Summary
- The Howler Cell Threat Research Team has uncovered an active and highly advanced stealer campaign that has been operating since at least April 2025 and remains ongoing.
- During this investigation, the team identified and named a previously unreported malware family, RenEngine Loader, after discovering malicious logic embedded within what appears to be a legitimate Ren’Py-based game launcher.
- In parallel, the team analyzed a new variant of HijackLoader used in the same campaign.
- This variant introduces several never-before-seen capabilities, including the modules ANTIVMGPU, ANTIVMHYPERVISORNAMES, and ANTIVMMACS.
- Several attack chains also incorporated additional stealer families, such as Vidar and ACR.
A defining characteristic of this campaign is its scale and sophistication. It exploits cracked games, illegally modified game installers that allow users to download and play commercial titles without paying. While these cracked games appear functional, they silently deliver embedded malware alongside the playable content.
Compromised game titles observed in this campaign include:
-
- Far Cry
- Need for Speed
- FIFA
- Assassin’s Creed
Our analysis indicates that more than 400,000 global victims have been impacted, with the operation continuing to infect over 5,000 new victims per day. The threat actors blend compelling social‑engineering techniques with a stealthy, multi‑stage execution chain designed to bypass security controls and impede analysis. By embedding a modular, stealth‑focused second‑stage loader inside a legitimate Ren’Py launcher, the attackers closely mimic normal application behavior, significantly reducing early detection.
Key characteristics of this advanced, high-impact campaign:
- Operational scale and persistence: Sustained activity since April 2025 reflects mature operations, repeatable delivery mechanisms, and highly effective victim acquisition.
- Blended execution flows: Leveraging a legitimate Ren’Py launcher enables malicious processes to masquerade as normal application behavior, increasing execution success rates and hindering early detection.
- Multi-stage, modular architecture: RenEngine Loader decrypts, stages, and transfers execution to HijackLoader, enabling rapid tooling evolution and flexible capability deployment.
- Defense evasion by design: RenEngine Loader employs extensive sandbox and environment checks, layered encoding/decoding (Base64 + XOR), and execution of packaged scripts from Ren’Py archives— techniques that reduce static visibility and disrupt automated analysis.
- Enhanced HijackLoader stealth: HijackLoader uses multiple evasion techniques—including Heaven’s Gate, process hollowing, process doppelgänging, and call‑stack spoofing. In this campaign, it is stealthily deployed through DLL side‑loading and module stomping, with process doppelgänging used in the final phase.
High-Level Attack Chain Overview
- Initial Access: Victims are enticed into executing cracked or modded game installers distributed via piracy platforms.
- Stage 1 – RenEngine Loader: Embedded within a legitimate Ren’Py launcher, it executes a malicious Python script packaged as a Ren’Py archive. It then performs environment validation (including sandbox checks), decodes configuration data, decrypts staged content, and launches the next phase.
- Stage 2 – HijackLoader: A newly observed variant with expanded capabilities. It employs DLL side‑loading and module stomping to load malicious modules while blending into trusted process flows.
- Final Payload – ACR Stealer: The ultimate payload exfiltrates sensitive data—including browser credentials, cookies, cryptocurrency wallets, and system information—to attacker‑controlled infrastructure.
Bottom Line
This campaign is far from a commodity “grab‑and‑go” infection chain. It is a high‑volume, long‑running, and technically mature operation that combines trusted application execution paths, staged decryption, modular payload delivery, and extensive evasion techniques. The result is an intrusion chain that is difficult to triage, resistant to automated sandboxing, and capable of sustaining large‑scale victimization over extended periods.
Victim Analytics
The Howler Cell Threat Research Team traced the origin of the RenEngine Loader campaign to early April 2025, and it remains active to date. Variants observed since early October include an additional function that retrieves the value of the pub field from the configuration and appends it to a GET request sent to analytics tracking.
Our OSINT hunt and analysis of victim analytics dumps and logs confirm that telemetry tracking was added to the loader on October 14, 2025. The campaign is still active. The analytics data indicates approximately 400k global distributions reaching the telemetry server (embedded in the malware), as shown in Figure 1. Exact victim counts cannot be confirmed due to limited visibility in the available telemetry data.
