SupremeBot and Mario cross the finish line together

Researchers have reported how popular game installers like Super Mario Games are being used to deliver malware. The malicious components include cryptominers, the SupremeBot mining client, and the open-source Umbral stealer.

The game-installer route offers cybercriminals some distinct advantages:

  • The games are very popular and downloads are highly sought after, which increases the chances of people downloading them
  • Game installers are large files, which means they can’t be uploaded to most online malware scanners
  • The game install finishes, so the user trusts that the installer did what it promised to do and the extras get ignored
  • The targeted systems are high-performance machines suitable for playing games, which means they can be expected to be useful in the intended mining activity

The researchers looked at a trojanized version of a Super Mario game installer which came as an NSIS installer. NSIS (Nullsoft Scriptable Install System) is a professional open source system to create Windows installers. In this case it was used to combine three executable files, one of which was the legitimate Super Mario Forever game.

But while the victim is going through the steps of the installation wizard for their game, in the background two secretly dropped files are executed by the same installer.

  1. An XMR (Monero) miner, which operates stealthily in the background to mine cryptocurrency for the cybercriminal without authorization, while using system resources in amounts that could be harmful
  2. SupremeBot, a mining client which also downloads a file from a Command & Control (C2) server, in this case an information stealer identified as the Umbral Stealer

The SupremeBot malware uses some techniques to stay under the radar. First, it creates a copy of itself called Super-Mario-Bros.exe and drops that in a randomly named subfolder of the ProgramData folder. It also creates a new scheduled task that runs every 15 minutes to run that copy. Once that persistence is set up, it kills the process and deletes the original file.
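A triage check for the persistence pattern described above, as an added example that is not from the original article or the researchers' report: it parses a Task Scheduler XML definition and flags tasks that repeat every 15 minutes or less and launch an .exe from a subfolder of ProgramData. The function names, the sample task and the folder name in it are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# An .exe sitting exactly one folder below ProgramData, e.g. C:\ProgramData\<name>\x.exe
PROGRAMDATA_EXE = re.compile(
    r'^"?(?:%programdata%|[a-z]:\\programdata)\\[^\\]+\\[^\\"]+\.exe"?$', re.I)

def interval_minutes(iso):
    """Convert an ISO 8601 duration (PT15M, PT1H, P1D) to minutes; None if unparsable."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", iso.strip())
    if not m or not any(m.groups()):
        return None
    d, h, mi, s = (int(g or 0) for g in m.groups())
    return d * 1440 + h * 60 + mi + s / 60

def flag_task(task_xml, max_minutes=15):
    """Return the Exec commands that make this task worth a closer look, else []."""
    root = ET.fromstring(task_xml)  # accepts str, or raw bytes read from a task file
    intervals = [interval_minutes(e.text or "")
                 for e in root.iterfind(".//t:Repetition/t:Interval", NS)]
    # Only tasks that repeat at least as often as the 15-minute interval on the page
    if not any(i is not None and i <= max_minutes for i in intervals):
        return []
    commands = [(e.text or "").strip()
                for e in root.iterfind(".//t:Actions/t:Exec/t:Command", NS)]
    return [c for c in commands if PROGRAMDATA_EXE.match(c)]

# Constructed sample task definition; the folder name "kqzvtrwm" is made up.
SAMPLE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT15M</Interval></Repetition>
    <StartBoundary>2023-06-01T00:00:00</StartBoundary>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\ProgramData\kqzvtrwm\Super-Mario-Bros.exe</Command>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    print(flag_task(SAMPLE_TASK))
```

Legitimate updaters also run from ProgramData, so a hit is a lead for review, not a verdict.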

The new copy sends the victim system’s CPU and GPU versions as identifiers to a C2 server to verify if the client is registered. If not, the new client is added and receives XMRig CPU and GPU mining configuration details from the C2 server.

When all that is set up, it downloads a Themida-packed file. Upon execution, this file unpacks itself and loads the Umbral Stealer into the process memory. The Umbral Stealer is a Windows-based information stealer, which is available on GitHub as an open-source project. It uses Discord webhooks to send collected data to the cybercriminal.

The collected data is obtained from the affected system by:

  • Capturing screenshots
  • Retrieving browser passwords and cookies
  • Capturing webcam images
  • Obtaining Telegram session files and Discord tokens
  • Acquiring Roblox cookies and Minecraft session files
  • Collecting files associated with cryptocurrency wallets

Advice

To prevent falling victim, here are some guidelines:

  • Only download from trusted sources
  • Monitor your system for high CPU usage and other performance issues
  • Use up-to-date, real-time anti-malware protection

C2 servers:

silentlegion[.]duckdns[.]org

shadowlegion[.]duckdns[.]org

Malwarebytes blocks silentlegion.duckdns.org

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.