Kaspersky Threat Research, a cybersecurity firm, has uncovered a growing malware threat known as RenEngine, a malicious software loader being spread through pirated games and cracked software downloads.
Researchers first detected RenEngine samples as early as March 2025, with Kaspersky’s security products already defending users at that time, the firm said.
Initially tied to pirated game downloads, investigators have now found dozens of websites hosting the malware under the guise of cracked productivity software, including graphics editing tools such as CorelDRAW.
This broadens the scope of the threat beyond the gaming community to anyone seeking unlicensed applications online. The analysis revealed that the campaigns observed so far are opportunistic rather than targeted, with incidents recorded in countries including Russia, Brazil, Turkey, Spain and Germany.
How the malware works
The RenEngine threat hides within installers for supposedly ‘free’ games or software. When users run these files, a fake loading screen is shown while malicious code executes quietly in the background.
The embedded scripts perform detection checks, including sandbox evasion, and decrypt a stage-two payload that begins a multi-phase infection using a tool known as HijackLoader.
In earlier activity, RenEngine delivered the Lumma stealer malware to compromised machines. Recent campaigns have shifted toward deploying the ACR Stealer, and analysts also reported instances of the Vidar Stealer being used in some infection chains.
Kaspersky’s products identify the loader as Trojan.Python.Agent.nb and HEUR:Trojan.Python.Agent.gen, while HijackLoader is flagged under names such as Trojan.Win32.Penguish and Trojan.Win32.DllHijacker.
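As an added example (not code from Kaspersky or from the original article), the verdict names above can drive a per-host triage of antivirus events: a HijackLoader verdict means the first-stage loader already ran on that machine. The log line format, host names, timestamps and priority rules are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Verdict names exactly as quoted in the article, mapped to the stage they indicate.
STAGE_BY_VERDICT = {
    "Trojan.Python.Agent.nb": "loader",
    "HEUR:Trojan.Python.Agent.gen": "loader",
    "Trojan.Win32.Penguish": "hijackloader",
    "Trojan.Win32.DllHijacker": "hijackloader",
}

# Assumed (hypothetical) log format: "<time> host=<name> verdict=<name> action=<blocked|detected>"
LINE_RE = re.compile(r"^(\S+) host=(\S+) verdict=(\S+) action=(\S+)$")

# Constructed sample events; not real telemetry.
SAMPLE_LOG = """\
2025-03-10T09:14:02Z host=ws-017 verdict=HEUR:Trojan.Python.Agent.gen action=blocked
2025-03-10T09:20:41Z host=ws-022 verdict=Trojan.Python.Agent.nb action=detected
2025-03-10T09:21:05Z host=ws-022 verdict=Trojan.Win32.Penguish action=detected
2025-03-10T09:30:00Z host=ws-030 verdict=Trojan.Win32.DllHijacker action=blocked
2025-03-10T09:40:00Z host=ws-040 verdict=Trojan.Python.Agent.nb action=detected
2025-03-10T09:41:00Z host=ws-031 verdict=Constructed.Unrelated.Verdict action=detected
malformed line
"""

def triage(log_text):
    """Return {host: priority} for hosts with RenEngine-related verdicts."""
    stages = defaultdict(set)   # host -> stages of the chain seen on it
    unblocked = set()           # hosts with at least one event that was not blocked
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        stage = STAGE_BY_VERDICT.get(m.group(3)) if m else None
        if stage is None:
            continue            # malformed line or verdict unrelated to this campaign
        host, action = m.group(2), m.group(4)
        stages[host].add(stage)
        if action != "blocked":
            unblocked.add(host)
    result = {}
    for host, seen in stages.items():
        if "hijackloader" in seen:
            result[host] = "high"    # second stage reached: the loader already executed
        elif host in unblocked:
            result[host] = "medium"  # loader seen but not stopped
        else:
            result[host] = "low"     # loader blocked before the second stage
    return result
```

Because the article reports that the chain ends in a stealer (Lumma, ACR Stealer or Vidar), hosts rated "high" are the ones where credential resets should be considered alongside cleanup.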
Expert advice
Pavel Sinenko, a lead malware analyst at Kaspersky, emphasised that the technique isn’t limited to games and that attackers are exploiting unlicensed software distribution to reach a wider range of victims.
Users are urged to download software only from official sources, maintain updated security protections, and remain cautious of offers that seem ‘too good to be true.’
As the malware landscape continues to evolve, the RenEngine case highlights the risks associated with pirated content and the importance of robust cybersecurity practices across both personal and professional environments.
