Credential theft is once again being distributed through cracked game installers, but the most recent trend adds an odd twist: the malicious code conceals itself behind a Ren'Py game launcher. Now known as RenEngine, the loader silently sets up the subsequent attack chain while arriving with game repacks and mods that look and even function normally.
With an estimated 400,000 victims worldwide, the campaign has been going on since at least April 2025. According to the telemetry the researchers examined, there are roughly 5,000 new hits every day, with Brazil, the US, and India having the highest concentrations.
This scale matters because the initial lure depends on social trust within piracy communities rather than on a software vulnerability, so it is difficult to stop with patching alone. Cyderes researchers took note of the malware after identifying malicious logic embedded in what appeared to be a genuine Ren'Py-based launcher. In the same cases, they also examined a new version of HijackLoader that includes additional anti-analysis modules, such as checks for GPUs, hypervisor names, and VM-linked MAC addresses.
HijackLoader and RenEngine work together to create a dual-loader configuration that enables operators to rapidly switch payloads when defenses evolve. When a user runs the pirated installer, RenEngine decrypts it and starts the second step.
Overview of the attack (Source: Cyderes)
ACR Stealer is the final payload seen in this chain after HijackLoader is introduced via DLL side-loading and module stomping. ACR Stealer is designed to gather data from crypto wallets, browser passwords, cookies, and other system components, then transmit it to the attacker's infrastructure. Some chains have also delivered other stealers, such as Vidar.
The Ren'Py infection mechanism starts in the game folder, where Instaler.exe, a legitimate Ren'Py launcher, is misused to execute an archived script.rpa. The build removes the compiled .rpyc files and retains only plain .rpy files, making the scripts less visible to scans.
Zip-dropped files and directories (Source: Cyderes)
Before executing the next executable, RenEngine reads a local .key file, Base64-decodes it into JSON, and then XOR-decrypts an embedded archive using the password value.
Configuring the RenEngine loader (Source: Cyderes)
When sandbox checks are enabled, the loader scores the environment and silently exits if it concludes it is running in a virtual machine. As a precaution, block pirated installers and mods whenever you can.
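As an added triage example (not code from Cyderes or from this article), the following Python mirrors the staging just described so an analyst can check whether a recovered .key file and blob unwrap to a ZIP archive; the JSON layout beyond the "password" field, the repeating-key XOR, and the sample inputs are assumptions constructed here.

```python
import base64
import json
from itertools import cycle

ZIP_MAGIC = b"PK\x03\x04"  # local-file header every ZIP starts with


def make_key_file(password: str) -> str:
    """Build a .key file body: Base64 of JSON carrying a "password" value.
    The field name comes from the article; the rest of the schema is assumed."""
    return base64.b64encode(json.dumps({"password": password}).encode()).decode()


def parse_key_file(data: str) -> dict:
    """Base64-decode the .key file and parse the JSON it holds."""
    cfg = json.loads(base64.b64decode(data))
    if "password" not in cfg:
        raise ValueError("key file has no password field")
    return cfg


def xor_bytes(blob: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (assumed scheme; XOR is its own inverse)."""
    return bytes(b ^ k for b, k in zip(blob, cycle(key)))


def unwrap_archive(blob: bytes, key_file: str) -> tuple[bytes, bool]:
    """Decrypt the embedded archive with the .key password and report
    whether the result looks like a ZIP (a cheap sanity check for analysts)."""
    password = parse_key_file(key_file)["password"].encode()
    plain = xor_bytes(blob, password)
    return plain, plain.startswith(ZIP_MAGIC)


# Constructed sample inputs: a .key file and a ZIP header XOR'd with its password.
SAMPLE_KEY_FILE = make_key_file("s3cr3t-pw")
SAMPLE_BLOB = xor_bytes(ZIP_MAGIC + b"\x14\x00constructed-payload", b"s3cr3t-pw")

if __name__ == "__main__":
    plain, looks_like_zip = unwrap_archive(SAMPLE_BLOB, SAMPLE_KEY_FILE)
    print("ZIP header recovered:", looks_like_zip, plain[:6])
```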
Keep an eye out for aggressive VM checks, Base64/XOR staging, and Ren'Py launchers unpacking RPA content, and correlate these with suspicious DLL side-loading and unexpected credential-theft traffic across endpoints.