Umbral Stealer Discovered in Trojanized Super Mario Installer

A trojanized Super Mario Bros game installer has been found to contain multiple malicious components, including an XMR miner, the SupremeBot mining client and the open-source Umbral Stealer.

The discovery comes from security researchers at Cyble Research and Intelligence Labs (CRIL), who described the threat in an advisory published last Friday.

According to the technical write-up, the malicious campaign takes advantage of the powerful hardware commonly associated with gaming to mine cryptocurrencies and steal sensitive information.

“The malware files were found bundled with a legitimate installer file of super-mario-forever-v702e,” CRIL explained. “This incident highlights another reason TAs [threat actors] utilize game installers as a delivery mechanism.”

The attack chain starts with the trojanized Super Mario Bros game installer, which bundles the malicious files with a legitimate installer file and delivers the payload to unsuspecting users.

Upon execution, the malware silently drops files and initiates their execution. The dropped files include an XMR miner, which utilizes the victim’s computing resources for cryptocurrency mining, and the SupremeBot mining client, responsible for managing the mining process.

The malware also deploys the Umbral Stealer, an open-source information stealer, to pilfer computer name, username, GPU, CPU and other data from the victim’s system. The stolen data is then transmitted to the attacker’s command and control server (C2).

According to CRIL, the combination of mining activities and information theft results in financial losses, system performance degradation and resource depletion.

“As a consequence, both individual users and organizations suffer severe productivity setbacks,” reads the advisory.

To protect against threats like this, the company advised users and organizations to monitor their system performance, implement strict security policies, refrain from downloading software from untrusted sources and utilize reputable antivirus software.

“CRIL maintains vigilant monitoring of the most recent malware variants in circulation, ensuring the continual updating of blogs with actionable intelligence to safeguard users against such attacks,” the advisory concludes.
