Security researchers say the Windows-based RenEngine loader campaign has reached tens of thousands of users in the United States, with telemetry showing 31,317 US users reached and more than 400,000 globally. The operation spreads mainly through cracked game installers and mod packs, and the payload chain ends in credential-stealing malware.
According to the Howler Cell team at Cyderes, the campaign has been active since at least April 2025 and remains ongoing. Their analysis says telemetry tracking was added to the loader on October 14, 2025, and the data shows roughly 400,000 global users reached, with about 5,000 new telemetry hits per day on average. The same telemetry table lists the United States as the second-highest country by users reached. For details, see the Cyderes report.
The attack chain starts with a repackaged Ren’Py game launcher that looks legitimate and runs the game while executing hidden code. RenEngine then decrypts and hands execution off to a second-stage loader called HijackLoader, which uses techniques like DLL side-loading and process doppelgänging before delivering the final stealer payload, typically ACR Stealer. That payload is designed to harvest browser credentials, cookies, crypto wallets, and other sensitive data.
SOC Prime describes the campaign as a dual-stage loader chain built for flexibility, with HijackLoader capable of staging dozens of helper modules. The distribution still relies on classic user behavior: piracy ecosystems, fake repacks, and trusted-looking mod sites.
RenEngine is not just another dropper. It is a delivery system for stealers, which puts it in the same risk class as other infostealer campaigns and common trojan delivery tactics. The telemetry scale suggests a persistent, industrialized operation, and the US footprint shows it is not confined to a single region.
Cracked games and mod packs remain one of the most reliable malware delivery channels. If a file claims to be a pre-activated installer, assume it is unsafe. For defenders, Cyderes recommends blocking known piracy distribution domains and restricting unsigned installer execution in user-writable locations, which directly targets the RenEngine delivery path.
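The recommendation above (unsigned installers in user-writable locations) and the side-loading step in the attack chain both come down to the same on-disk layout: an executable that sits in a folder the user can write to, often with DLLs beside it. The following PowerShell audit is an added example written for this article; it is not code from Cyderes, SOC Prime, or the RenEngine analysis. It walks the usual user-writable directories, checks each executable's Authenticode status with the built-in Get-AuthenticodeSignature cmdlet, and flags executables that are unsigned, invalidly signed, or accompanied by DLLs in the same folder. The directory list and the CSV output path are assumptions; adjust them for your environment.

```powershell
# Added example for this article (not from the Cyderes or SOC Prime reports).
# Audits user-writable locations for executables that are not validly signed
# and for executables that have DLLs alongside them (the layout DLL side-loading needs).

# Assumed set of user-writable roots; extend for your environment.
$UserWritablePaths = @(
    (Join-Path $env:USERPROFILE 'Downloads'),
    $env:TEMP,
    $env:LOCALAPPDATA,
    $env:APPDATA,
    $env:PUBLIC
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique

# Assumed output location for SIEM or ticket ingestion.
$ReportPath = Join-Path $env:USERPROFILE 'exe-audit.csv'

$Findings = foreach ($Root in $UserWritablePaths) {
    Get-ChildItem -LiteralPath $Root -Recurse -File -Filter '*.exe' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $Sig = Get-AuthenticodeSignature -FilePath $_.FullName

        # DLLs in the same directory as the executable. A launcher that ships its own
        # DLLs is not automatically malicious, but it is the condition side-loading requires.
        $SiblingDlls = @(Get-ChildItem -LiteralPath $_.DirectoryName -File -Filter '*.dll' -ErrorAction SilentlyContinue)

        [PSCustomObject]@{
            Path            = $_.FullName
            SizeKB          = [math]::Round($_.Length / 1KB)
            LastWrite       = $_.LastWriteTime
            SignatureStatus = $Sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer          = if ($Sig.SignerCertificate) { $Sig.SignerCertificate.Subject } else { '' }
            SiblingDllCount = $SiblingDlls.Count
            SiblingDlls     = ($SiblingDlls.Name -join ';')
        }
    }
}

# Overlapping roots (for example TEMP under LOCALAPPDATA) produce duplicate rows; keep one per path.
$Findings = $Findings | Sort-Object Path -Unique

# Anything that is not validly signed, or that carries DLLs next to it, is worth a look.
$Suspect = $Findings | Where-Object {
    $_.SignatureStatus -ne 'Valid' -or $_.SiblingDllCount -gt 0
}

$Suspect | Sort-Object SignatureStatus, Path |
    Format-Table Path, SignatureStatus, Signer, SiblingDllCount -AutoSize

# Full inventory, including validly signed files, for later correlation.
$Findings | Export-Csv -LiteralPath $ReportPath -NoTypeInformation
Write-Host "Scanned $($Findings.Count) executables; $($Suspect.Count) flagged. Report: $ReportPath"
```

Run it in a normal (non-elevated) session so it sees the same directories the user can write to. The output is an inventory, not a verdict: a validly signed game launcher with its own DLLs will appear in the flagged list, and the point is to compare the signer against what the user believes they installed. The enforcement half of the recommendation, actually blocking unsigned executables from running out of these directories, is done with AppLocker or Windows Defender Application Control rules rather than with this script; the CSV gives you the list of paths and signers to build those rules from.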
