A new strain of Windows-based malware has been circulating through pirated PC games and may have infected over 400,000 devices.
Researchers at cybersecurity vendor Cyderes are warning about the threat, which has been hiding inside cracked games and modified game installers for franchises including Far Cry, Need for Speed, FIFA, and Assassin’s Creed.
The malware has been dubbed “RenEngine loader” because some of the malicious code has been embedded inside a legitimate Ren’Py launcher, an engine used to run visual novel games. “While these cracked games appear functional, they silently deliver embedded malware alongside the playable content,” the researchers wrote.
The malware has been around since at least last April and remains active. Cyderes also uncovered evidence that the threat has infected over 400,000 victims globally; the count is visible because the malware was updated in October to include telemetry tracking. “The telemetry URL is embedded in the malware and can be reached whenever the malicious RenEngine loader executes,” the researchers added.

The telemetry tracker shows the malware is usually logging about 4,000 to 10,000 visitors per day, with the highest concentration of victims observed in India, the United States, and Brazil, the company’s report adds.

Cyderes points to one site, “dodi-repacks[.]site,” for hosting the malware-laden game downloads. The domain has been previously flagged in other malware campaigns.

The attack also leverages the Ren’Py launcher to archive the pirated game files. Executing the launcher decompresses the game files while secretly kicking off the malware’s installation. Cyderes spotted the RenEngine loader ultimately trying to deliver a Windows-based information stealer called ARC to harvest sensitive data from victim PCs, including “saved browser passwords, cookies, cryptocurrency wallets, and autofill information, along with system details and clipboard contents.”
“In other similar scenarios, we observed different payloads such as Rhadamanthys stealer, Async RAT, and XWorm delivered via RenEngine Loader,” which can also steal passwords or enable a hacker to remotely hijack the PC, Cyderes warned.

Except for Avast, AVG, and Cynet, it appears that most antivirus engines currently don’t recognize the initial stage of the malware as a threat, according to Google’s malware-checking service VirusTotal. Affected users can consider using Windows’s System Restore or reinstalling the OS as a nuclear option if they suspect their PC contains malware.