Malware Hidden in Pirated Games Infects 400,000 Devices

Germany has the most aggressive anti-piracy legal enforcement in the Western world.
So it is not the good bandwidth or the valuable IPs in the USA as you mentioned; they pirate in the USA too.
 
This article is dumb and clickbaity, trying to scare people. “Which has been hiding inside cracked games and modified game installers for franchises including Far Cry, Need for Speed, FIFA, and Assassin’s Creed.” No. You can literally see from the screenshots in the article that the “download” flow goes through a sketchy redirect/funnel page and ends in a passworded “setup” zip. That’s either the classic fake download button trap, or the link itself is just serving the malware. The first option is insanely common on these sites.

At no point is anyone downloading the actual game, like “FIFA 21 (35 GB),” installing it, and then getting infected because they ran the crack or launched the game. That’s not what’s shown here. The infection is coming from running some random “Download Setup” payload you got after being bounced through ads/redirects.

So this is mainly a site/redirect/fake-button problem, not “cracked games are infected”.
 
This article is dumb and clickbaity, trying to scare people. “Which has been hiding inside cracked games and modified game installers for franchises including Far Cry, Need for Speed, FIFA, and Assassin’s Creed.” No. You can literally see from the screenshots in the article that the “download” flow goes through a sketchy redirect/funnel page and ends in a passworded “setup” zip. That’s either the classic fake download button trap, or the link itself is just serving the malware. The first option is insanely common on these sites.

At no point is anyone downloading the actual game, like “FIFA 21 (35 GB),” installing it, and then getting infected because they ran the crack or launched the game. That’s not what’s shown here. The infection is coming from running some random “Download Setup” payload you got after being bounced through ads/redirects.

So this is mainly a site/redirect/fake-button problem, not “cracked games are infected”.
You are effectively confusing the delivery mechanism with the actual payload, which is a classic error in threat analysis. You 'diagnosed' that the site uses redirects and fake buttons, congratulations, that is standard behavior for nearly all pirate sites and is simply the marketing layer. The reason Cyderes issued a global report isn't because of annoying pop-ups, it's because of what happens after the file is on your disk. You are dismissing this as a 'fake button problem,' but the technical reality is a Ren'Py Engine modification problem. Generic fake buttons almost always drop tiny, generic loaders (2MB .NET/C++ stubs) to save bandwidth. This campaign, however, bundles a full Ren'Py visual novel engine, which is a massive file structure. Attackers wouldn't bundle a complex engine just for a random drive-by redirect; they use it to create a convincing 'Setup' or 'Launcher' UI that looks like a legitimate pirate installer.

Arguing that 'FIFA doesn't run on Ren'Py, so the game isn't infected' is a distinction without a difference. If a user downloads a 50GB torrent labeled 'FIFA 21' and the Setup.exe inside that package is the RenEngine malware, then the download is infected. It does not matter if the malware is injected into the actual FIFA.exe (Frostbite engine) or the Installer.exe (Ren'Py engine); the result is identical. Regarding your point on passworded zips, in the piracy scene, these are not 'sketchy' indicators but industry standards for evading DMCA bots and AV scans. Experienced pirates trust them more. The attackers leveraged this trust and a sophisticated Ren'Py wrapper to bypass initial suspicion. You are staring at the packaging (the redirects) and claiming the bomb (the hex code baked into the engine) doesn't exist.
 
So it is not the good bandwidth or the valuable IPs in the USA as you mentioned; they pirate in the USA too.
You are creating a contradiction where none exists by confusing the prerequisite with the incentive. The fact that 'they pirate in the USA too' is not a counter-argument to my point about bandwidth or IP value; it is the foundational requirement that makes those factors relevant. My argument is that the US is a unique Top 3 target because it is the only region where the 'Perfect Storm' intersects: High Piracy Demand (Recklessness) meets High Bandwidth (Capability) and High Asset Value (Incentive).

In Germany, you have High Bandwidth and Wealth, but the 'Recklessness' is missing due to aggressive legal fines, so the infection rate is low. In India, you have High Piracy, but lower Asset Value and Bandwidth constraints limit the yield. The US is targeted specifically because it combines the reckless piracy of the developing world with the premium infrastructure and asset prices of the Western world. You are treating these factors as opposing theories, but the reality is that US piracy is simply the fuel that allows the high-bandwidth/high-value infection engine to run.
 
On that note, I am done bridging the comprehension gap. The technical analysis, attack vectors, and source telemetry have been detailed extensively throughout this thread. The answers are there; it is now on you to read them.
 
You are effectively confusing the delivery mechanism with the actual payload, which is a classic error in threat analysis. You 'diagnosed' that the site uses redirects and fake buttons, congratulations, that is standard behavior for nearly all pirate sites and is simply the marketing layer. The reason Cyderes issued a global report isn't because of annoying pop-ups, it's because of what happens after the file is on your disk. You are dismissing this as a 'fake button problem,' but the technical reality is a Ren'Py Engine modification problem. Generic fake buttons almost always drop tiny, generic loaders (2MB .NET/C++ stubs) to save bandwidth. This campaign, however, bundles a full Ren'Py visual novel engine, which is a massive file structure. Attackers wouldn't bundle a complex engine just for a random drive-by redirect; they use it to create a convincing 'Setup' or 'Launcher' UI that looks like a legitimate pirate installer.

Arguing that 'FIFA doesn't run on Ren'Py, so the game isn't infected' is a distinction without a difference. If a user downloads a 50GB torrent labeled 'FIFA 21' and the Setup.exe inside that package is the RenEngine malware, then the download is infected. It does not matter if the malware is injected into the actual FIFA.exe (Frostbite engine) or the Installer.exe (Ren'Py engine); the result is identical. Regarding your point on passworded zips, in the piracy scene, these are not 'sketchy' indicators but industry standards for evading DMCA bots and AV scans. Experienced pirates trust them more. The attackers leveraged this trust and a sophisticated Ren'Py wrapper to bypass initial suspicion. You are staring at the packaging (the redirects) and claiming the bomb (the hex code baked into the engine) doesn't exist.
No, the Cyderes report's own diagram says "Fake Game Installer - ZIP." Their own attack chain walkthrough: click download link on repack page -> land on go[.]zovo[.]ink -> click "Download Setup" -> redirect to MediaFire -> download a zip. That zip is the malware. It's not inside a torrent. It's not bundled with a real game. It's a separate file you get tricked into downloading instead of the game.

Your "50GB torrent with malicious Setup.exe" scenario doesn't exist anywhere in the report. You made it up. Show me where Cyderes says the actual torrent files are compromised. You can't, because they don't.

I'm saying the article is wrong about HOW it reaches people. It's not "hidden inside cracked games." It's a fake installer served through a redirect that has nothing to do with the actual game files. The repack pages literally warn you not to download from MediaFire, which is exactly where this malware comes from.
 
No, the Cyderes report's own diagram says "Fake Game Installer - ZIP." Their own attack chain walkthrough: click download link on repack page -> land on go[.]zovo[.]ink -> click "Download Setup" -> redirect to MediaFire -> download a zip. That zip is the malware. It's not inside a torrent. It's not bundled with a real game. It's a separate file you get tricked into downloading instead of the game.

Your "50GB torrent with malicious Setup.exe" scenario doesn't exist anywhere in the report. You made it up. Show me where Cyderes says the actual torrent files are compromised. You can't, because they don't.

I'm saying the article is wrong about HOW it reaches people. It's not "hidden inside cracked games." It's a fake installer served through a redirect that has nothing to do with the actual game files. The repack pages literally warn you not to download from MediaFire, which is exactly where this malware comes from.
Fair play on the MediaFire link, but you are missing the technical reason why I characterized this as a 'repack', and it wasn't a guess. Standard 'fake button' malware is typically a tiny 2MB stub to save bandwidth. This campaign, however, explicitly bundles the full Ren'Py Runtime, including the Python environment and libraries. You do not wrap a generic virus in a massive Game Engine unless you are simulating a Game Installer. My assessment was based on the payload structure, which is engineered to look and behave exactly like a cracked game setup. The fact that they deliver this heavy 'RenEngine' payload via a decoy zip instead of a full torrent doesn't make the article 'wrong'; it just means the social engineering is happening at the Ad Layer rather than the Tracker Layer.

Your argument that 'repack pages warn you not to use MediaFire' is survivor bias that ignores the data. If those warnings worked, there wouldn't be 400,000 victims. The reason they exist, and the reason the US is the #2 victim globally despite your 'small file' proof, is Ad-Tech Targeting. Malvertising networks operate on Real-Time Bidding (RTB). Attackers pay significantly higher CPMs to serve these specific 'RenEngine' traps to US IP addresses because a US residential proxy is worth 10x more than one from a low-income region. You proved it wasn't a 'Bandwidth Filter,' but in doing so, you just proved it is an 'Ad-Tech Filter.' The US is being headhunted by the algorithm specifically because the attackers are bidding on American traffic. The delivery method (MediaFire) is just the mechanism; the Targeting is why the stats look the way they do.
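To make the "payload structure" point concrete from the defender's side, here is an added triage helper that is not code from the article, Cyderes or anyone in this thread: it scores a zip's directory listing for the traits discussed above (a top-level Setup.exe, a Ren'Py engine tree with a bundled Python runtime, and the archive's password/encryption bit). The Ren'Py directory names (game/, renpy/, lib/, *.rpa) and the lure filenames are assumptions based on the usual Ren'Py distribution layout, and the sample archive is constructed inline.

```python
"""Archive triage helper (added example; assumed Ren'Py layout, constructed sample)."""
import io
import zipfile

ENGINE_DIRS = ("renpy/", "lib/", "game/")             # assumed Ren'Py layout
LURE_NAMES = ("setup", "launcher", "installer", "install")  # assumed lure names


def triage_listing(names, encrypted):
    """Return (flags, verdict) for a list of archive entry paths.

    encrypted: whether any entry carries the zip 'encrypted' bit (0x1).
    """
    paths = [n.lower().replace("\\", "/") for n in names]
    flags = []
    # Engine tree: a Frostbite-game installer has no reason to ship Ren'Py.
    engine_hits = sum(
        any(p.startswith(d) or ("/" + d) in p for p in paths) for d in ENGINE_DIRS
    )
    if engine_hits >= 2 or any(p.endswith(".rpa") for p in paths):
        flags.append("renpy_runtime_bundled")
    # Bundled Python environment (python*.dll or lib/py3-*/py2-* folders).
    if any(("/python" in p and p.endswith(".dll")) or "/py3-" in p or "/py2-" in p
           for p in paths):
        flags.append("python_environment_bundled")
    # A top-level executable named like a game setup or launcher.
    if any("/" not in p and p.endswith(".exe") and p[:-4] in LURE_NAMES for p in paths):
        flags.append("setup_executable_lure")
    if encrypted:
        flags.append("password_protected_archive")
    verdict = "fake-installer pattern" if len(flags) >= 3 else "no strong signal"
    return flags, verdict


def triage_zip(data):
    """Inspect raw zip bytes. Only the central directory is read, so
    password-protected entries still expose their names and flag bits."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        encrypted = any(zi.flag_bits & 0x1 for zi in infos)
        return triage_listing([zi.filename for zi in infos], encrypted)


def build_sample_zip():
    """Constructed sample shaped like a Ren'Py-wrapped 'Setup'. Python's zipfile
    cannot write encrypted entries, so the password bit is exercised through
    triage_listing() directly rather than through this archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("Setup.exe", "Setup.py", "renpy/main.py",
                     "lib/py3-windows-x86_64/python311.dll", "game/script.rpa"):
            zf.writestr(name, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip(build_sample_zip()))
```

A real game installer listing (one top-level folder of game binaries, no engine tree, no encryption bit) yields no flags, which is the contrast the thread is arguing about.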
 
Rich people are cheap. They know the value of money and do not want to waste it on games. So a freebie comes along and they grab it.
Then it depends on the game itself. Most of us recognize the titles - even among non-gamers, so it shows that it is popular here.
Rich people buy what they want when they want to.

The only rich people who are cheap are those with mental issues about money.

It is proven that being cheap does not create wealth. Living frugally is not the same as being compulsively cheap.

The majority of the people that feed 90% of the cracks and software piracy are from the 2nd and 3rd world.
 
The majority of the people that feed 90% of the cracks and software piracy are from the 2nd and 3rd world.
[attached screenshots: Capture.JPG, Capture2.JPG]
 
One has to be cautious with such statistics. The presented map does not show the percentage of pirated software among all software used in the country. I asked ChatGPT:

[attached screenshot of the ChatGPT answer]
 
Another statistic from 2024:

Regional Breakdown of Worldwide Software Piracy Rates

  1. Asia-Pacific: This region has the highest piracy rates, averaging around 60%. Countries like China (66%) and Vietnam (70%) face significant challenges due to widespread use of unlicensed software in businesses and homes. India has shown improvement, dropping to 56%, thanks to increased cloud-based software adoption and enforcement efforts.
  2. Eastern Europe: Piracy rates here average 55%. Nations like Russia (62%) and Ukraine (65%) struggle with enforcement, though EU integration has pushed countries like Poland (below 50%) to strengthen anti-piracy measures.
  3. Latin America: Rates stand at about 50%, with countries like Venezuela (68%) and Paraguay (65%) leading due to economic instability and lax regulations. Brazil and Mexico, at around 45%, have made strides through public awareness campaigns.
  4. Middle East and Africa: Piracy averages 57%. In Africa, Nigeria (70%) and Algeria (65%) face high rates, driven by cost barriers. The Middle East sees variation, with the UAE (30%) benefiting from stricter laws, while others lag.
  5. North America: The U.S. and Canada report the lowest rates, around 15-17%. Strong legal frameworks and widespread use of subscription-based software like SaaS contribute. However, small businesses and individual users still account for notable piracy.
  6. Western Europe: Rates are similarly low, around 20%. Countries like Germany (18%) and the UK (19%) benefit from robust enforcement, though southern nations like Greece (35%) face higher rates.

As we can see, the statistics from my previous post (ChatGPT) can differ greatly for some countries (like Germany). This follows from different data sources. The ChatGPT statistics were calculated with a warning:
Modern software delivery (SaaS, cloud, subscription) makes pure “percentage installed software unlicensed” harder to measure, so industry reports rely on usage telemetry and compliance signals instead of the older BSA style statistics.

The statistics from this post are more accurate.
 
Another statistic from 2024:

Regional Breakdown of Worldwide Software Piracy Rates

  1. Asia-Pacific: This region has the highest piracy rates, averaging around 60%. Countries like China (66%) and Vietnam (70%) face significant challenges due to widespread use of unlicensed software in businesses and homes. India has shown improvement, dropping to 56%, thanks to increased cloud-based software adoption and enforcement efforts.
  2. Eastern Europe: Piracy rates here average 55%. Nations like Russia (62%) and Ukraine (65%) struggle with enforcement, though EU integration has pushed countries like Poland (below 50%) to strengthen anti-piracy measures.
  3. Latin America: Rates stand at about 50%, with countries like Venezuela (68%) and Paraguay (65%) leading due to economic instability and lax regulations. Brazil and Mexico, at around 45%, have made strides through public awareness campaigns.
  4. Middle East and Africa: Piracy averages 57%. In Africa, Nigeria (70%) and Algeria (65%) face high rates, driven by cost barriers. The Middle East sees variation, with the UAE (30%) benefiting from stricter laws, while others lag.
  5. North America: The U.S. and Canada report the lowest rates, around 15-17%. Strong legal frameworks and widespread use of subscription-based software like SaaS contribute. However, small businesses and individual users still account for notable piracy.
  6. Western Europe: Rates are similarly low, around 20%. Countries like Germany (18%) and the UK (19%) benefit from robust enforcement, though southern nations like Greece (35%) face higher rates.
This looks more logical; Western Europe is last in the ranking.
The previous one shows France, Germany, and Italy at the 12th, 13th, and 14th ranks; that is why I prefer valid sources to AI-generated stats.
 
Another statistic from 2024:

Regional Breakdown of Worldwide Software Piracy Rates

  1. Asia-Pacific: This region has the highest piracy rates, averaging around 60%. Countries like China (66%) and Vietnam (70%) face significant challenges due to widespread use of unlicensed software in businesses and homes. India has shown improvement, dropping to 56%, thanks to increased cloud-based software adoption and enforcement efforts.
  2. Eastern Europe: Piracy rates here average 55%. Nations like Russia (62%) and Ukraine (65%) struggle with enforcement, though EU integration has pushed countries like Poland (below 50%) to strengthen anti-piracy measures.
  3. Latin America: Rates stand at about 50%, with countries like Venezuela (68%) and Paraguay (65%) leading due to economic instability and lax regulations. Brazil and Mexico, at around 45%, have made strides through public awareness campaigns.
  4. Middle East and Africa: Piracy averages 57%. In Africa, Nigeria (70%) and Algeria (65%) face high rates, driven by cost barriers. The Middle East sees variation, with the UAE (30%) benefiting from stricter laws, while others lag.
  5. North America: The U.S. and Canada report the lowest rates, around 15-17%. Strong legal frameworks and widespread use of subscription-based software like SaaS contribute. However, small businesses and individual users still account for notable piracy.
  6. Western Europe: Rates are similarly low, around 20%. Countries like Germany (18%) and the UK (19%) benefit from robust enforcement, though southern nations like Greece (35%) face higher rates.

As we can see, the statistics from my previous post (ChatGPT) can differ greatly for some countries (like Germany). This follows from different data sources. The ChatGPT statistics were calculated with a warning:

The statistics from this post are more accurate.
The statistics presented in your text (from the ShiftDelete file) are not from 2024 or 2025. They are 8-year-old data lifted directly from the 2018 BSA Global Software Survey (which analyzed 2017 data). While the ShiftDelete article is dated April 2025, it repackages this old data as current. There has been no major global study releasing precise "installation rates" (e.g., 66%, 62%) for every country since 2018. The most current data (Revenera 2025, MUSO 2024) focuses on "commercial value" and "piracy site visits" rather than installation percentages.

Verified with OSINT.

Here is a current list.

 