Pirated PC games are delivering password-stealing malware
2026-6-8 10:53:6 Author: www.malwarebytes.com

A new Windows malware campaign hides inside pirated PC games and modified installers for franchises like Far Cry, Need for Speed, FIFA, and Assassin’s Creed.

Researchers estimate that more than 400,000 devices worldwide have been infected, with around 30,000 users in the US.

The infection method is simple and effective. Users are lured into installing a fully functional free game. While the cracked and repacked game appears to work, the malware installs silently in the background.

The strain is being called “RenEngine loader” and is sometimes referred to as Ren’Py, because parts of the malicious code are embedded in a legitimate Ren’Py launcher used to run some visual novel games. When the launcher runs, it decompresses the game files and secretly starts the infection chain.

Ren’Py is a legitimate, open-source visual novel engine used by developers to make story-driven games with text, images, sound, and interactive choices. The malware in this case is not Ren’Py itself. Attackers are abusing the engine or its launcher as a delivery method to hide malicious code inside pirated game installs.

In practice, the primary infection vector is software piracy. Victims download cracked games or repacked installers from unofficial sites, then run what looks like a normal game launcher or setup file. In reality, they’re infecting their computer with a malware loader.

At the time of writing, this loader is trying to deliver an infostealer called ARC, which can grab saved browser passwords, cookies, cryptocurrency wallets, autofill data, system details, and clipboard contents.

But we’ve also seen other payloads being dropped, including Rhadamanthys stealer, Async Remote Access Trojan (RAT), and Backdoor.XWorm, which can expand the damage from credential theft to full remote control of the machine. That can mean account takeovers, financial fraud, crypto theft, and deeper compromise of personal or work data.

Worst of all, a user may not realize they are infected until usernames and passwords have been stolen or the machine starts behaving strangely. 

How to stay safe

The most important lesson here is that “free” cracked software is often a delivery mechanism for malware, not a bargain. Once a loader like this is on the machine, the real goal is usually to steal credentials or install a secondary payload that is more persistent and more damaging.

Some other general advice to stay safe:

  • Don’t download installers from unofficial sources.
  • Use real-time, up-to-date anti-malware protection to block loaders.
  • Keep your software up to date, especially Microsoft patches and other security-related programs.

If you think your computer is infected and want to make sure, follow the instructions posted here. The amazing volunteers on our forums will help you through the process of cleaning your machine.



About the author

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.


Article source: https://www.malwarebytes.com/blog/threat-intel/2026/06/pirated-pc-games-are-delivering-password-stealing-malware