Trojanized Super Mario Installer Goes After Gamer Data

Published: 23/11/2024   Category: security




A trojanized installer for the popular Nintendo game infects Windows machines with several strains of malware, including a cryptominer and an infostealer, again showcasing the importance of remote-worker security hygiene.



Attackers have turned a legitimate installer for a popular Super Mario Bros game into a Trojan that spreads various malware infections, including a cryptocurrency miner and an info stealer, across Windows machines.
A team from Cyble Research and Intelligence Labs (CRIL) has discovered an installer for Super Mario 3: Mario Forever, a perfectly legitimate, free Windows version of the enormously popular Nintendo game, that also bundles an XMR miner, a SupremeBot mining client, and the open-source Umbral Stealer, they revealed in a blog post published June 23. The malware bundle could be an issue for the many businesses with remote or hybrid workers who use personal devices for work purposes and vice versa.
The installer file, an NSIS installer dubbed Super-Mario-Bros.exe, actually contains three executables: super-mario-forever-v702e, which is the genuine and safe Super Mario game application, and two malicious executables, java.exe and atom.exe, that deliver the malware, they said.
Perhaps most concerning for businesses is Umbral Stealer, a lightweight stealer written in C# that has been available on GitHub since April, which the malware loads into process memory, the researchers said. Umbral Stealer lifts credentials and other data from various browsers, including Brave, Chrome, Opera, Edge, and Vivaldi; captures screenshots and webcam images; steals Telegram session files and Discord tokens; acquires Roblox cookies and Minecraft session files; and collects files associated with cryptocurrency wallets. The data the stealer collects is saved to dedicated directories within the temporary folder and eventually transmitted to the attacker using Discord webhooks, the researchers added.
Threat actors often tuck malware into game installers because of the substantial size of the online gaming community and the inherent trust gamers place in legitimate game installers, the researchers said. Using Super Mario Bros., a franchise that has been around since the 1980s and already has millions of followers, to deliver malware makes perfect sense then, especially as the franchise has experienced a resurgence in popularity of late thanks to the release of new games and 2023's The Super Mario Bros. Movie.
Malware distributed through game installers can be monetized through activities like stealing sensitive information, conducting ransomware attacks, and more, the researchers explained in the post.
Moreover, using game installers to mine crypto is an especially popular tactic with threat actors because the powerful hardware commonly associated with gaming provides valuable computing power for mining cryptocurrencies, they said.
Once a user executes the Super-Mario-Bros.exe file, it drops the super-mario-forever-v702e.exe file in the target machine's %appdata% directory and initiates execution, which in turn displays an installation wizard to continue installing the program.
Meanwhile, in the background, the NSIS installer discreetly drops the files java.exe and atom.exe, in addition to the Super Mario Forever game, within the %appdata% directory and proceeds to execute them, the researchers said. The java.exe file is actually an XMR miner executable designed to mine the Monero cryptocurrency, while atom.exe delivers Umbral Stealer and serves as a SupremeBot mining client, establishing the miner's network connection, receiving mining tasks, and effectively managing the entire mining process, they said.
The XMR miner operates stealthily in the background without the victim's knowledge, consuming computing resources to mine Monero and also collecting data from the victim's system, including computer name, username, GPU, CPU, and other details, the researchers said. It then transmits that data to a command-and-control (C2) server.
The SupremeBot mining client also performs several nefarious activities. It starts with a POST request to hxxp://silentlegion[.]duckdns[.]org/gate/update[.]php that includes the victim system's CPU and GPU versions as a unique identifier, used to verify whether the client is already registered. If the identifier is not found, the client sends a further POST request to register itself by adding the identifier.
Once SupremeBot establishes a client connection, it receives an XMRig CPU and GPU mining configuration from the command-and-control (C2) server, then sends another POST request to hxxp://silentlegion[.]duckdns[.]org/gate/config[.]php containing the miner configuration specific to the victim's machine.
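The registration-then-config sequence above, plus the Discord-webhook exfiltration Umbral Stealer uses, is a pattern a SOC can hunt for in web-proxy or EDR network telemetry. The following is an added example written for this page, not code from Cyble or from the malware. The log line format and the log lines themselves are constructed for the demo; the C2 host and the /gate/update.php and /gate/config.php paths are the ones the article reports, the discord.com/api/webhooks/ prefix is the standard Discord webhook URL form, and the broader rule that flags any POST to a /gate/ path on a duckdns.org host is an assumption of mine, since dynamic-DNS names are cheap for an operator to rotate.

```python
"""Hunt proxy/EDR web logs for SupremeBot C2 beacons and Umbral-style webhook exfil.

Added example for this page; indicators come from the Cyble write-up, the log
format and the sample lines below are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Indicators reported in the article (live form, for matching; the text keeps them defanged).
C2_HOST = "silentlegion.duckdns.org"
C2_PATHS = {"/gate/update.php", "/gate/config.php"}
# Standard Discord webhook URL prefix, the channel Umbral Stealer exfiltrates over.
WEBHOOK_PREFIX = "https://discord.com/api/webhooks/"

# Constructed sample log: "<timestamp> <client-ip> <process> <method> <url> <status>".
SAMPLE_LOG = """\
2024-06-23T10:01:02Z 10.0.0.15 atom.exe POST http://silentlegion.duckdns.org/gate/update.php 200
2024-06-23T10:01:03Z 10.0.0.15 atom.exe POST http://silentlegion.duckdns.org/gate/config.php 200
2024-06-23T10:01:09Z 10.0.0.15 atom.exe POST https://discord.com/api/webhooks/111/abc 204
2024-06-23T10:02:00Z 10.0.0.22 Discord.exe GET https://discord.com/api/v9/users/@me 200
2024-06-23T10:02:10Z 10.0.0.22 chrome.exe GET https://www.nintendo.com/ 200
2024-06-23T10:03:00Z 10.0.0.31 svchost.exe POST http://other-host.duckdns.org/gate/update.php 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


@dataclass(frozen=True)
class Alert:
    client: str
    process: str
    url: str
    reason: str


def classify(process: str, method: str, url: str) -> Optional[str]:
    """Return a reason string if this request matches the described behaviour, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path

    # Exact indicators from the article: registration and config POSTs to the C2.
    if host == C2_HOST and path in C2_PATHS:
        return "known SupremeBot C2 endpoint"

    # Assumption (mine, not from the article): the same /gate/*.php layout on any
    # dynamic-DNS host is worth a look, because duckdns names are trivial to rotate.
    if host.endswith(".duckdns.org") and method == "POST" and path.startswith("/gate/"):
        return "SupremeBot-like POST to /gate/ on dynamic DNS host"

    # Umbral Stealer ships collected data over Discord webhooks. The Discord client itself
    # does not normally POST to webhook URLs, so any other process doing so is suspicious.
    if url.startswith(WEBHOOK_PREFIX) and method == "POST" and process.lower() != "discord.exe":
        return "Discord webhook POST from non-Discord process (Umbral-style exfil)"

    return None


def scan(log_text: str) -> List[Alert]:
    """Parse the constructed log format and return one Alert per matching line, in order."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the hunt
        _ts, client, process, method, url, _status = m.groups()
        reason = classify(process, method, url)
        if reason:
            alerts.append(Alert(client, process, url, reason))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.client} {a.process} {a.url} -> {a.reason}")
```

Run against the sample, the scan flags the two C2 POSTs and the webhook upload from atom.exe on 10.0.0.15, plus the look-alike /gate/ POST from a third host, while the Discord client's own API call and ordinary browsing stay quiet. The webhook rule is the most durable of the three: the C2 host can change overnight, but Umbral's exfil channel is baked into the tool.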
The most common-sense way to avoid being compromised by the trojanized Super Mario loader is not to download software from warez/torrent websites, the researchers said. This is especially important for users working on corporate networks, where a malware infection that starts from an infected game installer can spread throughout the enterprise.
To reinforce that guidance, organizations should provide security awareness training so that employees refrain from opening untrusted links and email attachments without first verifying their authenticity, and learn how to spot phishing attacks and the untrusted URLs they contain, they said.
Organizations should also update their overall information security and acceptable usage policies to prohibit downloading and installing cryptomining software on end-user systems, the researchers advised.
Blocking URLs of known torrent sites that can be used to spread the malware, and monitoring endpoints and servers for unexpected spikes in CPU and RAM utilization that signal a potential malware infection, can also limit the spread of accidentally downloaded malware on corporate systems, the researchers added.
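Two of the observations on this page translate directly into endpoint checks: the installer drops java.exe, atom.exe and super-mario-forever-v702e.exe straight into %appdata% (a real Java runtime does not live there), and the XMR miner pins the CPU for as long as it runs. The block below is an added example for this page, not Cyble's tooling; the file listing and the CPU samples are constructed, the 80% threshold and the three-sample minimum are my own choices, and it uses ntpath so the Windows paths evaluate correctly even when the script is run on another OS.

```python
"""Endpoint-side triage for the drop-and-mine behaviour described in the article.

Added example for this page. Dropped file names come from the write-up; the
sample paths, CPU samples and thresholds below are constructed for the demo.
"""
import ntpath
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# File names the article says the NSIS installer writes directly into %appdata%.
DROPPED_NAMES = {"super-mario-forever-v702e.exe", "java.exe", "atom.exe"}

# Constructed directory listing (not from a real host). First three are the drops.
APPDATA = r"C:\Users\alice\AppData\Roaming"
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Roaming\super-mario-forever-v702e.exe",
    r"C:\Users\alice\AppData\Roaming\java.exe",
    r"C:\Users\alice\AppData\Roaming\atom.exe",
    r"C:\Program Files\Java\jre\bin\java.exe",          # legitimate JRE, not flagged
    r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\profiles.ini",
]

# Constructed per-tick CPU samples, (process, percent), in time order.
SAMPLE_CPU: List[Tuple[str, float]] = [
    ("java.exe", 95.0), ("chrome.exe", 90.0), ("ffmpeg.exe", 99.0),
    ("java.exe", 97.0), ("chrome.exe", 20.0), ("ffmpeg.exe", 99.0),
    ("java.exe", 96.0), ("chrome.exe", 85.0),
    ("java.exe", 98.0), ("chrome.exe", 10.0),
]


def suspicious_appdata_drops(paths: Iterable[str], appdata: str) -> List[str]:
    """Return paths that match a dropped file name and sit directly in %appdata%.

    The parent-directory test matters: java.exe under Program Files is normal,
    java.exe as a loose file in the Roaming root is the pattern from the article.
    """
    appdata_norm = ntpath.normcase(ntpath.normpath(appdata))
    hits = []
    for p in paths:
        p_norm = ntpath.normcase(ntpath.normpath(p))  # lowercases and fixes slashes
        if ntpath.dirname(p_norm) == appdata_norm and ntpath.basename(p_norm) in DROPPED_NAMES:
            hits.append(p)
    return hits


def sustained_cpu_hogs(samples: Iterable[Tuple[str, float]],
                       threshold: float = 80.0,
                       min_consecutive: int = 3) -> List[str]:
    """Return processes that stayed at or above `threshold` for `min_consecutive` samples in a row.

    A single spike is not interesting (games and encoders spike too); a miner holds the
    CPU continuously, which is what the consecutive-sample requirement captures.
    """
    streak: Dict[str, int] = defaultdict(int)
    flagged = set()
    for process, cpu in samples:
        if cpu >= threshold:
            streak[process] += 1
            if streak[process] >= min_consecutive:
                flagged.add(process)
        else:
            streak[process] = 0  # any dip resets the run
    return sorted(flagged)


def triage(paths: Iterable[str], appdata: str,
           samples: Iterable[Tuple[str, float]]) -> Dict[str, List[str]]:
    """Combine both signals; a hog whose name is also a dropped file is the strongest hit."""
    drops = suspicious_appdata_drops(paths, appdata)
    hogs = sustained_cpu_hogs(samples)
    drop_names = {ntpath.basename(d).lower() for d in drops}
    return {
        "dropped_files": drops,
        "cpu_hogs": hogs,
        "hog_and_dropped": [h for h in hogs if h.lower() in drop_names],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PATHS, APPDATA, SAMPLE_CPU).items():
        print(f"{key}: {value}")
```

On the constructed data the triage lists all three drops, flags java.exe as the only sustained hog (chrome.exe spikes but never holds, ffmpeg.exe holds for only two samples), and reports java.exe under both signals. On a live host you would feed `suspicious_appdata_drops` the real `%APPDATA%` listing and `sustained_cpu_hogs` a few minutes of per-process samples from your EDR or performance counters; neither signal is conclusive alone, which is why the combined key is the one worth alerting on.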
