We disclose new details about campaigns involving RenEngine and HijackLoader malware. Since March 2025, attackers have been distributing the Lumma stealer in a complex chain of infections, and in February 2026, ongoing attacks using ACR Stealer became known.
securelist.com
RenEngine is a sophisticated malware loader distributed primarily via pirated games and software, posing significant cybersecurity risks. First detected by Kaspersky solutions in March 2025, RenEngine has since been linked to a widespread campaign that uses game piracy and cracked software as bait to infect victims worldwide. The malware notably delivers payloads such as the Lumma stealer and ACR Stealer, both known trojan stealers aimed at harvesting sensitive user data.
Recommendations for Protection
Avoid downloading pirated games or software from untrusted sources, as these archives often lack standardized integrity checks and may harbor malware.
Use specialized security solutions like Kaspersky Premium with Behavior Detection to identify malicious activity even in modified or unknown malware variants.
Employ modern antivirus technologies capable of detecting known stealers like Lumma, ACR, and Vidar, which are used in this campaign.
Gamers and software users should install software only from trusted and official platforms to minimize infection risk.