Figure 1: Distribution of users reached C2 across the globe
The data covers daily telemetry from October 2025 through early January 2026 and shows a clear, steady growth pattern over time.
- Gradual increase starting mid-October.
- Strong and sustained growth from mid-November onward.
- December shows peak and stable volume across all metrics.
On average, approximately 5,000 new visitors to the telemetry tracker (Figure 2) occur globally each day. The highest concentration of victims has been observed in India, the United States, and Brazil (Table 1).
Figure 2: Daily user traffic from Oct. 14, 2025 to Jan. 5, 2026 by telemetry
Note: The telemetry URL is embedded in the malware and can be reached whenever the malicious RenEngine loader executes.
Table 1: RenEngine Loader top 10 countries of users reached
|
Country |
Users |
|
India |
38,016 |
|
The United States |
31,317 |
|
Brazil |
25,220 |
|
Russian Federation |
22,366 |
|
Egypt |
19,500 |
|
Turkey |
18,835 |
|
Spain |
18,109 |
|
Indonesia |
15,790 |
|
Pakistan |
15,426 |
|
France |
14,100 |
Attack Overview
Figure 3: Attack overview
Technical Analysis
Initial access occurs when users download pirated game installers from platforms that distribute cracks and game modifications, as shown in Figure 4. These installers are advertised as preactivated or cracked versions of commercial games. Users often trust these files to bypass licensing controls or avoid paying for legitimate software.
In addition to full installers, users frequently download game mods to customize or enhance gameplay. These mods are treated as low risk by users and are often executed without verification.
The Howler Cell Threat Research Team identified a popular game mod and crack distribution site delivering information stealer malware through both installers and mod packages.
The AAA game titles observed so far include:
-
- Far Cry
- Need for Speed
- FIFA
- Assassin’s Creed
This delivery method relies on social trust within piracy communities rather than technical exploitation. That makes it effective against users with limited security awareness and minimal endpoint protections.
Figure 4: Pirated game page displayed on the website
Clicking on the download link of the game we landed on a page go[.]zovo[.]ink as shown in Figure 5.
Figure 5: Zovo webpage showing button as "Download Setup"
Further clicking on Download Setup button of this page, it redirects us to the MediaFire download page containing the zip of pirated setup (which contains RenEngine Loader),) , the complete initial payload drop chain is shown in Figure 6.
Figure 6: Initial payload drop chain
RenEngine Loader
Once we download the zip & extract it with WinRAR or 7zip tool. The structure of files and directories will look as shown in Figure 7. Instaler.exe is a legitimate game launcher based on Ren'py visual novel engine and is abused here to execute a malicious python script.
Figure 7: Files and directories dropped by zip
The threat actors behind this campaign abused Ren’Py’s archive build feature to package the final payloads within an RPA file. Since common extractors like 7-Zip typically fail to unpack these archives by default, the compiled scripts remain embedded, likely as a tactic to evade static detection by security solutions and ensure the script is present only in memory.
Figure 8: Build options specified in options.rpy
As illustrated in Figure 8, the threat actors leveraged Ren’Py’s built-in archive functionality to consolidate all files into archive.rpa. Notably, they also deliberately removed all plain text script files (rpy) from the final build package leaving only the compiled scripts (rpyc).
On execution, Instaler.exe (Ren'py Launcher) by default decompresses archive.rpa present within game, launcher, or data directory and executes a compiled python script named script.rpyc. As visualized in Figure 9, We decompressed the RPA archive and decompiled the malicious python script for detailed analysis. This script has been designated by Howler Cell as RenEngine Loader.
Figure 9: RenEngine Loader: Decompiled Script.rpyc
RenEngine Loader reads a .key file from disk, decodes its contents using Base64 to retrieve JSON configuration details (see Figure 10). Based on this configuration, it locates an XOR-encoded archive, decrypts it using the specified key, and executes the process defined in the configuration from within the extracted archive. In addition to this staged delivery mechanism, the loader also implements extensive sandbox checks (detailed later in this blog) to evade analysis and ensure execution only on real user environments.
