Malware Hidden in Pirated Games Infects 400,000 Devices

Parkinsond (thread author)
A new strain of Windows-based malware has been circulating through pirated PC games and may have infected over 400,000 devices.

Researchers at cybersecurity vendor Cyderes are warning about the threat, which has been hiding inside cracked games and modified game installers for franchises including Far Cry, Need for Speed, FIFA, and Assassin’s Creed.

The telemetry tracker shows the malware is usually logging about 4,000 to 10,000 visitors per day, with the highest concentration of victims observed in India 🇮🇳, the United States 🇺🇸, and Brazil 🇧🇷, the company’s report adds.

The malware has been dubbed “RenEngine loader” because some of the malicious code has been embedded inside a legitimate Ren’Py launcher, an engine used to run visual novel games.
“While these cracked games appear functional, they silently deliver embedded malware alongside the playable content,” the researchers wrote.

 
Technical Analysis & Remediation

MITRE ATT&CK Mapping

Initial Access

T1189 (Drive-by Compromise)
T1204 (User Execution: Malicious File)

Defense Evasion
T1036 (Masquerading: hiding inside the legitimate Ren'Py engine)

Execution
T1059 (Command and Scripting Interpreter)

Campaign Telemetry

Infection Volume

400,000 devices infected.

Daily Traffic
4,000 to 10,000 visitors accessing the malware distribution points per day.

Geographic Targeting
High concentration in India, United States, and Brazil.

Specific Indicators (Strings/Anchors)

Malware Family

"RenEngine loader"

Carrier Mechanism
"Ren’Py launcher" (modified).

Targeted Software
Cracked installers for "Far Cry, Need for Speed, FIFA, and Assassin’s Creed".

Remediation - THE ENTERPRISE TRACK (SANS PICERL)

Critical Note
Do not dismiss this because it involves "games." If an employee installs this on a VPN-connected laptop, the "loader" can drop an InfoStealer (like RedLine or Lumma) to harvest corporate session cookies and passwords.

Phase 1: Identification & Containment

Query Endpoint Detection (EDR)
Hunt for unsigned or modified versions of renpy.exe or executables associated with the listed game franchises running from non-standard paths (e.g., C:\Users\AppData\Local\Temp or Downloads).

Network Isolation
Immediately isolate any device showing traffic to known "warez" or torrent tracker sites.

Audit "Shadow IT"
Scan for unauthorized software installations (Steam, Epic Games, or unmanaged installers) on corporate assets.

Phase 2: Eradication

Reimage
Due to the nature of "loaders" (which can download arbitrary additional payloads), a simple AV scan is insufficient. Re-imaging the machine is the only safe option for enterprise assets.

Credential Reset
Force a reset of all credentials used on the device (AD, Okta, VPN) after the device is isolated.

Phase 3: Recovery

Policy Enforcement
Implement strict AppLocker or WDAC policies to prevent the execution of unapproved binaries (like pirated game installers).

Remediation - THE HOME USER TRACK

Priority 1: Safety

Disconnect
Take the computer offline immediately to stop the loader from downloading secondary malware (ransomware/stealers).

Uninstall
Remove any pirated games or "repacks" recently installed.

Scan
Run a full scan with a reputable non-embedded antivirus (e.g., Malwarebytes, Bitdefender).

Priority 2: Identity Hygiene

Assume Compromise
Loaders often deploy "stealers." Change passwords for email, banking, and social media from a different, clean device.

Session Purge
Log out of all active web sessions (Google, Facebook, Amazon) to invalidate potentially stolen session cookies.

Hardening & References

Baseline

CIS Benchmark for Windows 10/11 (Section 19: Application Control).

Policy
NIST SP 800-53 (CM-7): Least Functionality (Restrict software installation to authorized software only).

Reference
The Cyderes report mentioned in the PCMag article indicates the malware leverages the Ren'Py engine, a tool typically used for visual novels, to mask its activity.

Primary Intelligence Source

Cyderes Howler Cell - RenEngine Loader & HijackLoader Attack Chain

News & Discussion Source

PCMag: Malware Hidden in Pirated Games Infects 400,000 Devices
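The Phase 1 hunt above (Ren'Py launchers running from non-standard paths, with an unsigned DLL loaded from the same folder) expressed as detection logic. This is an added example, not code from Cyderes or from the thread: it runs over constructed Sysmon-style process-create (EventID 1) and image-load (EventID 7) records embedded in the script, and the launcher watch list and franchise keywords are assumptions chosen to match the names mentioned in the post.

```python
"""Hunt for the RenEngine-style side-loading pattern in endpoint telemetry.

Added example (not Cyderes' or the thread's code). Input is a list of
constructed Sysmon-style records: EventID 1 = process create, EventID 7 =
image (DLL) load, with the Signed/Signature fields Sysmon emits for loads.
"""
import ntpath  # Windows path handling, works on any host OS

# Constructed sample telemetry, not real logs.
EVENTS = [
    {"EventID": 1, "ProcessId": 4120,
     "Image": r"C:\Program Files\Ren'Py\renpy.exe"},
    {"EventID": 7, "ProcessId": 4120,
     "Image": r"C:\Program Files\Ren'Py\renpy.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"EventID": 1, "ProcessId": 5312,
     "Image": r"C:\Users\alice\Downloads\FarCry_Repack\instaler.exe"},
    {"EventID": 7, "ProcessId": 5312,
     "Image": r"C:\Users\alice\Downloads\FarCry_Repack\instaler.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\FarCry_Repack\iviewer.dll",
     "Signed": "false", "Signature": "-"},
    {"EventID": 7, "ProcessId": 5312,
     "Image": r"C:\Users\alice\Downloads\FarCry_Repack\instaler.exe",
     "ImageLoaded": r"C:\Windows\System32\user32.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"EventID": 1, "ProcessId": 6001,
     "Image": r"C:\Users\bob\AppData\Local\Temp\NFS_Unbound_Crack\setup.exe"},
    {"EventID": 7, "ProcessId": 6001,
     "Image": r"C:\Users\bob\AppData\Local\Temp\NFS_Unbound_Crack\setup.exe",
     "ImageLoaded": r"C:\Windows\System32\advapi32.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
]

# Assumed watch list: the Ren'Py launcher names seen in the thread.
LAUNCHER_NAMES = {"renpy.exe", "instaler.exe"}
# Assumed keywords for the franchises the report names.
FRANCHISE_KEYWORDS = ("farcry", "far cry", "nfs", "need for speed", "fifa", "assassin")


def user_writable(path: str) -> bool:
    """True for anything under a user profile (Downloads, Temp, Desktop),
    which is where repacks are extracted and run."""
    return path.lower().replace("/", "\\").startswith("c:\\users\\")


def suspicious_launcher(image: str) -> bool:
    """Launcher name or franchise keyword in the path, executed from a
    user-writable location rather than an installed program directory."""
    name = ntpath.basename(image).lower()
    low = image.lower()
    return user_writable(image) and (
        name in LAUNCHER_NAMES or any(k in low for k in FRANCHISE_KEYWORDS)
    )


def sideloaded(image: str, loaded: str, signed: str) -> bool:
    """Unsigned DLL loaded from the same directory as the executable:
    the side-loading shape (clean launcher + attacker DLL beside it)."""
    same_dir = ntpath.dirname(image).lower() == ntpath.dirname(loaded).lower()
    return same_dir and loaded.lower().endswith(".dll") and signed.lower() != "true"


def hunt(events):
    """Correlate process-create and image-load events by ProcessId."""
    findings, watched = [], {}
    for ev in events:
        pid = ev["ProcessId"]
        if ev["EventID"] == 1 and suspicious_launcher(ev["Image"]):
            watched[pid] = ev["Image"]
            findings.append({"pid": pid, "image": ev["Image"],
                             "reason": "launcher executed from user-writable path"})
        elif (ev["EventID"] == 7 and pid in watched
              and sideloaded(ev["Image"], ev["ImageLoaded"], ev["Signed"])):
            findings.append({"pid": pid, "image": ev["ImageLoaded"],
                             "reason": "unsigned DLL side-loaded from launcher directory"})
    return findings


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"{f['pid']:>6}  {f['reason']:<50} {f['image']}")
```

Run as a script it prints the findings; the two predicates map directly onto an EDR query (process path under C:\Users, plus an image-load of an unsigned DLL from the process's own directory). The franchise keyword match is the noisiest part and is a hunting lead, not an alert.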
 
Torrents and cracks contain too many unknown files. Too risky, and a great source for malware distribution.
What is unexplainable is the high prevalence in the US, where income is high!
It's expected to find pirated games frequently among users in low-income countries such as India, and here in Egypt.
 
Your confusion stems from the false assumption that software piracy is exclusively a symptom of poverty. The Cyderes report explicitly lists the United States alongside India and Brazil as the regions with the "highest concentration of victims". This prevalence in the US is likely driven by two key factors: the high bandwidth availability required to download massive modern games (often 50GB-100GB) and the high monetization value of American credentials for the attackers.

The malware is hiding in cracked versions of massive titles like "Far Cry, Need for Speed, FIFA, and Assassin’s Creed". These "repacks" are often enormous downloads. Users in low-infrastructure regions (despite low income) may struggle to download 80GB files, whereas US users with gigabit fiber can download them in minutes, increasing the sheer volume of successful infections in the US.
 
Egypt is ranked number 5, after Russia, in the article; we have low bandwidth availability, and most users do not use online banking on a PC (maybe on a phone), so there are no valuable credentials to target!
 
You say Egypt has 'no valuable credentials,' but the malware is the same one infecting the US. Do you think the malware authors wrote special code to ignore Egyptian passwords? No. They are harvesting identities (Facebook, Google, Steam). A verified Facebook account from Egypt is sold for ads/propaganda just like one from anywhere else. The malware doesn't care about your bank, it cares about your digital identity, which you definitely have.
 
So why is the higher prevalence in US? According to you, it can use any sort of credentials anywhere, regardless of economic status!
 
The attackers target the US specifically because American IPs are a high-value commodity, and American internet is fast enough to deliver the payload. It's not about 'online banking'; it's about turning your PC into a premium zombie node.
 
Rich people are cheap. They know the value of money and do not want to waste it on games. So a freebie comes along and they grab it.
Then it depends on the game itself. Most of us recognize the titles, even among non-gamers, so it shows that they are popular here.
 
The malware "Free Download Files.7z" submitted to VirusTotal (and mentioned in the article) may be incomplete. The initial EXE file ("instaler.exe", embedded in the .7z archive) might have been used in a DLL hijacking (side-loading) attack in the past (the note below is in Dutch):
https://nl.linkedin.com/posts/erikw...-sideloader-activity-7365462306480082944-QdPk

However, the malicious DLL is missing from "Free Download Files.7z", and it is also missing on VirusTotal (not yet uploaded).
The "instaler.exe" is a standard (benign) launcher for the Ren'Py Visual Novel Engine. The side-loaded DLL had the file name "iviewer.dll".
 
I do not.
The criteria for the high US prevalence also apply to Germany, for example.
Germany is not on the top 10 list.
Germany has the most aggressive anti-piracy legal enforcement in the Western world.

In the US, if you torrent a game, your ISP sends you a "Copyright Alert" email. Nothing happens. You ignore it. Result: reckless piracy.

In Germany, there is a massive industry of law firms that monitor public torrent swarms. If a German user downloads a game on a public tracker (where this malware lives), they receive a letter demanding €900–€1,500 within weeks.

German pirates are terrified of public torrents. They use "Direct Download" (DDL) sites or encrypted Usenet, which are harder for this specific "dragnet" malware to infiltrate than the open torrent sites used by Americans and Brazilians.
 
The malware "Free Download Files.7z" submitted to VirusTotal (and mentioned in the article) may be incomplete. The initial EXE file ("instaler.exe", embedded in the .7z archive) might have been used in a DLL hijacking (side-loading) attack in the past (the note below is in Dutch):
https://nl.linkedin.com/posts/erikw...-sideloader-activity-7365462306480082944-QdPk

However, the malicious DLL is missing from "Free Download Files.7z", and it is also missing on VirusTotal (not yet uploaded).
The "instaler.exe" is a standard (benign) launcher for the Ren'Py Visual Novel Engine. The side-loaded DLL had the file name "iviewer.dll".
You hit the nail on the head regarding DLL side-loading. The reason the file looks 'incomplete' is that the 'RenEngine' campaign specifically relies on modifying the legitimate Ren'Py execution flow, effectively using the instaler.exe (or game launcher) as a clean 'trigger' binary. The actual malware isn't embedded in the executable itself but hides within the accompanying DLLs or script files (like the lib or python folders) inside that 7z archive. This creates a detection gap where scanning just the EXE yields a 'Clean' result, but running it alongside the folder contents triggers the infection. This specific side-loading technique is exactly how they amassed 400,000 victims; the 'clean' launcher bypasses initial static AV checks and loads the malware into memory only upon execution.
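The point made in the last two posts, a clean launcher with the payload in the files next to it, turned into a static triage step for a downloaded archive. This is an added example, not the thread's or Cyderes' code: it builds an in-memory zip standing in for the repack archive (the Python stdlib has no 7z reader, so the layout is reproduced as a zip with placeholder bytes), compares each EXE's directory tree against a constructed baseline of paths assumed to be in a clean Ren'Py build, and reports DLLs placed directly beside the launcher together with their hashes, so that the DLL, not the launcher, is what gets looked up or submitted. The file names, baseline entries and layout are assumptions for illustration.

```python
"""Static triage of a repack archive for the side-loading layout:
a clean launcher EXE with an unexpected DLL sitting beside it.

Added example, not code from the thread or from Cyderes. Uses a zip built
in memory as a stand-in for the .7z (stdlib has no 7z support).
"""
import hashlib
import io
import posixpath
import zipfile

# Constructed archive contents: placeholder bytes, not real binaries.
SAMPLE_FILES = {
    "FarCry_Repack/instaler.exe": b"MZ launcher placeholder",
    "FarCry_Repack/iviewer.dll": b"MZ side-loaded payload placeholder",
    "FarCry_Repack/lib/py3-windows-x86_64/python3.dll": b"MZ runtime placeholder",
    "FarCry_Repack/game/script.rpyc": b"compiled script placeholder",
}

# Hypothetical baseline: paths (relative to the launcher's directory) that a
# clean Ren'Py build is assumed to contain. A real baseline is generated from
# an SDK download and keyed by hash, not by name.
CLEAN_BASELINE = {
    "instaler.exe",
    "lib/py3-windows-x86_64/python3.dll",
    "game/script.rpyc",
}


def build_sample_archive(files=SAMPLE_FILES) -> bytes:
    """Write the constructed files into an in-memory zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage(archive_bytes: bytes, baseline=CLEAN_BASELINE) -> list:
    """For every EXE in the archive, list files in its tree that are not in
    the baseline and single out DLLs placed directly beside the EXE, which is
    the side-loading layout (clean launcher + attacker DLL in its directory)."""
    report = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as z:
        names = [n for n in z.namelist() if not n.endswith("/")]
        for exe in (n for n in names if n.lower().endswith(".exe")):
            root = posixpath.dirname(exe)
            prefix = root + "/" if root else ""
            # relative path -> archive entry, for everything under the EXE's directory
            tree = {n[len(prefix):]: n for n in names if n.startswith(prefix)}
            unexpected = sorted(rel for rel in tree if rel not in baseline)
            sideload = [rel for rel in unexpected
                        if rel.lower().endswith(".dll") and "/" not in rel]
            report.append({
                "exe": exe,
                "exe_sha256": sha256_of(z.read(exe)),
                "unexpected": unexpected,
                "sideload_candidates": sideload,
                # hashes of the flagged DLLs: these, not the launcher, are the
                # artifacts worth looking up or submitting
                "dll_sha256": {rel: sha256_of(z.read(tree[rel])) for rel in sideload},
            })
    return report


if __name__ == "__main__":
    for entry in triage(build_sample_archive()):
        print(entry["exe"], "->", entry["sideload_candidates"], entry["dll_sha256"])
```

The baseline here is by name only and is an assumption; a real one is produced by hashing a clean SDK download so that a replaced runtime DLL under lib\ is caught as well, and a real repack would first be extracted with a 7z-capable tool.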