IN February 2026, researchers from Howler Cell announced a mass campaign distributing pirated games infected with a previously unknown malware family delivered via a loader called RenEngine, which is detected by Kaspersky solutions as Trojan.Python.Agent[.]nb and HEUR:Trojan.Python.Agent[.]gen.
The campaign is not new to Kaspersky; the loader first appeared in March 2025 when it was used to distribute the Lumma stealer (Trojan-PSW.Win32.Lumma[.]gen), and in the ongoing incidents the final payload being distributed is ACR Stealer (Trojan-PSW.Win32.ACRstealer[.]gen). The RenEngine loader uses HijackLoader to deploy its components, injecting the final payload into explorer[.]exe after a multi-stage process and payload decryption, with Lumma and ACR described as part of the current campaign.
Distribution has extended beyond gaming sites to dozens of pirate-software pages, including examples like a pirated CorelDRAW variant, with victims redirected through multiple sites before an infected archive is downloaded. At publication, the highest incident counts were recorded in Russia, Brazil, Turkey, Spain and Germany, indicating a broad, non-targeted spread.
Kaspersky urges caution and notes that modern antivirus solutions with behaviour-based protection can detect these processors and prevent further infection.