Figure 10: RenEngine Loader configuration
The configuration is structured as JSON and supports up to six identifiers, each serving a specific role during different phases of RenEngine Loader’s execution. The details of these fields and their respective functions are outlined in Table 2.
Table 2: RenEngine Loader’s configuration detail
|
Field Name |
Value in Current Campaign |
Description |
|
filename |
Zt5qwYUCFL.txt |
Name of the XOR-encoded archive file. |
|
password |
eAX7G6bTT |
XOR key used to decode the file specified in filename. |
|
exec_file |
W8CPbGQI.exe |
Executable within the decoded archive that is launched during execution. |
|
sandbox |
false |
Determines sandbox behavior: • False – Perform sandbox checks• True – Skip checks |
|
pub |
t11_asm |
Identifier appended to analytic events sent to Clicky for victim tracking. |
|
final_zip_name |
Instsatp_* |
Currently unused in this campaign; observed in other samples. It currently holds no value in the code and lacks implementation, suggesting it may signify functionality under development or reserved for future use. |
Sandbox Check
Based on the decoded configuration, if the sandbox field is set to False, the RenEngine Loader initiates a sandbox check. The loader calculates a scoring sum based on different information it collects from the system, and the sum is compared at the end to identify if the current execution is within a sandbox machine.
Figure 11: Sandbox check simulated in a VMware guest
After completing all discovery actions (Figure 11), the calculated sum is converted into percentage. If this percentage is below 50, the loader proceeds with execution; otherwise, it terminates silently. Table 3 details the artifacts and comparisons used to determine whether the host is a virtual machine.
Table 3: List of sandbox checks performed to determine VM
|
Sandbox Check |
Details & Score |
System Command executed & List compared |
|
RAM |
|
powershell -Command 'Get-CimInstance Win32_ComputerSystem | Select-Object TotalPhysicalMemory' |
|
Hard Disk Storage (only C: drive) |
|
powershell -Command 'Get-PSDrive C | Select-Object Used,Free' |
|
CPU Cores |
|
powershell -Command 'Get-CimInstance Win32_Processor | Select-Object NumberOfLogicalProcessors' |
|
Device Serial |
|
powershell -Command 'Get-CimInstance Win32_BIOS | Select-Object SerialNumber' |
|
Device Model |
|
powershell -Command ‘Get-CimInstance Win32_ComputerSystem | Select-Object Model’ virtualbox, vmware, kvm, virtual machine, qemu, xen, hyperv, hyper-v, parallels, virtual platform, vm platform, vsphere, proxmox, citrix, oracle vm, bochs, virtual pc, cloud pc, shadow pc, amazon ec2, google compute engine, azure virtual machine, bhyve, virtual desktop, sandbox |
|
Device Manufacturer |
|
powershell -Command 'Get-CimInstance Win32_ComputerSystem | Select-Object Manufacturer' |
|
Registry Keys |
|
Hardcoded list of Registry keys
"SOFTWARE\Oracle\VirtualBox Guest Additions", "HARDWARE\ACPI\DSDT\VBOX__", "HARDWARE\ACPI\FADT\VBOX__", "HARDWARE\ACPI\RSDT\VBOX__", "SYSTEM\ControlSet001\Services\VBoxGuest", "SYSTEM\ControlSet001\Services\VBoxMouse", "SYSTEM\ControlSet001\Services\VBoxService", "SYSTEM\ControlSet001\Services\VBoxSF", "SYSTEM\ControlSet001\Services\VBoxVideo" |
|
Module and Driver Files |
|
Hardcoded list of Files VBoxMouse.sys, VBoxGuest.sys, VBoxSF.sys, VBoxVideo.sys, vboxdisp.dll, vboxhook.dll, vboxmrxnp.dll, vboxogl.dll, vboxoglarrayspu.dll, vboxoglcrutil.dll, vboxoglerrorspu.dll, vboxoglfeedbackspu.dll, vboxoglpackspu.dll, vboxoglpassthroughspu.dll, vboxservice.exe, vboxtray.exe, VBoxControl.exe, vmmouse.sys, vmhgfs.sys, vmusbmouse.sys, vmkdb.sys, vmrawdsk.sys, vmmemctl.sys, vm3dmp.sys, vmci.sys, vmsci.sys |
|
Active Process |
|
Hardcoded list of processes vboxservices.exe, vboxservice.exe, vboxtray.exe, xenservice.exe, VMSrvc.exe, vemusrvc.exe, VMUSrvc.exe, qemu-ga.exe, prl_cc.exe, prl_tools.exe, vmtoolsd.exe |
|
Username |
|
Hardcoded list of sandbox usernames |
Hijack Loader
Following the sandbox check, the RenEngine Loader retrieves a file named Zt5qwYUCFL.txt from disk and applies XOR decoding with the key eAX7G6bTT to obtain a ZIP archive. It then extracts the archive’s contents and executes a binary called W8CPbGQI.exe, continuing the malicious attack chain. The structure is shown in Figure 12.
