We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
Learn more
vpnMentor was established in 2014 as an independent site reviewing VPN services and covering privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize the independent, professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.
Advertising Disclosure

vpnMentor was established in 2014 as an independent site reviewing VPN services and covering privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize the independent, professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

Trojan Malware Found in Super Mario Game Installer

Trojan Malware Found in Super Mario Game Installer
Keira Waddell Published on 27th June 2023 Senior Writer

Cybersecurity firm Cyble recently discovered a modified version of the Super Mario 3: Mario Forever game Windows installer that contains trojan malware. Super Mario 3: Mario Forever is a popular free-to-play remake of the classic Nintendo game, known for its updated graphics and modernized gameplay.

The trojanized game installer is believed to be currently circulating on gaming forums and social media groups. It has also been distributed via malvertising and black hat SEO techniques. The installer is disguised as a self-extracting archive executable.

The extracted archive contains three executables: super-mario-forever-v702e.exe (a legitimate Mario game installer), java.exe, and atom.exe. The latter two install themselves discreetly in the victim's AppData directory.

Once installed, the malicious executables carry out their harmful activities. java.exe acts as a Monero miner, gathering hardware information and connecting to gulf.moneroocean.stream to mine Monero.

atom.exe, also known as SupremeBot, is duplicated in the installation directory and scheduled to run every 15 minutes. To avoid detection, the original process is terminated and the file is deleted. SupremeBot establishes a command-and-control connection to transmit information, register the client, and receive Monero mining configurations.

The final payload of the trojanized installer is wime.exe, which contains Umbral Stealer — an open-source C# information stealer. It collects sensitive data from the infected Windows device, including passwords, session cookies, cryptocurrency wallets, and credentials for platforms like Discord, Minecraft, Roblox, and Telegram. It can also capture screenshots and utilize webcams. The pilfered data is stored locally before being sent to the C2 server.

Umbral Stealer evades detection by disabling Windows Defender or adding its own process to the exclusion list. It also modifies the Windows hosts file to block communication between antivirus products and their company sites, reducing their effectiveness.

Those who have recently downloaded the game are advised to scan their computer for any installed malware. If malware is detected, password resets are recommended for sensitive accounts such as banking, financial, cryptocurrency, and email platforms.

Remember to only download games and software from official sources, such as the publisher's website or trusted digital content distribution platforms. Finally, always make sure to scan downloads with antivirus software before launching them and ensure that your security tools are kept up to date.

About the Author

Keira is an experienced cybersecurity and tech writer dedicated to providing comprehensive insights on VPNs, online privacy, and internet censorship.