping – Staged payload written via transacted file, loaded with ZwCreateSection and mapped into a child process, then executed in explorer.exe: (‘the payload is written to a temporary file on disk using the transaction mechanism… After that, the payload is loaded from the temporary file into the address space of the current process using the ZwCreateSection call… injects the payload into it by creating a shared memory region with the ZwMapViewOfSection call.’)
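The XOR-encrypted payloads mentioned in the key points and under T1027 are a recurring triage problem: an analyst pulls an opaque blob out of the .temp directory and needs the key before any further analysis. The following is an added example (not code from the Securelist report or from the malware) of a generic repeating-key XOR recovery for PE payloads; the key, the sample buffer and the key length bound are constructed for the demo, and nothing here is the campaign's own decryption routine.

```python
from collections import Counter
from itertools import cycle

# Constructed demo values: neither the key nor the payload comes from the campaign.
DEMO_KEY = b"RenEngine_demo_key"
DOS_STUB = b"This program cannot be run in DOS mode.\r\n"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_pe(blob: bytes) -> bool:
    """Structural PE check: MZ magic plus a PE signature where e_lfanew points."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return 0x40 <= e_lfanew <= len(blob) - 4 and blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_xor_key(cipher: bytes, max_key_len: int = 32):
    """Guess the repeating XOR key of an encrypted PE image, or return None.

    PE images are dominated by 0x00 bytes, so for a key of period k the most
    frequent byte in every k-th ciphertext stripe is almost always key[j] ^ 0.
    A guess is accepted only if the decrypted buffer has a valid PE structure.
    """
    for k in range(1, max_key_len + 1):
        key = bytes(Counter(cipher[j::k]).most_common(1)[0][0] for j in range(k))
        if looks_like_pe(xor_bytes(cipher, key)):
            return key
    return None


def build_sample_pe() -> bytes:
    """Constructed stand-in for a dropped PE: MZ header, e_lfanew, PE signature, stub text."""
    buf = bytearray(512)
    buf[0:2] = b"MZ"
    buf[0x3C:0x40] = (0x80).to_bytes(4, "little")
    buf[0x80:0x84] = b"PE\x00\x00"
    buf[0x100:0x100 + len(DOS_STUB)] = DOS_STUB
    return bytes(buf)


if __name__ == "__main__":
    encrypted = xor_bytes(build_sample_pe(), DEMO_KEY)
    print("encrypted blob passes PE check:", looks_like_pe(encrypted))
    print("recovered key:", recover_xor_key(encrypted))
```

The frequency heuristic fails on packed or compressed payloads where zeros no longer dominate; in that case a known-plaintext crib on the DOS header is the usual fallback.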
Indicators of Compromise
- [File hash] Distributed/infected artifacts – 12EC3516889887E7BCF75D7345E3207A (setup_game_8246.zip), 1E0BF40895673FCD96A8EA3DDFAB0AE2 (cc32290mt.dll), and 2 more hashes.
- [File name] Malicious or modified components used in the chain – DKsyVGUJ.exe (renamed Ahnenblatt4.exe), cc32290mt.dll (patched library), and other modules such as dbghelp.dll, pla.dll, hap.eml.
- [Malicious domains] Distribution sites hosting infected archives – hxxps://hentakugames[.]com/country-bumpkin, hxxps://dodi-repacks[.]site, and 10 more domains used to distribute RenEngine.
- [C2 / callback domains] Lumma stealer command-and-control and profile links – hxxps://steamcommunity[.]com/profiles/76561199822375128, hxxps://localfxement[.]live, and 8 more C2-related domains.
Read more: https://securelist.com/renengine-campaign-with-hijackloader-lumma-and-acr-stealer/118891/