The Other Risk of Piracy

Kaspersky’s threat research team has dissected RenEngine, a malware loader first spotted in March 2025 that has been hiding in cracked video games and is now spreading through pirated commercial software such as CorelDRAW. The campaign shows how piracy sites have become prime hunting grounds for cybercriminals targeting users who skip cybersecurity basics for “free” downloads.

How RenEngine Sneaks In

The loader exploits Ren’Py, an open-source engine popular for visual novels and graphical games. Attackers inject malicious code into legitimate installers:

  • User launches what looks like a normal game or app setup.
  • A fake loading screen appears while background scripts run silently.
  • Scripts evade sandboxes, decrypt payloads and kick off multi-stage infections via tools like HijackLoader.

Initially paired with Lumma Stealer, recent waves deliver ACR Stealer and Vidar Stealer to harvest credentials, crypto wallets and personal data.

From Games to Productivity Apps: Wider Net

What began as game cracks has evolved into a broader assault on pirated pro tools:

  • Graphics editors (CorelDRAW, Photoshop clones)
  • Office suites and utilities
  • Dozens of fake download sites mimicking legit torrent hubs

Kaspersky analyst Pavel Sinenko notes: “Attackers aren’t just hitting gamers anymore—they’re using the same technique on cracked productivity software, exploding the victim pool. If a game engine skips resource integrity checks, malware runs the moment you launch it.”

Global Reach, Opportunistic Hits

Incidents span Spain, Russia, Brazil, Turkey, Germany and beyond. The pattern suggests scattershot attacks rather than precision espionage—anyone grabbing pirated software is fair game. Kaspersky detects RenEngine as Trojan.Python.Agent.nb or HEUR:Trojan.Python.Agent.gen.

Why Piracy = Malware Magnet

Users chasing cracks bypass:

  • Antivirus scans
  • Official update channels
  • Legit digital signatures

This creates a perfect attack surface. One “free” download can unlock persistent stealers that lurk for months.

Stay Safe: Practical Steps

  • Buy legit: Subscriptions beat one-time cracks long-term.
  • Scan everything: Even “trusted” torrents carry risks.
  • Sandbox installs: Test suspicious downloads in VMs.
  • Watch for fakes: Fake loading screens or odd permissions are red flags.
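
A triage check in the spirit of the "Scan everything" and "Sandbox installs" steps, added here as an example and not taken from Kaspersky's tooling: it walks an unpacked download and flags Ren'Py engine content in a package that has no reason to contain a game engine. The marker set (a `renpy/` directory and `.rpy`, `.rpyc`, `.rpa` files) reflects the usual Ren'Py project layout; the function names and the sample tree are assumptions constructed for the demo.

```python
import os
import tempfile
from pathlib import Path

# Ren'Py file types: .rpy (script), .rpyc (compiled script), .rpa (archive).
RENPY_EXTS = {".rpy", ".rpyc", ".rpa"}

def find_renpy_markers(root):
    """Return sorted relative paths that indicate a bundled Ren'Py runtime."""
    root = Path(root)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel = Path(dirpath).relative_to(root)
        # A "renpy" directory (top-level or nested) holds the engine itself.
        hits += [(rel / d).as_posix() + "/" for d in dirnames if d.lower() == "renpy"]
        hits += [(rel / f).as_posix() for f in filenames
                 if Path(f).suffix.lower() in RENPY_EXTS]
    return sorted(hits)

def triage(root, expects_renpy=False):
    """Flag a package that ships Ren'Py content it has no reason to contain."""
    markers = find_renpy_markers(root)
    if not markers:
        verdict = "no-renpy-content"
    elif expects_renpy:
        verdict = "renpy-expected"   # e.g. a visual novel; integrity still unverified
    else:
        verdict = "suspicious"       # e.g. a "graphics editor" bundling a game engine
    return {"verdict": verdict, "markers": markers}

def make_tree(base, rel_paths):
    """Create empty files under base (constructed sample data for the demo)."""
    for rel in rel_paths:
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.touch()

if __name__ == "__main__":
    # Constructed layout: an "installer" for productivity software with Ren'Py inside.
    with tempfile.TemporaryDirectory() as tmp:
        make_tree(tmp, ["Setup.exe", "renpy/common/00start.rpy",
                        "game/script.rpyc", "data/archive.rpa"])
        result = triage(tmp, expects_renpy=False)
        print(result["verdict"])
        for marker in result["markers"]:
            print("  ", marker)
```

An empty marker list does not mean a download is clean; it only rules out this one indicator.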

Piracy’s real cost isn’t just legal—it’s your data. RenEngine proves “free” software often comes with a hidden malware subscription.
