
The game is over: when “free” comes at too high a price. What we know about RenEngine

ID: 2d91adbe-9d26-5ed3-93c6-bfa61637c8da

STIX ID: report--2d91adbe-9d26-5ed3-93c6-bfa61637c8da

Feed Name: Securelist by Kaspersky

Threat Score: 75/100

Date Published: 2026-02-11

Date Updated: 2026-04-29

Author: Denis Brylev, Pavel Sinenko, Maxim Starodubov, Artem Ushkov


This Kaspersky analysis details a widespread campaign (since March 2025) that distributes a RenEngine loader packaged as pirated games and cracked software. The loader uses a modular HijackLoader deployment that performs in-memory DLL overwrites, transaction-based temporary file staging, and process injection to deliver infostealers (Lumma and ACR, with instances of Vidar). The report provides IOCs (file hashes and malicious domains) and offers mitigation advice such as installing software from trusted sources and using behavior-based security solutions.
