Full Report
We disclose new details about campaigns involving RenEngine and HijackLoader malware. Since March 2025, attackers have been distributing the Lumma stealer in a complex chain of infections, and in February 2026, ongoing attacks using ACR Stealer became known.
Analysis Summary
This summary is derived from the disclosure above, which names the malware families and the timeline but does not publish hashes, network indicators or detailed TTPs for the full chain. Fields that are inferred from the role of each component rather than reported are marked as such.
# Tool/Technique: RenEngine (Loader)
## Overview
RenEngine is identified as a loader used in multi-stage infection campaigns. The disclosure names it alongside HijackLoader; its position as the first stage that fetches and executes HijackLoader and, ultimately, Lumma Stealer and ACR Stealer is inferred from its loader role rather than stated.
## Technical Details
- Type: Malware Loader/Dropper
- Platform: Likely Windows (standard for these types of threats)
- Capabilities: Initial access, execution of secondary payloads, part of a multi-stage infection chain.
- First Seen: In this campaign, March 2025 (per the disclosure).
## MITRE ATT&CK Mapping
*Note: Mappings are inferred from the role of a loader, not from analysis of RenEngine samples.*
- **TA0002 - Execution**
- T1059 - Command and Scripting Interpreter (likely used to run post-infection components)
- **TA0005 - Defense Evasion**
- T1218 - System Binary Proxy Execution (formerly "Signed Binary Proxy Execution"; loaders commonly hand a dropped payload to rundll32 or regsvr32, T1218.011 and T1218.010)
## Functionality
### Core Capabilities
- Initial infection vector establishment.
- Dropping or downloading subsequent malware stages.
### Advanced Features
- The same loader precedes different final payloads (Lumma Stealer from March 2025, ACR Stealer by February 2026), which suggests a modular chain in which the stealer stage is swappable.
## Indicators of Compromise
- File Hashes: [Not specified in context]
- File Names: [Not specified in context]
- Registry Keys: [Not specified in context]
- Network Indicators: [Not specified in context]
- Behavioral Indicators: [Inferred: Execution of subsequent, known malicious files]
## Associated Threat Actors
- Threat actors employing this loader in conjunction with HijackLoader, Lumma, and ACR Stealer. (Specific APT group not named in context)
## Detection Methods
- Not specified in the disclosure. Signature detection on known RenEngine samples applies once hashes are published; until then the practical option is behavioral: a freshly written executable or DLL under a user-writable directory being run, directly or through a trusted system binary, as the loader hands off to its next stage.
## Mitigation Strategies
- Inferred: block the initial access vector (the disclosure does not state it) and restrict execution of newly written binaries from user-writable directories, which is where a loader stages its next component.
## Related Tools/Techniques
- HijackLoader
- Lumma Stealer
- ACR Stealer
***
# Tool/Technique: HijackLoader (Loader/Downloader)
## Overview
HijackLoader is the second loader named in the disclosure. Its ordering relative to RenEngine is not stated; the sequence assumed here (RenEngine first, HijackLoader as the secondary loader that stages the stealer) is an inference.
## Technical Details
- Type: Malware Loader/Downloader
- Platform: [Inferred: Windows]
- Capabilities: Used in the complex chain to facilitate the deployment of the final malicious payloads.
- First Seen: In this campaign, March 2025 (the HijackLoader family itself predates these campaigns).
## MITRE ATT&CK Mapping
- **TA0005 - Defense Evasion**
- T1027 - Obfuscated Files or Information
- **TA0002 - Execution**
- T1059 - Command and Scripting Interpreter
## Functionality
### Core Capabilities
- Payload delivery and staging.
### Advanced Features
- Not detailed in the disclosure; assumed to hand off to the stealer stage after RenEngine.
## Indicators of Compromise
- File Hashes: [Not specified in context]
- File Names: [Not specified in context]
- Registry Keys: [Not specified in context]
- Network Indicators: [Not specified in context]
- Behavioral Indicators: [Inferred: In-memory execution or file dropping following initial loading.]
## Associated Threat Actors
- Actors utilizing the RenEngine/HijackLoader chain.
## Detection Methods
- Not specified. Generic loader detections apply: a trusted system binary invoked with a payload path under a user-writable directory, and process lineage that runs from a user-dropped executable to that binary.
## Mitigation Strategies
- [Focus on endpoint protection capable of detecting multi-stage execution.]
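The loader detections listed for RenEngine and HijackLoader above are stated in prose only. The following is an added example, not code from the report or from either malware family: toy detection logic run over constructed process-creation events shaped like Sysmon Event ID 1. It flags T1218 System Binary Proxy Execution when a trusted system binary is handed a payload under a user-writable path, then walks the parent chain so a multi-stage loader sequence surfaces as one alert with its lineage. The process names, paths and the `setup_v2.exe` / `stage2.dll` file names are invented for illustration.

```python
"""
Added example: flag a signed Windows binary proxy-executing a payload from a
user-writable path, and reconstruct the parent chain behind it.
All events in SAMPLE_EVENTS are constructed; the names are hypothetical.
"""
import re
from dataclasses import dataclass

# Signed Windows binaries commonly abused to proxy-execute a dropped payload
# (T1218.011 rundll32, T1218.010 regsvr32, T1218.005 mshta, T1218.007 msiexec).
PROXY_BINARIES = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "msiexec.exe"}

# Directories a standard user can write to; a payload there is what a loader drops.
USER_WRITABLE = re.compile(
    r"\\(appdata|temp|downloads|programdata|users\\public)\\", re.IGNORECASE
)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # its command line


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_proxy_abuse(ev: ProcEvent) -> bool:
    """True when a proxy binary's command line references a user-writable path."""
    if basename(ev.image) not in PROXY_BINARIES:
        return False
    return USER_WRITABLE.search(ev.cmdline) is not None


def parent_chain(ev: ProcEvent, by_pid: dict, max_depth: int = 6) -> list:
    """Ancestors of ev, root first; bounded so a pid cycle cannot loop forever."""
    chain = [ev]
    cur = ev
    while cur.ppid in by_pid and len(chain) < max_depth:
        cur = by_pid[cur.ppid]
        chain.append(cur)
    return list(reversed(chain))


def detect_loader_chains(events: list) -> list:
    """One alert per proxy-execution event, annotated with its process lineage."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        if not is_proxy_abuse(ev):
            continue
        chain = parent_chain(ev, by_pid)
        # Ancestors that themselves run from a user-writable path are the
        # dropped loader stages; zero would mean the proxy call came straight
        # from a trusted parent and deserves a lower score.
        dropped = sum(1 for e in chain[:-1] if USER_WRITABLE.search(e.image))
        alerts.append({
            "pid": ev.pid,
            "chain": [basename(e.image) for e in chain],
            "dropped_ancestors": dropped,
            "cmdline": ev.cmdline,
        })
    return alerts


# Constructed events: a user-launched dropper (pid 200) that proxies a DLL via
# rundll32 and an OCX via regsvr32, plus a benign rundll32 spawned by explorer.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Users\alice\Downloads\setup_v2.exe",
              r"C:\Users\alice\Downloads\setup_v2.exe"),
    ProcEvent(300, 200, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Users\alice\AppData\Local\Temp\stage2.dll,Start"),
    ProcEvent(400, 100, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe shell32.dll,Control_RunDLL"),
    ProcEvent(500, 200, r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32.exe /s C:\ProgramData\upd\core.ocx"),
]

if __name__ == "__main__":
    for a in detect_loader_chains(SAMPLE_EVENTS):
        print(" -> ".join(a["chain"]), "| dropped ancestors:", a["dropped_ancestors"])
```

The benign `rundll32.exe shell32.dll,Control_RunDLL` event is not flagged because its argument is not under a user-writable path; the two flagged events both trace back to the dropped `setup_v2.exe`, which is the signal that separates a loader chain from a one-off proxy-execution false positive. In production the same logic belongs in the EDR or SIEM query language rather than a script, and the path list should be extended with whatever staging directories the environment's own telemetry shows.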
## Related Tools/Techniques
- RenEngine
- Lumma Stealer
- ACR Stealer
***
# Tool/Technique: Lumma Stealer
## Overview
Lumma Stealer is an information-stealing malware deployed as part of the infection chain starting in March 2025. Its primary function is the exfiltration of sensitive data from infected systems.
## Technical Details
- Type: Information Stealer
- Platform: [Inferred: Windows]
- Capabilities: Stealing credentials, cryptocurrency wallets, browsing data, and potentially other sensitive files.
- First Seen: In this chain, March 2025 (Lumma Stealer itself predates the campaign).
## MITRE ATT&CK Mapping
- **TA0009 - Collection**
- T1005 - Data from Local System
- **TA0010 - Exfiltration**
- T1041 - Exfiltration Over C2 Channel
## Functionality
### Core Capabilities
- Theft of stored credentials (browsers, email clients, etc.).
- Theft of cryptocurrency wallet files/information.
### Advanced Features
- Not detailed in the disclosure. Features typical of commodity stealers, such as anti-analysis checks and targeted searches for credential stores and wallet files, should be assumed until samples are analyzed.
## Indicators of Compromise
- File Hashes: [Not specified in context]
- File Names: [Not specified in context]
- Registry Keys: [Not specified in context]
- Network Indicators: [Not specified in context]
- Behavioral Indicators: [Inferred: Attempts to locate specific browser profile folders or wallet databases.]
## Associated Threat Actors
- Threat actors active since at least March 2025 using this specific distribution pipeline.
## Detection Methods
- Not specified. Beyond signatures on Lumma samples, the durable signal is behavioral: a process that is not a browser or wallet application reading browser credential databases and wallet files.
## Mitigation Strategies
- Strong endpoint security prioritizing credential and data protection monitoring.
## Related Tools/Techniques
- ACR Stealer (the later stealer payload in the same distribution pipeline; whether the two were deployed side by side is not stated)
***
# Tool/Technique: ACR Stealer
## Overview
ACR Stealer is the second information stealer in the disclosure; ongoing attacks using it became known in February 2026. Whether it replaced Lumma Stealer in the chain or ran alongside it is not stated.
## Technical Details
- Type: Information Stealer
- Platform: [Inferred: Windows]
- Capabilities: Data theft and exfiltration.
- First Seen: In this chain, February 2026 (when the attacks became known; the family itself may be older).
## MITRE ATT&CK Mapping
- **TA0006 - Credential Access**
- T1555 - Credentials from Password Stores (T1555.003, Credentials from Web Browsers, where browser data is the target)
- **TA0010 - Exfiltration**
- T1041 - Exfiltration Over C2 Channel (the usual stealer pattern); T1048 - Exfiltration Over Alternative Protocol applies only if a channel separate from C2 is used, which the disclosure does not state
## Functionality
### Core Capabilities
- Data collection focusing on credentials and sensitive information.
### Advanced Features
- Not detailed in the disclosure; capability overlap with other commodity stealers is assumed.
## Indicators of Compromise
- File Hashes: [Not specified in context]
- File Names: [Not specified in context]
- Registry Keys: [Not specified in context]
- Network Indicators: [Not specified in context]
- Behavioral Indicators: [Inferred: Activity mirroring credential harvesting routines.]
## Associated Threat Actors
- Threat actors employing complex chains involving RenEngine/HijackLoader for deployment.
## Detection Methods
- Behavioral detection of credential harvesting. Stealers read credential stores rather than modify them, so the signal is a non-browser process opening browser login and cookie databases, key material such as the Chromium Local State file, or wallet files, or a copy of those files appearing under a temp directory.
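The Lumma Stealer and ACR Stealer detection methods above describe the same behavior, so one added example serves both. This is illustrative code, not from the report or from either stealer: it runs over constructed file-open telemetry of the kind an EDR emits (process image plus file path), maps each path to the credential or wallet store it belongs to, ignores the application that legitimately owns that store, and raises the severity when a single process touches several unrelated stores, which is the stealer signature that no single event shows. The process name `svchost_upd.exe`, the profile names and the pids are invented.

```python
"""
Added example: flag non-owner processes reading browser credential stores and
wallet files, and escalate when one process sweeps several store types.
SAMPLE_EVENTS is constructed; process and profile names are hypothetical.
"""
import re
from collections import defaultdict

# Store categories keyed by a path pattern. Patterns do not overlap, so the
# first match is the only match.
CRED_STORES = {
    "chromium_logins":    re.compile(r"\\User Data\\[^\\]+\\Login Data$", re.I),
    "chromium_cookies":   re.compile(r"\\User Data\\[^\\]+\\(Network\\)?Cookies$", re.I),
    "chromium_masterkey": re.compile(r"\\User Data\\Local State$", re.I),
    "firefox_logins":     re.compile(r"\\Profiles\\[^\\]+\\(logins\.json|key4\.db)$", re.I),
    "wallet":             re.compile(r"\\(wallet\.dat|default_wallet|exodus\.wallet)$", re.I),
}

# Processes expected to open each store; anything else is a candidate reader.
CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}
EXPECTED_OWNERS = {
    "chromium_logins": CHROMIUM_BROWSERS,
    "chromium_cookies": CHROMIUM_BROWSERS,
    "chromium_masterkey": CHROMIUM_BROWSERS,
    "firefox_logins": {"firefox.exe"},
    "wallet": {"bitcoin-qt.exe", "bitcoind.exe", "electrum.exe", "exodus.exe"},
}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(path: str):
    """Name of the credential/wallet store a path belongs to, or None."""
    for name, pattern in CRED_STORES.items():
        if pattern.search(path):
            return name
    return None


def detect_stealer_access(events: list, min_categories: int = 2) -> list:
    """events: dicts with pid, image, path. Returns one alert per offending pid."""
    touched = defaultdict(set)
    images = {}
    for ev in events:
        category = classify(ev["path"])
        if category is None:
            continue
        proc = basename(ev["image"])
        if proc in EXPECTED_OWNERS[category]:
            continue  # the browser or wallet application reading its own store
        touched[ev["pid"]].add(category)
        images[ev["pid"]] = proc
    alerts = []
    for pid, categories in touched.items():
        # A backup tool may legitimately touch one store type; sweeping several
        # unrelated stores from one process is the stealer pattern.
        alerts.append({
            "pid": pid,
            "image": images[pid],
            "stores": sorted(categories),
            "severity": "high" if len(categories) >= min_categories else "medium",
        })
    return alerts


# Constructed telemetry: Chrome reading its own store (ignored), a dropped
# binary sweeping four store types, a backup tool touching one wallet file,
# and an unrelated file read that classifies as nothing.
U = r"C:\Users\alice\AppData"
STEALER = U + r"\Roaming\upd\svchost_upd.exe"
SAMPLE_EVENTS = [
    {"pid": 11, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": U + r"\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 4242, "image": STEALER,
     "path": U + r"\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 4242, "image": STEALER,
     "path": U + r"\Local\Google\Chrome\User Data\Local State"},
    {"pid": 4242, "image": STEALER,
     "path": U + r"\Roaming\Mozilla\Firefox\Profiles\x9k2.default-release\key4.db"},
    {"pid": 4242, "image": STEALER, "path": U + r"\Roaming\Bitcoin\wallet.dat"},
    {"pid": 777, "image": r"C:\Program Files\Backup\backup.exe",
     "path": U + r"\Roaming\Bitcoin\wallet.dat"},
    {"pid": 4242, "image": STEALER, "path": U + r"\Local\Temp\report.txt"},
]

if __name__ == "__main__":
    for alert in detect_stealer_access(SAMPLE_EVENTS):
        print(alert["severity"], alert["image"], alert["stores"])
```

File-read telemetry of this kind comes from an EDR; Sysmon does not log reads, so with Sysmon alone the pivot is Event ID 11 (FileCreate) for the copy of the database that stealers commonly write to a temp directory before parsing it. The store patterns are the common defaults and will need extending for additional browsers and wallet applications present in the environment.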
## Mitigation Strategies
- Multi-factor authentication (MFA) limits reuse of stolen passwords, but not of stolen session cookies; after a confirmed stealer infection, revoke active sessions and rotate credentials as well.
## Related Tools/Techniques
- Lumma Stealer