We disclose new details about campaigns involving RenEngine and HijackLoader malware. Since March 2025, attackers have been distributing the Lumma stealer in a complex chain of infections, and in February 2026, ongoing attacks using ACR Stealer became known.

Securelist is a cybersecurity blog and research platform operated by Kaspersky Lab. It offers insights, analysis, and reports on cybersecurity threats, vulnerabilities, and malware campaigns. Developers can learn about emerging cyber threats, security best practices, and mitigation strategies to protect their applications and systems. Additionally, Securelist provides insights into cybersecurity trends, threat intelligence, and industry developments, offering resources for cybersecurity professionals.

Securelist

Kaspersky researchers detail RenEngine, a malware loader distributed since March 2025 through pirated games and software. The loader uses modified Ren'Py game launchers to deploy HijackLoader, which then delivers info-stealing malware like Lumma and ACR Stealer. The attack chain involves sophisticated techniques including sandbox evasion, DLL hijacking, and multi-stage payload injection. Attacks are widespread across Russia, Brazil, Turkey, Spain, and Germany, targeting users downloading cracked games and software from malicious websites.

The game is over: when “free” comes at too high a price. What we know about RenEngine