Super Mario costume
A woman poses with a costumed character of Super Mario during the world's largest computer games fair Gamescom in Cologne. Reuters / WOLFGANG RATTAY


  • Malicious actors have found a way to weaponize a legitimate game installer
  • Now trojanized, installing a game in an device is like opening a pandora's box
  • A cybersecurity firm claims the installer is laced with malware infections, some of which target crypto wallets

A trojanized installer for the fan-favorite game "Super Mario 3: Mario Forever" for Windows has been infecting gamers with a variety of malware infections, and some of these steal personal data, drain crypto wallets and even transform the infected device into a crypto miner.

Over the years and with the number of potential funds to steal, cybercriminals have become creative and recently released a weaponized "Super Mario 3: Mario Forever" installer loaded with malware that hijacks crypto wallets of unsuspecting victims, among other things.

Cybersecurity firm Cyble Research & Intelligence Labs (CRIL) discovered that the legitimate game installer file is laced with an extra payload packed with malicious software that is not only capable of stealing crypto and funds of users but also easily wears out the infected device by allowing a crypto mining software to secretly run in the background.

"CRIL identified a trojanized Super Mario Bros game installer that delivers multiple malicious components, including an XMR miner, SupremeBot mining client, and the Open-source Umbral stealer. The malware files were found bundled with a legitimate installer file of super-mario-forever-v702e," the cyber security firm said in its blog.

The installer is laced with XMR Miner software, which, as pointed out by the cybersecurity firm, silently runs a Monero XMR/USD cryptocurrency miner in the background, eating up users' computing resources, making running apps slower and overall device's function poorer.

The unofficial "Mario" game inspired by the classic "Super Mario" titles, was rolled out in 2004 through the Softendo website and has almost 17 million downloads to date in the CNET platform alone.

Aside from the crypto miner malware, the trojanized "Super Mario" title also comes with a file that allows the download and installation of the malicious software called Umbral Stealer, which according to the cyber security firm, is a "lightweight and efficient information stealer."

Umbral can gather private information, passwords, webcam images and even information on cryptocurrency wallets and targets Ethereum, Zcash, and Bytecoin wallets, among others, and specifically Atomic Wallet, Cyble said.

Atomic Wallet is a non-custodial crypto wallet that suffered an attack a few weeks ago and saw 10% of its users getting their wallets drained or their crypto stolen.

Although the Atomic Wallet hack was earlier linked to the North Korean hacking group Lazarus, nothing has been confirmed yet.

Unfortunately, Cyble did not reveal which hacking group is behind the weaponization of the "Super Mario" game installer.

It is worth noting that "Super Mario 3: Mario Forever" is not a Nintendo game but it is a popular, long-running fan game that basks in the popularity of the "Mario" franchise.