Distribution of Rhadamanthys Malware Disguised as a Game Developed with Ren’Py

AhnLab SEcurity intelligence Center (ASEC) has confirmed that the Rhadamanthys infostealer is being distributed disguised as a game created with Ren’Py. Ren’Py is a Python-based game engine that lets developers assemble stories, dialogue, images, and sound with simple scripts. It is open source and runs on multiple operating systems, so it is widely used by indie developers, and games built with it are also published on major platforms such as Steam.

 

The attack is disguised as an ordinary game, but when the game is launched, a malicious loader runs and ultimately executes the Rhadamanthys infostealer. This report describes the malware’s distribution method, internal operation, and detection evasion techniques.

 


Figure 1. RenPy official website

 

 

When developing a game with Ren’Py, four script files are essential: “script.rpy”, “options.rpy”, “gui.rpy”, and “screens.rpy”. All of them are Python-based scripts with the Ren’Py-specific “.rpy” extension.

 


Figure 2. Normal “script.rpy” template code

After the game is built, these four files are normally present in the game path. They can be compiled and packed into a single file, which is usually named “archive.rpa”. Packing the four files into one archive reduces the file size and hides the game source, so most developers pack the scripts before distribution. When the game launcher is executed, it unpacks “archive.rpa”, extracts the script files, and reads and executes them.

 

Among them, the key file is “script.rpy”, which serves as the entry point of the game’s execution flow and defines the main logic, including the scenarios and labels. A threat actor who inserts a malicious script into this file controls what the game executes. In the case discussed here, the threat actor used this mechanism to place a malicious script in “script.rpy” and used it to run additional malware located in the same path.

 

Attack Flow

 

As mentioned above, the threat actor inserted a malicious script into “script.rpy”, a file required to run the game, so that the malware executes when the launcher “lnstaIer.exe” is run. Note that the launcher is not named “Installer.exe”: it is spelled with a lowercase L and an uppercase I (“lnstaIer”), which look identical in many fonts. The overall attack flow and the role of each file are shown in Figure 3 and Table 1 below.

 


Figure 3. Attack flow
 

No.  File name           Function
1    lnstaIer.exe        Game launcher (legitimate Ren’Py executable)
2    lnstaIer.py         Script referenced by lnstaIer.exe to locate the game folder
3    .key                Configuration file: Base64-encoded JSON
4    archive.rpa         Packed archive containing the compiled game scripts (including the malicious script.rpy)
5    __init__.py         Package initializer that imports file_system.py, internet_access.py, sandbox.py, and specs.py
6    file_system.py      Checks VM-related processes and registry keys (used together with sandbox.py)
7    internet_access.py  Checks for external internet connectivity
8    sandbox.py          Determines whether the host is a virtual environment
9    specs.py            Collects system information (CPU, drive capacity, RAM, etc.)

Table 1. Key file information
 

Analysis

 

The attack starts with the distribution of a ZIP file through MediaFire. All ZIP files collected so far share the same name, “Free Download Files.zip”. Given this, the threat actor is most likely posting links that promise free downloads of paid games and using them to distribute the malicious files.

 


Figure 4. Malicious ZIP file being distributed via MediaFire
 

The structure of the ZIP file is shown in Figure 5, and the main files and their functions are summarized in Table 1 above. When the user runs the legitimate executable “lnstaIer.exe”, it loads the legitimate script “lnstaIer.py” to locate the game folder (data) and set up the path. The Ren’Py runtime then unpacks “archive.rpa”, which contains the compiled malicious script (script.rpy), and executes it. While “script.rpy” runs, the malicious “__init__.py” in the “\data\python-packages\planner” path is imported automatically.


Figure 5. Composition of the ZIP file

 

“__init__.py” is imported automatically because Ren’Py lets developers ship their own modules and packages in a “python-packages” folder, which is added to the Python module search path. [1] Since “script.rpy” is written to import the module in this folder, the “__init__.py” in “\data\python-packages\planner” runs at import time, and the scripts in that folder become available to the game.
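To make the archive and python-packages mechanism concrete, here is an added example (not code from the ASEC report or from Ren’Py) that packs a constructed script.rpy into an RPA-3.0 archive, reads it back with a pickle loader that refuses global lookups, and lists which scripts import a package shipped under python-packages. The sample script, file names and archive key are constructed; the RPA-3.0 layout follows my understanding of Ren’Py’s archiver, and compiled .rpyc files are not handled.

```python
import io
import pickle
import re
import zlib

# Constructed sample script (not the attacker's script.rpy). It mirrors the
# pattern in the article: the entry-point script imports a package shipped in
# game/python-packages, so that package's __init__.py runs before the game.
SAMPLE_SCRIPT_RPY = b"""\
init python:
    import planner
label start:
    "Loading..."
    return
"""
SAMPLE_FILES = {
    "script.rpy": SAMPLE_SCRIPT_RPY,
    "options.rpy": b"define config.name = 'Demo'\n",
}

HEADER_LEN = 34  # b"RPA-3.0 " + 16 hex digits + b" " + 8 hex digits + b"\n"


def build_rpa3(files, key=0x42424242):
    """Pack files into an RPA-3.0 archive as Ren'Py's archiver lays it out:
    raw file bodies, then a zlib-compressed pickled index whose offsets and
    lengths are XORed with the key from the header (key is a constructed value)."""
    body = io.BytesIO()
    body.write(b"\x00" * HEADER_LEN)  # placeholder, replaced by the real header
    index = {}
    for name, data in files.items():
        offset = body.tell()
        body.write(data)
        # entry = (offset, length, prefix); prefix is the empty string as Ren'Py writes it
        index[name] = [(offset ^ key, len(data) ^ key, "")]
    index_offset = body.tell()
    body.write(zlib.compress(pickle.dumps(index, protocol=2)))
    header = b"RPA-3.0 %016x %08x\n" % (index_offset, key)
    return header + body.getvalue()[HEADER_LEN:]


class _PlainUnpickler(pickle.Unpickler):
    """Ren'Py loads the index with pickle. A triage tool must not trust it: the
    index needs only dict/list/tuple/str/int, so refuse every global lookup,
    which is the feature a hostile pickle uses to run code."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing global {module}.{name}")


def read_rpa3(blob):
    """Return {name: bytes} for an RPA-3.0 archive held in memory."""
    header, _, _ = blob.partition(b"\n")
    parts = header.split(b" ")
    if len(parts) != 3 or parts[0] != b"RPA-3.0":
        raise ValueError("not an RPA-3.0 archive")
    index_offset, key = int(parts[1], 16), int(parts[2], 16)
    raw_index = zlib.decompress(blob[index_offset:])
    index = _PlainUnpickler(io.BytesIO(raw_index), encoding="latin1").load()
    files = {}
    for name, entries in index.items():
        chunks = []
        for offset, length, prefix in entries:
            offset ^= key
            length ^= key
            if isinstance(prefix, str):  # Python 2 era archives store a str prefix
                prefix = prefix.encode("latin1")
            chunks.append(prefix + blob[offset:offset + length - len(prefix)])
        files[name] = b"".join(chunks)
    return files


IMPORT_RE = re.compile(rb"^[ \t]*(?:import|from)[ \t]+([A-Za-z_][\w.]*)", re.M)


def find_package_imports(files, python_packages):
    """List (script, package) pairs where a .rpy script imports a package that
    ships in game/python-packages. Only plain .rpy sources are scanned; compiled
    .rpyc files are pickled and would have to be decompiled first."""
    hits = []
    for name, data in files.items():
        if not name.endswith(".rpy"):
            continue
        for mod in IMPORT_RE.findall(data):
            top = mod.split(b".", 1)[0].decode("ascii")
            if top in python_packages:
                hits.append((name, top))
    return hits


if __name__ == "__main__":
    archive = build_rpa3(SAMPLE_FILES)
    unpacked = read_rpa3(archive)
    # The package names to look for come from the contents of data/python-packages/
    print(find_package_imports(unpacked, {"planner"}))
```

The restricted unpickler is the point of the reader: the engine may load its own index with a plain pickle, but a tool that opens attacker-supplied archives must not, because a crafted index would execute code during the load.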

 


Figure 6. The “planner” package being imported from the “script.rpy” file
 

When “script.rpy” is executed, the code in “__init__.py” runs first. It collects information such as whether the host is a virtual environment, whether it has external internet access, and the system’s drive details, and sends it to the external server. It then locates the “.key” file and Base64-decodes it. The decoded content is JSON that contains the name of the compressed file, its password, and the name of the file to execute. Next, a folder named “.tmp” is created and the compressed file is extracted into it. Finally, the extracted “UIS4tq7P.exe”, a renamed copy of the legitimate OLE/COM Object Viewer (OleView) that is harmless on its own, is executed.

※ The file names are different for each sample, and this article uses “UIS4tq7P.exe” and “iviewers.dll” in the body.

 


Figure 7. The structure of the .key file and the decompressed files

 

 

When “UIS4tq7P.exe” runs, it loads “iviewers.dll” from the same directory (DLL side-loading: the legitimate viewer expects that DLL, and the attacker supplies a malicious one) and then spawns a .NET process as a child. Rhadamanthys is then injected into that child process. At the same time, a game loading screen is displayed. This is a fake screen designed to deceive the user; it waits 999,999 seconds (roughly 11.5 days) before closing.
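A detection check for the side-load and injection step described above, as an added example that is not part of the ASEC report. It runs over constructed Sysmon-style process-create and image-load records (invented paths and GUIDs; the .NET child image name and the trusted-directory prefixes are assumptions) and flags a process that loads iviewers.dll from its own, non-system directory, raising the severity when that process also spawns a .NET host.

```python
import ntpath
from collections import defaultdict

# DLL names to watch for. The article's case used iviewers.dll, which the
# OLE/COM Object Viewer loads from its own directory.
SIDELOAD_DLLS = {"iviewers.dll"}

# Assumption for this example: a legitimate copy of the viewer and its DLL live
# under Program Files (Windows SDK) or the Windows directory; a copy loading the
# DLL from a user-writable directory is suspicious.
TRUSTED_PREFIXES = ("c:\\program files", "c:\\windows")

# Constructed Sysmon-style events (not real telemetry). id 1 = process create,
# id 7 = image load. GUIDs and paths are invented; file names match the sample.
DL = "C:\\Users\\victim\\Downloads\\Free Download Files"
SAMPLE_EVENTS = [
    {"id": 1, "guid": "{A1}", "parent_guid": "{00}", "image": DL + "\\lnstaIer.exe"},
    {"id": 1, "guid": "{A2}", "parent_guid": "{A1}",
     "image": DL + "\\data\\.tmp\\UIS4tq7P.exe"},
    {"id": 7, "guid": "{A2}", "image": DL + "\\data\\.tmp\\UIS4tq7P.exe",
     "loaded": DL + "\\data\\.tmp\\iviewers.dll"},
    # .NET child used as the injection target; the image name is an assumption
    {"id": 1, "guid": "{A3}", "parent_guid": "{A2}",
     "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"},
    # benign: the SDK's own oleview.exe loading its own iviewers.dll
    {"id": 7, "guid": "{B1}",
     "image": "C:\\Program Files (x86)\\Windows Kits\\10\\bin\\x64\\oleview.exe",
     "loaded": "C:\\Program Files (x86)\\Windows Kits\\10\\bin\\x64\\iviewers.dll"},
]


def _norm(path):
    """Case-fold a Windows path so comparisons ignore letter case."""
    return path.lower()


def detect_sideload(events):
    """Correlate suspicious side-loads with their child processes.

    Alert when a process loads a watched DLL from its own directory outside the
    trusted prefixes. Severity becomes "high" if that process also spawns a
    child whose image lives under Microsoft.NET, the injection-target pattern
    described in the article. Event order does not matter: loads and process
    creations are collected first and correlated by ProcessGuid afterwards."""
    sideloads = {}
    children = defaultdict(list)
    for e in events:
        if e["id"] == 7:
            loaded = _norm(e["loaded"])
            dll = ntpath.basename(loaded)
            same_dir = ntpath.dirname(loaded) == ntpath.dirname(_norm(e["image"]))
            if dll in SIDELOAD_DLLS and same_dir and not loaded.startswith(TRUSTED_PREFIXES):
                sideloads[e["guid"]] = e
        elif e["id"] == 1:
            children[e["parent_guid"]].append(e["image"])

    alerts = []
    for guid, e in sideloads.items():
        dotnet_children = [c for c in children[guid] if "\\microsoft.net\\" in _norm(c)]
        alerts.append({
            "guid": guid,
            "image": e["image"],
            "dll": e["loaded"],
            "dotnet_children": dotnet_children,
            "severity": "high" if dotnet_children else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_sideload(SAMPLE_EVENTS):
        print(alert)
```

The same-directory test is what separates side-loading from an ordinary load of a DLL by its own application, and the trusted-prefix check is what keeps the SDK’s real OleView from alerting; in production both lists would come from your environment’s inventory rather than the constants above.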

 


Figure 8. Fake loading screen

 

 

The threat actor, with a clear understanding of Ren’Py’s execution mechanism, abused it to distribute Rhadamanthys, which continues to be spread through a variety of channels. Separately, in forums that share both legal and illegal adult games, there have been cases where a game developer’s account was compromised and the LummaC2 infostealer was distributed in place of the legitimate game files. Malware other than Rhadamanthys may therefore be distributed in the same way. These cases show that the file-sharing environment of such forums can be abused for malware distribution, and users should be especially cautious when downloading files from them.

 

File Detection

  • Trojan/Win.Generic.R729425 (2025.10.08.01)
  • Trojan/Win.Injector.R729869 (2025.10.13.01)
  • Trojan/Win.Injector.R729189 (2025.10.05.00)
  • Trojan/Win.Injector.R731064 (2025.10.19.01)
  • Trojan/Win.Injector.R730188 (2025.10.14.00)
  • Trojan/Win.Injector.R730185 (2025.10.13.03)

 

MD5

0026aee93b911e3e8588724e30f0816c
01ff1b158afbe84c8f7fd4fce19d748b
0401aba66ff3ae558f290e8c7da15ba3
0758c5416e1b8a3972a9e220b53d9f78
0a2e925e1aacdd8f67979205dd41cf2c

URL

https[:]//146[.]103[.]114[.]25/gateway/bi24namg[.]diqdh
https[:]//api[.]blagomezbart[.]top/gateway/j2ucqiol[.]ccile
https[:]//api[.]ganjasmokeha[.]top/gateway/dv55j64q[.]qamne
https[:]//api[.]goblaosdrt[.]top/gateway/7rjhfv2i[.]vq0fk
https[:]//api[.]khljokas[.]top/gateway/j85bu13i[.]bib6n