Hackers are using popular Ubisoft franchises to distribute password stealers via torrents.
A free game can turn out to be the most expensive purchase if you have to pay not with money but with access to your computer. Cybersecurity researchers are warning about a campaign that hides within pirated game installers and quietly drops a malware called RenEngine Loader onto your PC. It doesn't interfere with the game's launch and therefore easily remains undetected.
According to the Howler Cell team at Cyderes, the campaign has been active since at least April 2025 and is still ongoing. The malicious logic was discovered in what appeared to be a regular Ren'Py game launcher, making the infection appear "a normal part of the installation" and undetectable.
The scenario is simple and unpleasant: a person downloads a cracked build, installs it, everything works, and a loader runs in the background. Its purpose isn't necessarily to steal anything immediately; rather, it opens the door and downloads the next payload onto the computer. In their report, the researchers describe a connection with HijackLoader and the subsequent delivery of data stealers that are already capable of extracting passwords and other sensitive information.
Popular games and series frequently sought after in pirated repacks are cited as examples of bait, including titles from Electronic Arts and Ubisoft, as well as Far Cry, FIFA, Need for Speed, and Assassin's Creed. Since the game usually launches, the user may not realize for weeks that along with the "savings," they have received foreign code in the system.
Numbers in such stories should always be read with caution. The report states that telemetry has recorded over 400,000 hits related to this chain, but the researchers specifically state that this doesn't equate to "exactly 400,000 unique infected PCs." Nevertheless, the scale is significant: the average number of new detections is estimated at approximately 5,000 per day, and Russia ranks fourth among countries by number of observations (after India, the United States, and Brazil).
The practical conclusion is boring but useful: pirated installers and "cracks" have long been one of the most convenient channels for malware delivery, and this story only confirms the rule. If you've already installed such builds, it makes sense to run a full antivirus scan, update the system, change passwords at least for email and key services, and enable two-factor authentication where available.
A free game can turn out to be the most expensive purchase if you have to pay not with money but with access to your computer. Cybersecurity researchers are warning about a campaign that hides within pirated game installers and quietly drops a malware called RenEngine Loader onto your PC. It doesn't interfere with the game's launch and therefore easily remains undetected.
According to the Howler Cell team at Cyderes, the campaign has been active since at least April 2025 and is still ongoing. The malicious logic was discovered in what appeared to be a regular Ren'Py game launcher, making the infection appear "a normal part of the installation" and undetectable.
The scenario is simple and unpleasant: a person downloads a cracked build, installs it, everything works, and a loader runs in the background. Its purpose isn't necessarily to steal anything immediately; rather, it opens the door and downloads the next payload onto the computer. In their report, the researchers describe a connection with HijackLoader and the subsequent delivery of data stealers that are already capable of extracting passwords and other sensitive information.
Popular games and series frequently sought after in pirated repacks are cited as examples of bait, including titles from Electronic Arts and Ubisoft, as well as Far Cry, FIFA, Need for Speed, and Assassin's Creed. Since the game usually launches, the user may not realize for weeks that along with the "savings," they have received foreign code in the system.
Numbers in such stories should always be read with caution. The report states that telemetry has recorded over 400,000 hits related to this chain, but the researchers specifically state that this doesn't equate to "exactly 400,000 unique infected PCs." Nevertheless, the scale is significant: the average number of new detections is estimated at approximately 5,000 per day, and Russia ranks fourth among countries by number of observations (after India, the United States, and Brazil).
The practical conclusion is boring but useful: pirated installers and "cracks" have long been one of the most convenient channels for malware delivery, and this story only confirms the rule. If you've already installed such builds, it makes sense to run a full antivirus scan, update the system, change passwords at least for email and key services, and enable two-factor authentication where available.