Figure 12: Files present within the extracted archive
W8CPbGQI.exe is a legitimate signed executable which is abused to sideload and execute the malicious module d3dx9_43.dll. On Load, this module is responsible for dynamically loading another DLL from current directory named VSDebugScriptAgent170.dll using LoadLibraryA API (see Figure 13 for Snippet) and transfers execution to this DLL via indirect jmp instruction.
Figure 13: Module load using LoadLibraryA
VSDebugScriptAgent170.dll leverages the modified DllGetClassObject export function to perform dynamic API resolution, as illustrated in Figure 14.
Figure 14: Dynamic API resolution using modified DllGetClassObject.
Following dynamic API resolving, it performs module stomping on evr.dll; It is loaded via LoadLibraryA API and then execution is transferred using call EDX instruction, as shown in Figure 15.
Figure 15: Transfer execution to stomped EVR.DLL
Stomped Evr.dll reads an encrypted file named Froodjurain.wkk from disk, which serves as the configuration container for HijackLoader. This file holds compressed module data that is later unpacked by the malware using the RtlDecompressBuffer API with the LZNT1 compression format.
As shown in Figure 16, the malware looks for the magic value C6 A5 79 EA, followed by a 4-byte XOR key (DB CD 7B C6). This XOR key differs across samples. The configuration structure is outlined below:
IDAT: 49 44 41 54
Magic Number: C6 A5 79 EA
XOR Key: DB CD 7B C6
Figure 16: Encrypted IDAT Config
Figure 17: Illustrates how HijackLoader decompresses the data using the RtlDecompressBuffer API.
After decompression, the second-stage loader data appear as shown in Figure 18.
Figure 18: Decompressed data of second stage loader.
The decompressed data contains a list of 38 modules. Early HijackLoader samples included only a small number of modules, mainly responsible for reading the configuration file, decrypting data, and loading the next stage.
Over time, the malware authors have expanded this set by adding many more modules to the existing framework. In the sample analyzed during this research, HijackLoader loads 38 separate modules (listed under Table 4), indicating its evolution from a simple loader into a highly modular framework.
