Cyderes’ Howler Cell Threat Research uncovers stealer campaign targeting gamers


Cyderes’ Howler Cell Threat Research Team has uncovered an active and highly sophisticated stealer campaign that has been operating since at least April 2025 and remains ongoing.

During this investigation, the team identified and named a previously unreported malware family, RenEngine Loader, after discovering malicious logic embedded within what appears to be a legitimate Ren’Py-based game launcher. In parallel, the team analyzed a new variant of HijackLoader used in the same campaign.

This variant introduces several never-before-seen capabilities, including the modules ANTIVMGPU, ANTIVMHYPERVISORNAMES, and ANTIVMMACS. Several attack chains also incorporated additional stealer families, such as Vidar and ACR.
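The three module names above describe environment checks on the GPU, on hypervisor vendor strings and on MAC addresses, and the report later describes RenEngine Loader's own sandbox scoring. The following is an added example, not code from the Cyderes report, RenEngine Loader or HijackLoader: it runs that kind of scoring offline over a host-fingerprint dictionary. The OUI prefixes and vendor strings are public values; the weights, the threshold and the two sample fingerprints are constructed for the demonstration and are not values recovered from the malware.

```python
"""Sandbox/VM scoring over a host fingerprint (added example, not the malware's code)."""

# IEEE OUI prefixes registered to virtualization vendors (public registry data).
VM_MAC_OUIS = {
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:1c:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
    "00:15:5d": "Hyper-V",
    "52:54:00": "QEMU/KVM",
    "00:16:3e": "Xen",
    "00:1c:42": "Parallels",
}
# Substrings seen in CPUID hypervisor vendor leaves and SMBIOS/WMI model strings.
HYPERVISOR_NAMES = ("vmware", "vbox", "virtualbox", "qemu", "kvm", "xen", "hyper-v",
                    "microsoft hv", "parallels", "bochs", "tcgtcg")
# Display adapters that exist only inside a VM, plus the generic adapter a
# driverless box reports (also seen on bare metal, so it gets a lower weight).
VM_GPU_NAMES = {"vmware svga": 3, "virtualbox graphics": 3, "qxl": 3, "hyper-v video": 3,
                "bochs": 3, "parallels display": 3, "basic display adapter": 1}

WEIGHT_MAC, WEIGHT_HV = 2, 4
THRESHOLD = 4  # assumed: one hypervisor string, or two weaker hits, aborts execution


def score_environment(fp: dict) -> tuple:
    """Return (score, reasons). fp has list-valued keys 'macs', 'hypervisor_strings', 'gpus'."""
    score, reasons = 0, []
    for mac in fp.get("macs", ()):
        oui = mac.lower().replace("-", ":")[:8]
        if oui in VM_MAC_OUIS:
            score += WEIGHT_MAC
            reasons.append(f"MAC {mac}: OUI registered to {VM_MAC_OUIS[oui]}")
    for s in fp.get("hypervisor_strings", ()):
        hit = next((n for n in HYPERVISOR_NAMES if n in s.lower()), None)
        if hit:
            score += WEIGHT_HV
            reasons.append(f"hypervisor string {s!r} contains {hit!r}")
    for g in fp.get("gpus", ()):
        hit = next((n for n in VM_GPU_NAMES if n in g.lower()), None)
        if hit:
            score += VM_GPU_NAMES[hit]
            reasons.append(f"GPU {g!r} matches {hit!r}")
    return score, reasons


def looks_like_analysis_box(fp: dict) -> bool:
    """The decision a loader would take: abort when the score reaches the threshold."""
    return score_environment(fp)[0] >= THRESHOLD


# Constructed fingerprints: a default VMware analysis VM and a physical gaming PC.
SANDBOX_FP = {
    "macs": ["00:0C:29:3A:5B:6C"],
    "hypervisor_strings": ["VMwareVMware", "VMware Virtual Platform"],
    "gpus": ["VMware SVGA 3D"],
}
PHYSICAL_FP = {
    "macs": ["3C:7C:3F:11:22:33"],
    "hypervisor_strings": ["Dell Inc.", "XPS 8950"],
    "gpus": ["NVIDIA GeForce RTX 3060"],
}

if __name__ == "__main__":
    for label, fp in (("sandbox", SANDBOX_FP), ("physical", PHYSICAL_FP)):
        score, reasons = score_environment(fp)
        print(f"{label}: score={score} abort={looks_like_analysis_box(fp)}")
        for r in reasons:
            print("   ", r)
```

Read defensively, the list is what an analysis VM has to hide before a sample of this kind will run: a non-vendor MAC, a spoofed SMBIOS model and CPUID vendor leaf, and a non-virtual GPU name, rather than any single one of them.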

A defining characteristic of this campaign is its scale and sophistication. It exploits cracked games: illegally modified game installers that let users download and play commercial titles without paying. While these cracked games appear functional, they silently deliver embedded malware alongside the playable content.

Compromised game titles observed in this campaign include Far Cry, Need for Speed, FIFA and Assassin’s Creed.

The analysis indicates that more than 400,000 global victims have been impacted, with the operation continuing to infect over 5,000 new victims per day. The threat actors blend compelling social-engineering techniques with a stealthy, multi-stage execution chain designed to bypass security controls and impede analysis.

By embedding a modular, stealth-focused second-stage loader inside a legitimate Ren’Py launcher, the attackers closely mimic normal application behavior, significantly reducing early detection.

Key characteristics of this advanced, high-impact campaign include:

Operational scale and persistence: Sustained activity since April 2025 reflects mature operations, repeatable delivery mechanisms, and highly effective victim acquisition.

Blended execution flows: Leveraging a legitimate Ren’Py launcher enables malicious processes to masquerade as normal application behavior, increasing execution success rates and hindering early detection.

Multi-stage, modular architecture: RenEngine Loader decrypts, stages, and transfers execution to HijackLoader, enabling rapid tooling evolution and flexible capability deployment.

Defense-evasion by design: RenEngine Loader employs extensive sandbox and environment checks, layered encoding/decoding (Base64 + XOR), and execution of packaged scripts from Ren’Py archives, techniques that reduce static visibility and disrupt automated analysis.

Enhanced HijackLoader stealth: HijackLoader uses multiple evasion techniques, including Heaven’s Gate, process hollowing, process doppelgänging, and call-stack spoofing.

In this campaign, it is stealthily deployed through DLL side-loading and module stomping, with process doppelgänging used in the final phase.

High-Level Attack Chain Overview

Initial Access: Victims are enticed into executing cracked or modded game installers
distributed via piracy platforms.

Stage 1 – RenEngine Loader: Embedded within a legitimate Ren’Py launcher, it executes a malicious Python script packaged as a Ren’Py archive. It then performs environment validation (including sandbox checks), decodes configuration data, decrypts staged content, and launches the next phase.

Stage 2 – HijackLoader: A newly observed variant with expanded capabilities. It employs DLL side-loading and module stomping to load malicious modules while blending into trusted process flows.

Final Payload – ACR Stealer: The ultimate payload exfiltrates sensitive data, including browser credentials, cookies, cryptocurrency wallets, and system information, to attacker-controlled infrastructure.

Bottom Line

This campaign is far from a commodity “grab-and-go” infection chain. It is a high-volume, long-running, and technically mature operation that combines trusted application execution paths, staged decryption, modular payload delivery, and extensive evasion techniques. The result is an intrusion chain that is difficult to triage, resistant to automated sandboxing, and capable of sustaining large-scale victimization over extended periods.

Victim Analytics

The Howler Cell Threat Research Team traced the origin of the RenEngine Loader campaign to early April 2025, and it remains active to date. Variants observed since early October include an additional function that reads the value of the pub field from the decoded configuration and appends it to a GET request sent to the campaign’s analytics tracking endpoint.

The OSINT hunt and the analysis of victim-analytics dumps and logs confirm that telemetry tracking was added to the loader on October 14, 2025. The campaign is still active. The analytics data indicates approximately 400k global distributions reaching the telemetry server, whose address is embedded in the malware. Exact victim counts cannot be confirmed because visibility into the available telemetry data is limited.

The data covers daily telemetry from October 2025 through early January 2026 and shows a clear, steady growth pattern over time.

The data shows a gradual increase starting in mid-October, strong and sustained growth from mid-November onward, and a peak in December with stable volume across all metrics.

On average, approximately 5,000 new check-ins reach the telemetry tracker globally each day. The highest concentration of victims has been observed in India, the United States, and Brazil.

The telemetry URL is embedded in the malware and can be reached whenever the malicious RenEngine loader executes.
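The Base64 + XOR configuration layer listed under the key characteristics and the pub field read from that configuration for the telemetry GET request are related pieces of one mechanism. The following is an added example, not code from the Cyderes report or from RenEngine Loader: the report names the two encoding layers and the pub field, but does not publish the configuration layout, the key, the field order or the tracker host, so the JSON layout (with pub as the first field), the 4-byte repeating key and the host analytics.example.invalid are assumptions made for the demonstration. The request is built but never sent.

```python
"""Layered Base64 + XOR config decoding and the pub telemetry parameter (added example)."""
import base64
import json
from urllib.parse import urlencode

TELEMETRY_HOST = "analytics.example.invalid"  # placeholder, not the real tracker


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (its own inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_config(cfg: dict, key: bytes) -> str:
    """Packer side: JSON -> XOR -> Base64, the string a loader would embed."""
    return base64.b64encode(xor_bytes(json.dumps(cfg).encode(), key)).decode()


def decode_config(blob: str, key: bytes) -> dict:
    """Loader side: Base64 -> XOR -> JSON."""
    return json.loads(xor_bytes(base64.b64decode(blob), key))


def recover_repeating_key(blob: str, crib: bytes, key_len: int) -> bytes:
    """Known-plaintext recovery for analysts: if the plaintext starts with a known
    prefix (here a JSON field) at least one key period long, the key is simply
    ciphertext XOR crib; the rest of the crib confirms the guess."""
    ct = base64.b64decode(blob)
    if len(crib) < key_len:
        raise ValueError("crib must cover at least one full key period")
    key = xor_bytes(ct[:key_len], crib[:key_len])
    if xor_bytes(ct[:len(crib)], key) != crib:
        raise ValueError("crib does not fit a repeating key of this length")
    return key


def telemetry_url(cfg: dict) -> str:
    """Build (but do not send) the tracker request carrying the pub value."""
    return f"https://{TELEMETRY_HOST}/track?" + urlencode({"pub": cfg["pub"]})


# Constructed sample configuration and key (assumed layout, not recovered values).
CONFIG = {"pub": "demo-pub-id", "next_stage": "https://c2.example.invalid/stage2.bin"}
KEY = b"k3y!"
BLOB = encode_config(CONFIG, KEY)

if __name__ == "__main__":
    print("embedded blob:", BLOB)
    print("decoded:", decode_config(BLOB, KEY))
    print("recovered key:", recover_repeating_key(BLOB, b'{"pub": "', len(KEY)))
    print("telemetry GET:", telemetry_url(decode_config(BLOB, KEY)))
```

The key itself is normally sitting next to the blob in the launcher's script, so the crib step mostly matters when only the blob has been recovered (from memory or a log); the pub value is the more useful artifact, because once the real tracker host is known from a sample, a GET carrying that parameter is a straightforward proxy-log pivot.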

RenEngine Loader: Top 10 Countries of Users Reached

Country             # of users
India                   38,016
United States           31,317
Brazil                  25,220
Russian Federation      22,366
Egypt                   19,500
Turkey                  18,835
Spain                   18,109
Indonesia               15,790
Pakistan                15,426
France                  14,100

Attack Overview

Technical Analysis

Initial access occurs when users download pirated game installers from platforms that distribute cracks and game modifications. These installers are advertised as pre-activated or cracked versions of commercial games. Users often trust these files to bypass licensing controls or avoid paying for legitimate software.

In addition to full installers, users frequently download game mods to customize or enhance gameplay. These mods are treated as low risk by users and are often executed without verification.

The Howler Cell Threat Research Team identified a popular game mod and crack distribution site delivering information stealer malware through both installers and mod packages.

The triple-A game titles observed so far include Far Cry, Need for Speed, FIFA and Assassin’s Creed. (The researchers did not identify which versions or platforms were affected).

This delivery method relies on social trust within piracy communities rather than technical exploitation. That makes it effective against users with limited security awareness and minimal endpoint protections.

Targets attacked

All games distributed via hxxps[://]dodi-repacks[.]site present users with an initial fake “Download Setup” button that redirects to a MediaFire link hosting the RenEngine Loader. Based on the team’s research, this site began hosting cracked games in 2018.

dodi-repacks is a well‑known game repack distribution website that hosts cracked and repackaged versions of popular PC games, attracting a large global user base due to its frequent updates and wide catalogue. Because of its popularity and high traffic volume, this deceptive redirection mechanism has resulted in a significant number of victims.

This method lets the attacker rotate game versions easily, so it is difficult to name a single affected version; the most recent versions of the games are the ones most often seen in the attacks. Any game on that site may carry the attack, but the titles the firm confirmed and specifically investigated are listed below.

Avatar: Frontiers of Pandora

Assassin’s Creed

Hogwarts Legacy

Far Cry

Need for Speed

FIFA

RoadCraft

Deathloop: Deluxe Edition

Conclusion

RenEngine Loader marks a significant evolution in loader-based attack chains. Unlike traditional loaders, RenEngine leverages the legitimate Ren’Py visual-novel engine to embed malicious scripts within an otherwise normal game launcher, exploiting the engine’s archive packaging feature to evade static detection. This approach demonstrates a creative abuse of gaming frameworks for malware delivery, making RenEngine a novel and stealthy initial-stage loader.

RenEngine’s capabilities extend beyond simple payload delivery. It decodes its configuration dynamically through layered Base64 and XOR encoding, and it uses a sandbox-scoring mechanism to ensure execution only on real user environments.

It also integrates telemetry for infection tracking, enabling campaign operators to monitor victim distribution globally.

Its role as the first stage in a dual-loader chain (preceding HijackLoader) highlights a growing trend toward modular, multi-layered attack architectures. By combining RenEngine’s stealth and HijackLoader’s extensive module set, threat actors achieve persistence, privilege escalation, and flexible payload deployment.

This discovery underscores the need for behavioural detection strategies focused on:

  • Abuse of legitimate frameworks (e.g., Ren’Py).
  • Unusual archive formats and embedded Python scripts.
  • Sandbox evasion logic and staged decryption routines.
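The second bullet, unusual archives carrying embedded Python, is the one a responder can act on directly: the loader's script ships inside a Ren’Py archive (.rpa), and listing what such an archive contains does not require running the launcher. The following is an added example, not code from the Cyderes report or from the Ren’Py project: it packs a constructed sample archive in the RPA-3.0 layout (34-byte text header holding the index offset and an XOR key, a zlib-compressed pickled index at that offset, entry offsets and lengths XORed with the key) and then triages it. The sample file names and the list of loader-like tokens are constructed for the demonstration; note that compiled .rpyc scripts are normal in any Ren’Py game, so the flag to act on is a raw .py next to game assets, or loader-like tokens in readable script text, not script files as such.

```python
"""Ren'Py RPA-3.0 triage: list packed files and flag embedded scripts (added example)."""
import codecs
import io
import pickle
import re
import zlib

HEADER_LEN = 34  # b"RPA-3.0 " + 16 hex index offset + b" " + 8 hex key + b"\n"
SCRIPT_SUFFIXES = (".py", ".rpy", ".rpyc", ".rpym", ".rpymc")
# Tokens a game script rarely needs but a loader does (constructed triage list).
SUSPICIOUS = re.compile(rb"\b(base64|zlib|ctypes|subprocess|exec|__import__|urllib|socket)\b")

# Ren'Py's loader, like most RPA tools, unpickles the index. A crafted index can
# therefore run code at load time, so triage must not use the unrestricted
# pickle module: allow only the two globals protocol-2 pickles use to spell
# bytes objects, and refuse everything else.
_ALLOWED_GLOBALS = {("_codecs", "encode"): codecs.encode, ("builtins", "bytes"): bytes}


class _IndexUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        try:
            return _ALLOWED_GLOBALS[(module, name)]
        except KeyError:
            raise pickle.UnpicklingError(f"refusing global {module}.{name} in RPA index") from None


def build_rpa3(files: dict, key: int = 0x42424242) -> bytes:
    """Pack {name: bytes} into an RPA-3.0 archive (used here only to make the sample)."""
    out = io.BytesIO()
    out.write(b"\x00" * HEADER_LEN)  # header is written last, once the index offset is known
    index = {}
    for name, data in files.items():
        index[name] = [(out.tell() ^ key, len(data) ^ key, b"")]  # (offset, length, prefix)
        out.write(data)
    index_off = out.tell()
    out.write(zlib.compress(pickle.dumps(index, 3)))  # protocol 3 stores bytes natively
    out.seek(0)
    out.write(b"RPA-3.0 %016x %08x\n" % (index_off, key))
    return out.getvalue()


def read_rpa3(blob: bytes) -> dict:
    """Return {name: (offset, length, prefix)} with the XOR obfuscation removed."""
    if not blob.startswith(b"RPA-3.0 "):
        raise ValueError("not an RPA-3.0 archive")
    index_off = int(blob[8:24], 16)
    key = int(blob[25:33], 16)
    raw = _IndexUnpickler(io.BytesIO(zlib.decompress(blob[index_off:]))).load()
    index = {}
    for name, entries in raw.items():
        entry = entries[0]
        prefix = entry[2] if len(entry) == 3 else b""  # older archives use 2-tuples
        index[name] = (entry[0] ^ key, entry[1] ^ key, prefix)
    return index


def extract(blob: bytes, index: dict, name: str) -> bytes:
    off, length, prefix = index[name]
    return prefix + blob[off:off + length]


def triage(blob: bytes) -> list:
    """Return [(name, sorted loader-like tokens)] for every packed script file."""
    index = read_rpa3(blob)
    findings = []
    for name in sorted(index):
        if not name.lower().endswith(SCRIPT_SUFFIXES):
            continue
        hits = SUSPICIOUS.findall(extract(blob, index, name))
        findings.append((name, sorted({h.decode() for h in hits})))
    return findings


# Constructed sample: a normal asset, a normal Ren'Py script, and an embedded Python loader.
SAMPLE = build_rpa3({
    "images/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "game/script.rpy": b'label start:\n    "Hello"\n    return\n',
    "game/updater.py": b"import base64, zlib, ctypes\nexec(zlib.decompress(base64.b64decode(BLOB)))\n",
})

if __name__ == "__main__":
    for name, tokens in triage(SAMPLE):
        print(name, "->", ", ".join(tokens) or "no loader-like tokens")
```

On a real launcher directory the same two functions run over every .rpa file; a script whose name ends in .py, or whose text imports base64/zlib/ctypes and calls exec, is the point at which to stop and pull the sample rather than keep triaging.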