Malware in Pirated PC Games Steals Passwords and Crypto

RenEngine loader hidden in cracked game installers has infected over 400,000 PCs worldwide, about 30,000 in the US, installing stealers that harvest passwords, cookies and crypto wallets.

Security researchers report a Windows malware campaign that hides a loader inside cracked and repacked installers for PC games such as Far Cry, Need for Speed, FIFA and Assassin’s Creed. The loader, tracked as RenEngine, has infected more than 400,000 devices globally, including roughly 30,000 in the United States, by installing information-stealing software while the games appear to run normally.

Attackers embed malicious code in the launcher of Ren’Py, a legitimate open-source engine used for visual novel games. When the launcher runs to decompress and start the game, it also executes the infection chain. The attackers are not exploiting a vulnerability in Ren’Py itself; they use the launcher as a trusted-looking wrapper that conceals the loader inside a pirated game package.
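The article describes the loader riding on a legitimate launcher, so the practical question for a defender is how to triage a game package before (or after) it has been run. The following script is an added example written for this page, not tooling from the researchers, Ren’Py, or the campaign: it walks an extracted package, hashes every top-level launcher executable against a caller-supplied set of known-good hashes, and flags executable files that sit outside the directories where a stock Ren’Py build keeps native code. The layout it assumes (engine binaries under `lib/`, a small launcher `.exe` at the top level, scripts under `game/` and engine source under `renpy/`) and the extension list are assumptions made for the example; the sample package it builds in a temporary directory is constructed test data, not real malware.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# File types Windows will execute directly or that carry native code.
# Assumption for this example: illustrative, not exhaustive.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".pyd", ".scr", ".bat", ".cmd",
                       ".ps1", ".vbs", ".js", ".msi"}

# Assumption: in a stock Ren'Py distribution, executable code below the
# top level lives only under lib/. Anything executable under game/ or
# renpy/ has no business being there.
ALLOWED_EXECUTABLE_DIRS = ("lib",)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_renpy_package(root: Path, known_launcher_hashes: set[str]) -> dict:
    """Return launcher hashes plus anything that deviates from the expected layout."""
    root = root.resolve()
    findings = {"launchers": {}, "unknown_launchers": [], "unexpected_executables": []}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in EXECUTABLE_SUFFIXES:
            continue
        rel = path.relative_to(root)
        name = rel.as_posix()
        if len(rel.parts) == 1:
            # Top-level launcher: compare against the known-good hash set.
            digest = sha256_file(path)
            findings["launchers"][name] = digest
            if digest not in known_launcher_hashes:
                findings["unknown_launchers"].append(name)
        elif rel.parts[0] not in ALLOWED_EXECUTABLE_DIRS:
            # Executable content hidden among game data or engine source.
            findings["unexpected_executables"].append(name)
    return findings


def build_sample_package(base: Path) -> Path:
    """Constructed test data: a fake package with one planted deviation of each kind."""
    pkg = base / "Game-1.0-pc"
    (pkg / "game").mkdir(parents=True)
    (pkg / "lib" / "py3-windows-x86_64").mkdir(parents=True)
    (pkg / "renpy").mkdir()
    (pkg / "Game.exe").write_bytes(b"stock-launcher-bytes")            # matches known hash
    (pkg / "lib" / "py3-windows-x86_64" / "python.dll").write_bytes(b"engine")
    (pkg / "game" / "script.rpy").write_text("label start:\n    return\n")
    (pkg / "renpy" / "main.py").write_text("# engine source\n")
    (pkg / "game" / "update.exe").write_bytes(b"unexpected")           # executable under game/
    (pkg / "Game-32.exe").write_bytes(b"modified-launcher-bytes")      # launcher not in hash set
    return pkg


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        pkg = build_sample_package(Path(tmp))
        known = {hashlib.sha256(b"stock-launcher-bytes").hexdigest()}
        return scan_renpy_package(pkg, known)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A launcher hash that is not in the known-good set is a lead, not a verdict: legitimate repacks rebuild launchers too, so the hash set has to come from the engine release or the publisher's own build. An executable planted under `game/` or `renpy/` is the stronger signal, since the engine never needs one there.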

The loader most commonly deploys an information stealer called ARC. ARC can extract saved browser passwords, cookies, autofill data, system details, clipboard contents and cryptocurrency wallet data. Analysts have also observed RenEngine dropping other payloads from the same installer, including Rhadamanthys stealer, an asynchronous remote access trojan and Backdoor.XWorm, which can provide persistent remote control of an infected machine.

Researchers say the primary infection vector is software piracy: users download cracked games or repacked installers from unofficial sites and run what appears to be a normal launcher or setup file. Because the cracked game often functions as expected, victims may not notice the compromise until credentials are used, funds are moved or the system shows unusual behavior.

The operational impact includes account takeover, financial fraud, theft of cryptocurrency and exposure of personal or work data. Remote access tools deployed by the loader can allow attackers to expand access, move laterally within a network or maintain persistence on machines used for sensitive tasks.

Security guidance from researchers and industry professionals recommends avoiding pirated software and unofficial installers, running up-to-date real-time anti-malware protection, and keeping operating systems and security patches current. If an infection is suspected, users should disconnect the device from networks, run a full scan with reputable antivirus tools and follow a thorough malware-removal process; in severe cases a complete system reinstall may be necessary. Because the stealers involved export saved passwords, session cookies and wallet data, anything stored on the machine should be treated as already compromised: change those passwords and invalidate active sessions from a clean device, and move funds out of any wallet whose keys or seed were present on the infected system.

Researchers continue to monitor the campaign and advise obtaining games and software only from official stores and publishers to reduce the risk of similar infections.