A new Windows malware campaign hides inside pirated PC games and modified installers for franchises like Far Cry, Need for Speed, FIFA, and Assassin’s Creed.
Researchers estimate that more than 400,000 devices worldwide have been infected, with around 30,000 users in the US.
The infection method is simple and effective. Users are lured into installing a fully functional free game. While the cracked and repacked game appears to work, the malware installs silently in the background.
The strain is being called “RenEngine loader” and sometimes referred to as Ren’Py because parts of the malicious code are embedded in a legitimate Ren’Py launcher used to run some visual novel games. When the launcher runs, it decompresses the game files and secretly starts the infection chain.
Ren’Py is a legitimate, open-source visual novel engine used by developers to make story-driven games with text, images, sound, and interactive choices. The malware in this case is not Ren’Py itself. Attackers are abusing the engine or its launcher as a delivery method to hide malicious code inside pirated game installs.