Table 4: Modules Loaded by HijackLoader
|
Module name |
Purpose Of the Module |
CRC Hash |
|
ANTIVM |
General virtual machine detection |
0x4DAD7707 |
|
ANTIVMGPU |
GPU checks to detect virtual machines |
0xE6789CD4 |
|
ANTIVMHYPERVISORNAMES |
Looks for known hypervisor names |
0x19E1DA5E |
|
ANTIVMMACS |
Checks MAC addresses linked to VMs |
0xCFF91D66 |
|
AVDATA |
Collects antivirus and security product info |
0x78B783CA |
|
COPYLIST |
Prepares file lists for later actions |
0x1AE7700A |
|
CUSTOMINJECT |
Custom process injection (32-bit) |
0x6703F815 |
|
CUSTOMINJECTPATH |
Injection using a specific process path |
0x192A4446 |
|
ESAL |
Core execution support layer (32-bit) |
0x757C9405 |
|
ESAL64 |
Core execution support layer (64-bit) |
0x6364A15B |
|
ESLDR |
Module loader (32-bit) |
0xE7794E15 |
|
ESLDR64 |
Module loader (64-bit) |
0x4FA01AC5 |
|
ESWR |
Writes payload data (32-bit) |
0x93EB1CB1 |
|
ESWR64 |
Writes payload data (64-bit) |
0x00AE2762 |
|
FIXED |
Static or fixed configuration data |
0x699D0C82 |
|
LauncherLdr64 |
Launches main loader in 64-bit mode |
0xF4F141C2 |
|
modCreateProcess |
Process creation logic (32-bit) |
0x696F778F |
|
modCreateProcess64 |
Process creation logic (64-bit) |
0x9B0B7E4B |
|
modTask |
Scheduled task persistence (32-bit) |
0x3115355E |
|
modTask64 |
Scheduled task persistence (64-bit) |
0x9BFAF2D3 |
|
modUAC |
UAC bypass or elevation attempts (32-bit) |
0xC64EBFDA |
|
modUAC64 |
UAC bypass or elevation attempts (64-bit) |
0xC97832F9 |
|
modWD |
Windows Defender interference (32-bit) |
0x0F508E52 |
|
modWD64 |
Windows Defender interference (64-bit) |
0x6BFCE99E |
|
modWriteFile |
File write operations (32-bit) |
0xFCE82FC1 |
|
modWriteFile64 |
File write operations (64-bit) |
0x90415081 |
|
rshell |
Reverse shell capability (32-bit) |
0x74984889 |
|
rshell64 |
Reverse shell capability (64-bit) |
0x7B37E907 |
|
SM |
Session or state management |
0xD8222145 |
|
ti |
System and environment profiling (32-bit) |
0x3EE477F1 |
|
ti64 |
System and environment profiling (64-bit) |
0x2AB77DB8 |
|
TinycallProxy |
API call proxy and obfuscation (32-bit) |
0x455CBBC3 |
|
TinycallProxy64 |
API call proxy and obfuscation (64-bit) |
0x5515DCEA |
|
tinystub |
Initial bootstrap loader (32-bit) |
0x4EACE798 |
|
tinystub64 |
Initial bootstrap loader (64-bit) |
0x6E874E5A |
|
tinyutilitymodule.dll |
Shared utility functions (32-bit) |
0xA1D724FC |
|
tinyutilitymodule64.dll |
Shared utility functions (64-bit) |
0xA0077EA3 |
|
X64L |
64-bit execution switch helper |
0xCB5B9F3F |
In the next stage, the malware searches for the ti module (CRC = 0x3EE477F1) by comparing hardcoded CRC values against each available module. Once the matching module is identified, it loads a system DLL to inject the shellcode.
In our case, the target system DLL is predefined in the configuration (as shown in Figure 19) and is rasapi32.dll, which is loaded dynamically at runtime using the LoadLibraryW API.
Figure 19: Dynamically Loading rsaapi32.dll.
The malware creates a directory named broker_crypt_v4_i386 under %ProgramData%, which is also defined in the configuration. After creating this directory, it loads the COPYLIST (CRC= 0x1AE7700A) module and copies d3dx9_43.dll, Froodjurain.wkk, Taig.gr, and VSDebugScriptAgent170.dll as shown in Figure 20 to later establish persistence on the system dropping LNK on Desktop.
Figure 20: Dependent files in %ProgramData%\broker_crypt_v4_i386
The malware also creates a directory named %AppData%\Roaming\broker_crypt_v4_i386 using the CreateDirectoryW API and drops chime.exe into this location, as shown in Figure 21. It then sets the current working directory to %AppData%\Roaming\broker_crypt_v4_i386 and spawns a new process. During this process execution, two .tmp files are created in the %Temp% directory, which contain the configuration data and the shellcode for the final payload.
Figure 21: Dropped chime.exe in %AppData%\roaming\broker_crypt_v4_i386.
In the final phase, the malware creates an executable named ZoneInd.exe under %AppData%\Local. The loader then implements process doppelgänging, writing the shellcode extracted from the .tmp files into both ZoneInd.exe and chime.exe.
