Widespread Malware Campaign Uses Pirated PC Games to Deliver "RenEngine" Loader and Infostealers

Pirated PC Games Infect 400,000+ Devices with "RenEngine" Password-Stealing Malware

MEDIUM
June 8, 2026
5m read
Malware, Phishing, Threat Actor

Impact Scope

People Affected

400,000+

Industries Affected

Other

Geographic Impact

United States (global)

Related Entities

Other

RenEngine, Rhadamanthys, AsyncRAT, Backdoor.XWorm

Full Report

Executive Summary

A widespread malware distribution campaign is targeting PC gamers, using pirated copies of popular titles to infect systems with a dangerous malware cocktail. Researchers reported on June 8, 2026, that over 400,000 devices worldwide have been compromised. The initial payload is a loader named "RenEngine," which is bundled with cracked installers for games like FIFA, Far Cry, and Assassin's Creed. While the game appears to run normally, RenEngine silently executes in the background, deploying secondary payloads. These have been observed to include the Rhadamanthys infostealer, AsyncRAT, and Backdoor.XWorm, escalating the threat from simple credential theft to full remote system compromise.


Threat Overview

This campaign leverages the high demand for pirated software in the gaming community as its primary distribution vector. Threat actors package the RenEngine loader with modified installers of AAA game titles and distribute them through torrent sites and other unofficial channels. Users who download and run these installers unknowingly infect their own systems.

The initial infection is stealthy. The loader takes its name from the legitimate Ren'Py game engine launcher it abuses: Ren'Py is a widely used, open-source engine, so its runtime components look unremarkable to basic detection. When the user launches the pirated game, the malicious code executes alongside it, establishing a foothold on the system and staging the download of further malware.

Technical Analysis

The attack chain is a classic example of malware bundling and dropper functionality:

  1. Initial Access: The user voluntarily downloads and executes a malicious game installer from an untrusted source. This falls under T1204.002 - User Execution: Malicious File.
  2. Execution & Defense Evasion: The installer drops both the legitimate game files and the malicious RenEngine loader. The loader is disguised as a legitimate component (the Ren'Py launcher), a form of masquerading (T1036 - Masquerading). It executes alongside the game, making its activity less suspicious.
  3. Command and Control: The RenEngine loader likely communicates with a C2 server to receive instructions and download the secondary payloads.
  4. Impact: The loader then deploys more potent malware strains:
    • Rhadamanthys: An information stealer designed to harvest credentials from browsers, cryptocurrency wallets, and other applications (T1555 - Credentials from Password Stores).
    • AsyncRAT: A Remote Access Trojan that gives the attacker full control over the victim's machine, enabling activities like keylogging, file manipulation, and webcam spying (T1219 - Remote Access Software).
    • Backdoor.XWorm: Another backdoor providing persistent remote access.

This multi-stage deployment allows the attackers to monetize the infection in various ways, from selling stolen credentials to using the compromised machine in a botnet.

Impact Assessment

With an estimated 400,000 infections globally (30,000 in the U.S.), the scale of this campaign is significant. The impact on individual victims can be severe:

  • Financial Loss: Theft of banking credentials, cryptocurrency, and other financial information.
  • Identity Theft: Compromise of personal accounts and sensitive data.
  • Privacy Invasion: The RAT capabilities allow attackers to spy on victims through their webcam and microphone and access all their personal files.
  • Further Compromise: Infected machines can be used to attack other systems on the victim's network or to participate in DDoS attacks.

The campaign highlights the persistent and high-risk nature of using pirated software. The promise of a free game often comes at the cost of total system and data compromise.

IOCs — Directly from Articles

No specific file hashes, IP addresses, or domains were mentioned in the source articles.

Cyber Observables — Hunting Hints

Security teams and individuals can hunt for signs of this malware:

  • Type: file_path
    Value: %AppData%\RenEngine\
    Description: A potential installation directory for the malware, inferred from its name; it is not confirmed in the source reporting, so treat it as a starting point rather than an indicator.
    Context: File system analysis, EDR.
  • Type: process_name
    Value: python.exe, pythonw.exe
    Description: The Ren'Py engine is built on Python, so a Ren'Py-based loader runs as a Python process. Look for Python processes that are not associated with a known application, in particular ones whose parent is a game executable or whose image path sits under a user-writable directory such as %AppData% or %TEMP%.
    Context: Task Manager, Process Explorer, EDR.
  • Type: network_traffic_pattern
    Value: Unusual DNS queries or connections from game processes
    Description: Monitor for game executables, and the processes they spawn, connecting to domains that are not associated with the game publisher.
    Context: DNS logs, NetFlow, EDR network monitoring.
  • Type: file_name
    Value: unins000.exe
    Description: unins000.exe is the uninstaller that Inno Setup-built installers drop into the install directory, and many repacked game installers are built with Inno Setup. Its presence is not malicious by itself; use it as a sign that such an installer ran, and look for it or the setup it belongs to executing from temporary or download directories and spawning unexpected child processes.
    Context: EDR, process creation logs.

Detection & Response

  • Antivirus/EDR: Ensure endpoint security solutions are up to date. They should be able to detect and block known loaders and stealers like Rhadamanthys and AsyncRAT based on signatures and behavior. D3FEND technique File Content Rules (D3-FCR) is relevant here.
  • Log Analysis: Monitor for processes being spawned from unusual locations, such as temporary download folders or AppData directories. Correlate process execution with network connections to suspicious domains.
  • User Education: The most effective defense is prevention. Educate users about the dangers of downloading and running software from untrusted sources.

Mitigation

  • Do Not Use Pirated Software: The simplest and most effective mitigation is to only obtain software from legitimate, official sources. The cost savings of pirated software are not worth the risk of total system compromise.
  • Application Control: Use application control solutions, such as Windows Defender Application Control, to restrict the execution of unauthorized applications. This can prevent the initial loader from running. This aligns with M1038 - Execution Prevention.
  • Principle of Least Privilege: Run user accounts without administrative privileges. This can prevent malware from making system-level changes and embedding itself for persistence.
  • Keep Systems Patched: While not a direct defense against this vector, keeping the operating system and applications patched reduces the overall attack surface that secondary payloads might try to exploit.

Timeline of Events

  1. June 8, 2026: Security researchers report on the 'RenEngine' malware campaign.
  2. June 8, 2026: This article was published.

MITRE ATT&CK Mitigations

The primary mitigation is user education on the dangers of downloading and installing pirated software from untrusted sources (M1017 - User Training).

Use application allowlisting or execution prevention policies to block the execution of unauthorized installers and executables (M1038 - Execution Prevention).

A modern antivirus or EDR solution can detect and block the known secondary payloads like Rhadamanthys and AsyncRAT (M1049 - Antivirus/Antimalware).

D3FEND Defensive Countermeasures

The most robust technical countermeasure against this type of threat is executable allowlisting. By configuring systems to only run executables that are signed by trusted publishers or have known, good hashes, the initial malicious installer from the pirated game would be blocked from running. While implementing a full allowlisting policy can be complex, modern tools like Windows Defender Application Control can be deployed in a more manageable way. This fundamentally prevents the attack chain from starting, as the user cannot execute the initial malicious file, regardless of how convincing the lure is.

Security teams should use an Endpoint Detection and Response (EDR) tool to perform behavioral analysis of running processes. For this specific campaign, a rule should be created to alert when a process associated with a game (e.g., fifa26.exe) spawns an unexpected child process, such as python.exe or powershell.exe, or makes network connections to domains not associated with the game publisher. This focus on anomalous behavior allows for detection even if the malware's signatures are unknown. It targets the point where the disguised RenEngine loader attempts to execute its malicious functions, providing a critical detection opportunity.
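The hunting hints above and the behavioral rule just described can be expressed as a small detection script. The block below is an added example for this write-up, not code from the page, from Malwarebytes or from the researchers. It runs over constructed Sysmon-style events (Event ID 1 for process creation, Event ID 3 for network connections) embedded as dicts, the way a SIEM export would be fed to a script; field names follow Sysmon's schema. The game executable names, the %AppData%\RenEngine path and the publisher-domain allowlist are assumptions for illustration, and the sample telemetry is constructed, not real victim data.

```python
r"""Hunting logic for the loader behaviour described above (added example, not
the page's or the researchers' code). Runs over constructed Sysmon-style events:
Event ID 1 = process creation, Event ID 3 = network connection. The game names,
the %AppData%\RenEngine path and the domain allowlist are assumptions."""
import re
from collections import Counter
from dataclasses import dataclass

# Assumed: interpreters/LOLBins a Ren'Py-based loader or its follow-on stages
# would plausibly run; python.exe and pythonw.exe come from the hunting hints.
SUSPICIOUS_CHILDREN = {"python.exe", "pythonw.exe", "powershell.exe",
                       "cmd.exe", "rundll32.exe", "mshta.exe"}
# Assumed (hypothetical names): game launchers expected on the endpoint.
GAME_IMAGES = {"fifa26.exe", "farcry6.exe", "acvalhalla.exe"}
# Assumed: registrable domains a legitimate game client may contact.
PUBLISHER_ALLOWLIST = {"ea.com", "ubisoft.com", "steampowered.com"}
# User-writable locations from the hunting hints; the RenEngine folder is a
# guess derived from the malware's name, not a confirmed indicator.
SUSPECT_DIRS = [re.compile(r"\\AppData\\Roaming\\RenEngine\\", re.I),
                re.compile(r"\\AppData\\Local\\Temp\\", re.I),
                re.compile(r"\\Downloads\\", re.I)]


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def in_suspect_dir(path: str) -> bool:
    return any(p.search(path) for p in SUSPECT_DIRS)


def registrable_domain(dest: str) -> str:
    """Crude eTLD+1 (last two labels): enough for a publisher allowlist.
    IP literals never match the allowlist and are therefore flagged."""
    parts = dest.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else dest.lower()


def check_process_create(ev: dict) -> list:
    """Event ID 1: parent/child anomalies and execution from suspect paths."""
    image, parent, host = ev["Image"], ev.get("ParentImage", ""), ev["Computer"]
    out = []
    # The D3FEND-section rule: a game executable spawning an interpreter.
    if basename(parent) in GAME_IMAGES and basename(image) in SUSPICIOUS_CHILDREN:
        out.append(Finding("game_spawns_interpreter", host, f"{basename(parent)} -> {image}"))
    if in_suspect_dir(image):
        out.append(Finding("exec_from_suspect_dir", host, image))
    # Second stage: a process already running from a suspect path spawns a shell.
    if in_suspect_dir(parent) and basename(image) in SUSPICIOUS_CHILDREN:
        out.append(Finding("suspect_dir_process_spawns_interpreter", host,
                           f"{parent} -> {basename(image)}"))
    return out


def check_network_connect(ev: dict) -> list:
    """Event ID 3: game or suspect-path processes talking to non-publisher hosts."""
    image, host = ev["Image"], ev["Computer"]
    dest = ev.get("DestinationHostname") or ev.get("DestinationIp", "")
    if not dest:
        return []
    if basename(image) in GAME_IMAGES and registrable_domain(dest) not in PUBLISHER_ALLOWLIST:
        return [Finding("game_to_unknown_domain", host, f"{basename(image)} -> {dest}")]
    if in_suspect_dir(image):
        return [Finding("suspect_dir_process_beacons", host, f"{image} -> {dest}")]
    return []


HANDLERS = {1: check_process_create, 3: check_network_connect}


def hunt(events) -> list:
    findings = []
    for ev in events:
        handler = HANDLERS.get(ev.get("EventID"))
        if handler:
            findings.extend(handler(ev))
    return findings


def summarize(findings) -> Counter:
    return Counter(f.rule for f in findings)


# Constructed sample telemetry from one host (not real victim data).
SAMPLE_EVENTS = [
    # Benign: user launches the game from Explorer.
    {"EventID": 1, "Computer": "PC1", "Image": r"C:\Games\FIFA26\fifa26.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Loader: the game spawns pythonw.exe out of a RenEngine folder in %AppData%.
    {"EventID": 1, "Computer": "PC1", "Image": r"C:\Users\bob\AppData\Roaming\RenEngine\pythonw.exe",
     "ParentImage": r"C:\Games\FIFA26\fifa26.exe"},
    # Second stage: that pythonw.exe launches PowerShell.
    {"EventID": 1, "Computer": "PC1",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\bob\AppData\Roaming\RenEngine\pythonw.exe"},
    # Benign: a legitimate Ren'Py title running its own bundled interpreter.
    {"EventID": 1, "Computer": "PC1",
     "Image": r"C:\Games\SomeVisualNovel\lib\py3-windows-x86_64\pythonw.exe",
     "ParentImage": r"C:\Games\SomeVisualNovel\SomeVisualNovel.exe"},
    # Benign: the game talks to its publisher's CDN.
    {"EventID": 3, "Computer": "PC1", "Image": r"C:\Games\FIFA26\fifa26.exe",
     "DestinationHostname": "cdn.ea.com"},
    # Suspicious: the game talks to a domain unrelated to the publisher.
    {"EventID": 3, "Computer": "PC1", "Image": r"C:\Games\FIFA26\fifa26.exe",
     "DestinationHostname": "payload.example.net"},
    # Suspicious: the loader beacons to a bare IP (TEST-NET-3, constructed).
    {"EventID": 3, "Computer": "PC1", "Image": r"C:\Users\bob\AppData\Roaming\RenEngine\pythonw.exe",
     "DestinationIp": "203.0.113.45"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Run as-is, the script reports five findings from the two malicious process events and the two non-publisher connections, while the user launching the game, the legitimate Ren'Py title running its bundled pythonw.exe, and the game contacting its publisher's CDN produce nothing. The parent-child and path checks are the part worth porting to an EDR or Sigma rule; the domain check needs a maintained allowlist per title, which is the usual operational cost of this kind of detection.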

On endpoints, especially for home users or in less-managed environments, a host-based firewall that blocks outbound connections by default and prompts per application can be highly effective. Note that Windows Defender Firewall allows outbound traffic by default and does not prompt for it, so this requires either a third-party firewall in interactive outbound mode or an explicit default-deny outbound policy with per-application allow rules. With such a configuration, launching the pirated game produces a prompt for the game executable; the user might allow that, but a subsequent prompt from an unexpected process such as python.exe (the hidden loader) trying to reach a C2 server is highly suspicious and gives the user a chance to block the communication and investigate further.


Sources & References

Pirated PC games are delivering password-stealing malware. Malwarebytes (malwarebytes.com), June 8, 2026.

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

RenEngine, Malware, Rhadamanthys, AsyncRAT, Gaming, Pirated Software, Infostealer
