Windows Malware Distributed Through Pirated Games Infects Over 400,000 Systems

A Windows-focused malware operation spreading through pirated PC games has potentially compromised more than 400,000 devices worldwide, according to research released by Cyderes. The company identified the threat as “RenEngine loader” and reported that roughly 30,000 affected users are located in the United States alone.

Investigators found the malicious code embedded inside cracked and repackaged versions of popular game franchises, including Far Cry, Need for Speed, FIFA, and Assassin’s Creed. The infected installers appear to function normally, allowing users to download and play the games. However, while the visible game content runs as expected, concealed code executes in parallel without the user’s awareness.

Researchers traced part of the operation to a legitimate launcher built on Ren'Py, an engine commonly used for visual novel-style games. The attackers embedded harmful components within this launcher framework. When executed, the launcher decompresses archived game files as intended, but at the same time initiates the hidden malware routine.

According to Cyderes, the campaign has been active since at least April of last year and remains ongoing. In October, the operators modified the malware to include an embedded telemetry URL. Each time the RenEngine loader runs, it connects to this address, allowing the attackers to log activity. Analysis of that telemetry endpoint enabled researchers to estimate overall infection levels, with the system recording between 4,000 and 10,000 visits per day.

Telemetry data indicates that the largest concentration of victims is located in India, the United States, and Brazil. The US accounts for approximately 30,000 of the infected systems identified through this tracking mechanism.

The loader’s primary function is to deliver additional malicious software onto compromised machines. In multiple cases, researchers observed it deploying a Windows-based information stealer known as ARC. This malware is designed to extract stored browser passwords, session cookies, cryptocurrency wallet information, autofill entries, clipboard data, and system configuration details.

Cyderes also reported observing alternative payloads delivered through the same loader infrastructure, including Rhadamanthys stealer, Async RAT, and XWorm. These programs are capable of credential theft and, in some cases, remote system control, enabling attackers to monitor activity or manipulate infected devices.

The investigation identified one distribution source, dodi-repacks[.]site, as hosting downloads containing the embedded malware. The domain has previously been associated with other malicious distribution activity.
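
The following Python example is added here and is not from Cyderes or the original post: it checks DNS or proxy log entries against the distribution domain named above, matching the domain and its subdomains on label boundaries so that look-alike names are not flagged. The log format (`<timestamp> <client> <url-or-hostname>`), the client addresses, and the sample hostnames are constructed assumptions.

```python
from urllib.parse import urlsplit

# Indicator as published in the article (defanged); refanged only in memory.
PUBLISHED_INDICATORS = ["dodi-repacks[.]site"]


def refang(indicator):
    """Turn a defanged hostname indicator into a normalised hostname."""
    return indicator.replace("[.]", ".").strip().rstrip(".").lower()


def host_of(value):
    """Extract a normalised hostname from a URL or a bare DNS name."""
    value = value.strip()
    if "://" not in value:
        value = "//" + value  # lets urlsplit parse a bare name as a netloc
    return (urlsplit(value).hostname or "").rstrip(".").lower()


def matches(host, indicator_host):
    """True for the domain itself or a subdomain, never a look-alike suffix."""
    return host == indicator_host or host.endswith("." + indicator_host)


def find_hits(log_lines, indicators=PUBLISHED_INDICATORS):
    """Return (client, host) pairs whose requested host matches an indicator.

    Assumed (hypothetical) log format: "<timestamp> <client> <url-or-hostname>".
    """
    wanted = [refang(i) for i in indicators]
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines
        host = host_of(parts[2])
        if any(matches(host, w) for w in wanted):
            hits.append((parts[1], host))
    return hits


def sample_log():
    """Constructed log lines, built from the indicator so it stays defanged here."""
    bad = refang(PUBLISHED_INDICATORS[0])
    return [
        f"2025-01-01T10:00:00Z 10.0.0.5 https://{bad}/",
        f"2025-01-01T10:00:01Z 10.0.0.6 CDN.{bad.upper()}.",   # subdomain, FQDN dot
        f"2025-01-01T10:00:02Z 10.0.0.7 not{bad}",             # look-alike prefix
        f"2025-01-01T10:00:03Z 10.0.0.8 {bad}.example.com",    # indicator as a label
        "truncated-line",
    ]
```

Calling `find_hits(sample_log())` flags only the first two clients; the look-alike names and the malformed line are ignored.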

Detection remains limited at the initial infection stage. Public scan results from Google’s VirusTotal platform indicate that, aside from Avast, AVG, and Cynet, most antivirus engines currently do not flag the loader component as malicious. This detection gap increases the likelihood that users may remain unaware of compromise.

Users who suspect infection are advised to run updated security scans immediately. If concerns persist, Windows System Restore may help revert the device to a prior clean state. In cases where compromise cannot be confidently removed, a full operating system reinstallation may be necessary.

The findings reinforce a recurring cybersecurity risk: unauthorized software downloads frequently serve as a delivery channel for concealed malware capable of exposing personal data and granting attackers extended access to victim systems.

Users Warned About the Steam Scam Prevailing in the Wild

A new internet scam is circulating that may result in PC gamers losing access to their Steam accounts or getting their systems infected with a virus.

Valve's Steam is a digital distribution service for video games. It was released in September 2003 as a standalone software client that let Valve deliver automatic updates for its games, and it was eventually expanded to include titles from third-party publishers.

Anyone who has played a multiplayer online game is probably familiar with skins. Skins are decorative overlays for in-game goods; they are widely traded and can be bought with either virtual or real money.

Malwarebytes has issued a warning about a skins fraud that might result in users losing access to their accounts and their vast libraries of video games. According to a recent blog post from Malwarebytes Labs, one of the earliest frauds is skin phishing, in which a scammer creates a false marketplace, a replica of a genuine game-themed lounge, or even a fake user's trade inventory page to breach an account.

The fact that this strategy can be carried out in a very short period makes it highly risky. A scammer begins by sending a message with a malicious link to potential victims on Steam or Discord. The messages look like this:

“Yo, I don’t know you, unfortunately, but this is for you, I do not need that knife [link]” 

“I haven’t met you, unfortunately (or not lol), but take it, I don’t need that skin [link]”

After a user's Steam account has been compromised, they must contact the Steam assistance team to try to restore it, but by then the fraudster has most likely altered the password as well as other login details. To make matters worse, the fraudster might attempt identity theft by signing into the victim's other online accounts with their Steam credentials.

Malwarebytes suggests that Steam users set up two-factor authentication (2FA) for their accounts and avoid clicking on any URLs sent by unfamiliar people in-game or online, to safeguard themselves from this and other similar scams.