Final payload - ACR stealer
Analysis of the final payload confirms it to be an ACR stealer, and its configuration is provided in Table 5, It is designed to harvest sensitive user data such as saved browser passwords, cookies, cryptocurrency wallets, and autofill information, along with system details and clipboard contents. This capability enables account takeover, session hijacking, and financial theft by quietly exfiltrating the collected data to its command-and-control (C2) server.
Table 5: Final ACR Stealer Configuration
|
C2: 78[.]40[.]193[.]126 |
In this campaign, only ACR stealer was delivered as final payload; however, in other similar scenarios, we observed different payloads such as Rhadamanthys stealer, Async RAT, and XWorm delivered via RenEngine Loader. The complete network infrastructure is shown in Figure 22.
Figure 22: Complete network infrastructure
Conclusion
RenEngine Loader marks a significant evolution in loader-based attack chains. Unlike traditional loaders, RenEngine leverages the legitimate Ren’Py visual novel engine to embed malicious scripts within legitimate game launchers, exploiting the engine’s archive packaging feature to evade static detection. This approach demonstrates a creative abuse of gaming frameworks for malware delivery, making RenEngine a novel and stealthy initial-stage loader.
RenEngine’s capabilities extend beyond simple payload delivery. It incorporates:
- Dynamic configuration decoding via Base64 and XOR encryption.
- Advanced sandbox scoring mechanisms to ensure execution only on real user environments.
- Telemetry integration for infection tracking, enabling campaign operators to monitor victim distribution globally.
Its role as the first stage in a dual-loader chain (preceding HijackLoader) highlights a growing trend toward modular, multi-layered attack architectures. By combining RenEngine’s stealth and HijackLoader’s extensive module set, threat actors achieve persistence, privilege escalation, and flexible payload deployment.
This discovery underscores the need for behavioural detection strategies focused on:
- Abuse of legitimate frameworks (e.g., Ren’Py).
- Unusual archive formats and embedded Python scripts.
- Sandbox evasion logic and staged decryption routines.
Appendix
IOC’s
- SHA256: 9e3b296339e25b1bae1f9d028a17f030dcf2ab25ad46221b37731ea4fdfde057
- Zip Package: 9e3b296339e25b1bae1f9d028a17f030dcf2ab25ad46221b37731ea4fdfde057
- RenPy Installer (legitimate but exploited):
- Instaler.exe: 7123e1514b939b165985560057fe3c761440a9fff9783a3b84e861fd2888d4ab
- HijackLoader:
- d3dx9_43.dll: 326ec5aeeafc4c31c234146dc604a849f20f1445e2f973466682cb33889b4e4c
- VSDebugScriptAgent170.dll: db4ccd0e8f03c6d282726bfb4ee9aa15aa41e7a5edcb49e13fbd0001452cdfa2
- hxxps[://]dodi-repacks[.]site (Piracy game download website)
C2’s
- 78[.]40[.]193[.]126
MITRE
Initial Access:
• T1204.002 – User Execution: Malicious File
Execution:
• T1059.006 – Command and Scripting Interpreter: Python
Defense Evasion:
• T1027 – Obfuscated/Compressed Files & Information
• T1497.001 – Virtualization/Sandbox Evasion
• T1140 – Deobfuscate/Decode Files or Information
• T1055 – Process Injection
• T1055.013 – Process Doppelgänging
Persistence:
• T1053.005 – Scheduled Task/Job: Scheduled Task
• T1574.002 – Hijack Execution Flow: DLL Side-Loading
Privilege Escalation / Defense Evasion:
• T1548.002 – Bypass User Account Control
Discovery:
• T1082 – System Information Discovery
• T1012 – Query Registry
• T1057 – Process Discovery
Credential Access:
• T1555.003 – Credentials from Web Browsers
Collection:
• T1115 – Clipboard Data
• T1539 – Exfiltrate Web Session Cookies
Command and Control:
• T1071.001 – Application Layer Protocol: Web Protocols
Exfiltration:
• T1041 – Exfiltration Over C2 Channel
Stay informed with Howler Cell
Receive the latest Howler Cell news and research directly to your inbox.
