Surge in AI-Driven Phishing Attacks and QR Code Quishing in 2025 Spam and Phishing Report - CyberSecurityNews

HomeCyber Security News Surge in AI-Driven Phishing Attacks and QR Code Quishing in 2025 Spam and Phishing Report By Tushar Subhra Dutta February 13, 2026 The distribution of malicious software through pirated games and cracked applications continues to be a highly effective strategy for cybercriminals. By exploiting the widespread desire for free access to premium content, attackers can easily bypass initial user suspicions and deliver complex threats directly to personal devices. A newly identified campaign exemplifies this persistent trend, utilizing a sophisticated loader that hides within modified game launchers to execute a multi-stage infection process without alerting the unsuspecting victim. This emerging threat leverages the structure of the Ren’Py visual novel engine, making the malicious files appear as legitimate components of the game. Victims who attempt to download these compromised packages are often redirected through multiple websites before finally reaching a file-hosting service. Once the user executes the downloaded file, the malware initiates its operation under the guise of a standard loading screen, effectively masking the background malicious activity that is taking place. Securelist analysts identified the malware as RenEngine, a distinct loader family that has been circulating since March 2025. Although earlier iterations were primarily used to distribute the Lumma stealer, recent incidents reveal that the attackers have updated their toolkit to deliver ACR Stealer. This evolution demonstrates the adaptability of the threat actors, who have also expanded their targets to include users searching for pirated graphics software and other productivity tools. These stealers are designed to extract passwords, cryptocurrency wallets, and session cookies from the victim’s machine. Game download page (Source – Securelist) The impact of this campaign is significant, with widespread active incidents recorded across multiple countries including Russia, Brazil, and Spain. The use of a modular loader allows the attackers to customize the infection chain, making it more difficult for standard security solutions to detect and block the initial compromise before damage occurs. This creates a major challenge for personal security. Infection Mechanism and Evasion Tactics The technical sophistication of RenEngine lies in its ability to avoid detection during the initial execution phase. The attack begins with Python scripts that simulate a game loading process while simultaneously performing critical environment checks. These scripts utilize a specific function called is_sandboxed to determine if the code is being analyzed by security researchers. If the system is deemed safe, the malware proceeds to use xor_decrypt_file to unpack the next stage of the payload from an encrypted archive. The complete execution flow of the RenEngine malware (Source – Securelist) Following the initial decryption, the malware employs a technique known as DLL hijacking to load the HijackLoader module. By overwriting the memory of a legitimate system library, specifically dbghelp.dll, the attackers can inject malicious code into a trusted process. This method allows the loader to decrypt and launch the final payload, such as Lumma or ACR Stealer, within the memory space of a system process like explorer.exe. This seamless injection ensures that the malware can operate persistently on the infected device, harvesting highly sensitive user data while remaining hidden from view. Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Tushar Subhra Dutta Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics. Trending News North Korean Hackers Abuse Mastra npm Supply Chain to Target Developers and CI/CD Pipelines Hackers Breached Klue Integration to Steal Salesforce CRM Data via OAuth Tokens Hackers Abuse Legitimate RMM Tools to Maintain Persistent Access and Evade Detection INC Ransomware Uses Rust-Based Windows and Linux/ESXi Encryptors in New Attacks PoC Exploit Released for HTTP/2 Bomb Remote DoS Vulnerability in Apache HTTP Server Latest News Cyber Security Authorities Disrupt Stealer Malware StealC and Amadey Infrastructure in Global Operation Cyber Security News Fake Income Tax Assessment Notice Delivers RAT-Like Malware to Windows Users Cyber Security News PoC Exploit Released for Microsoft Exchange Server Elevation of Privilege Vulnerability Cyber Security News Laravel Livewire Applications Compromised to Steal Credentials Exploiting RCE Vulnerability Cyber Security News Critical Webmin Vulnerabilities Allow Attackers to Impersonate as Any User