NOVABLIGHT as Educational Tool Attacking Users to Steal Login Credentials and Compromise Wallets
A sophisticated new threat has emerged in the cybercriminal landscape, masquerading as an educational tool while orchestrating large-scale credential theft and wallet compromise operations.
NOVABLIGHT, a NodeJS-based Malware-as-a-Service (MaaS) information stealer, represents a concerning evolution in cybercrime accessibility, allowing virtually anyone to deploy advanced data theft capabilities with minimal technical expertise.
The malware campaign, initially discovered through fake video game installer downloads, demonstrates the growing trend of cybercriminals leveraging legitimate-seeming applications to distribute malicious payloads.
Threat actors behind NOVABLIGHT have strategically positioned their product as an educational tool, despite clear evidence of its malicious intent and commercial distribution through underground marketplaces.
The deceptive marketing approach has enabled widespread adoption among cybercriminals seeking ready-made solutions for credential harvesting and cryptocurrency theft.
Elastic analysts identified NOVABLIGHT as the latest creation of the Sordeal Group, the same threat actors responsible for Nova Sentinel and MALICORD.
The group demonstrates French-language proficiency in their operational communications, conducting business primarily through Telegram and Discord platforms where they offer annual licenses and provide technical support to their criminal clientele.
This professional approach to malware distribution has transformed cybercrime from a specialized skill into a readily accessible service.
The malware’s attack vectors primarily focus on social engineering techniques, with researchers documenting campaigns using fake video game installers as initial access vectors.
One notable example involved the domain http://gonefishe[.]com, which prompted users to download what appeared to be a legitimate French-language game installer comparable to recently released Steam titles.
This approach capitalizes on users’ trust in gaming platforms while delivering a comprehensive data theft payload.
Infection Mechanism and Persistence Architecture
NOVABLIGHT employs a sophisticated multi-stage infection process designed to establish persistent access while evading detection mechanisms.
The malware’s architecture follows a clear pipeline structure, beginning with pre-flight checks that assess the target environment for virtual machines, debugging tools, and security software.
The initial phase, designated as “flow/init,” performs comprehensive system enumeration while establishing communication with command-and-control infrastructure hosted across multiple domains including api.nova-blight[.]top and shadow.nova-blight[.]top.
The persistence mechanism incorporates several advanced techniques, including registry manipulation to disable Windows security features and Task Manager access.
The malware attempts to modify the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System by setting the DisableTaskMgr value to 1, effectively preventing users from easily terminating malicious processes.
Additionally, NOVABLIGHT implements file system modifications using the icacls command icacls "${filePath}" /deny ${currentUser}:(DE,DC), where DE denies delete rights and DC prevents deletion through parent folder operations.
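As an added defender-side example (not code from the Elastic report or from the page), the following Python flags both persistence indicators just described in Sysmon-style telemetry: a registry SetValue that sets DisableTaskMgr to 1 under the Policies\System key, and an icacls invocation that adds a /deny ACE carrying DE,DC rights. The event dicts are constructed samples; the field names (EventID, TargetObject, Details, CommandLine, Image) are assumed to follow Sysmon's Event ID 13 and Event ID 1 schemas.

```python
"""Flag the two NOVABLIGHT persistence indicators above in Sysmon-style events:
DisableTaskMgr set to 1 under Policies\\System, and icacls /deny with DE,DC."""
import re

# Sysmon records HKCU writes as HKU\<SID>\..., so match the key suffix only.
POLICY_VALUE = r"\software\microsoft\windows\currentversion\policies\system\disabletaskmgr"
# icacls <path> /deny <principal>:(<rights>) where <rights> lists both DE and DC.
ICACLS_DENY = re.compile(
    r"icacls\s+.+\s/deny\s+\S+:\((?=[^)]*\bDE\b)(?=[^)]*\bDC\b)[^)]*\)", re.I)

def _dword(details):
    """Parse Sysmon's 'DWORD (0x00000001)' Details field; None if not a DWORD."""
    m = re.fullmatch(r"DWORD \(0x([0-9a-fA-F]{8})\)", details.strip())
    return int(m.group(1), 16) if m else None

def check_registry_event(event):
    """Sysmon Event ID 13 (RegistryEvent SetValue): DisableTaskMgr := 1."""
    if event.get("EventID") != 13:
        return None
    target = event.get("TargetObject", "").lower()
    if target.endswith(POLICY_VALUE) and _dword(event.get("Details", "")) == 1:
        return "Task Manager disabled via DisableTaskMgr=1 by " + event.get("Image", "?")
    return None

def check_process_event(event):
    """Sysmon Event ID 1 (ProcessCreate): icacls deny ACE guarding a dropped file."""
    if event.get("EventID") != 1:
        return None
    cmd = event.get("CommandLine", "")
    return ("icacls deny of DE,DC rights: " + cmd) if ICACLS_DENY.search(cmd) else None

def scan(events):
    """Run both checks over every event and return the alert strings in order."""
    return [msg for e in events
            for msg in (check_registry_event(e), check_process_event(e)) if msg]

SAMPLE_EVENTS = [  # constructed telemetry, not indicators from the report
    {"EventID": 13, "Image": r"C:\Users\victim\AppData\Local\Temp\GameSetup.exe",
     "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\icacls.exe",
     "CommandLine": r'icacls "C:\Users\victim\AppData\Roaming\stealer.exe" /deny victim:(DE,DC)'},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",  # benign: unrelated value
     "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\icacls.exe",  # benign: grant, not deny
     "CommandLine": r'icacls "C:\Shared" /grant Users:(RX)'},
]
```

Running scan(SAMPLE_EVENTS) yields exactly two alerts, one per malicious event; the benign registry write and the /grant invocation are ignored.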
The malware’s clipboard monitoring functionality represents one of its most insidious capabilities, continuously scanning for cryptocurrency wallet addresses and PayPal transaction details.
When detecting matching patterns, NOVABLIGHT replaces legitimate addresses with attacker-controlled alternatives, as demonstrated in the configuration flag swapWallet.active.
This clipper module ensures that financial transactions initiated by victims are redirected to cybercriminal-controlled accounts, often without immediate detection by the victim.
NOVABLIGHT’s data exfiltration capabilities extend beyond simple credential theft, incorporating comprehensive system profiling, webcam recording, and targeted application injection.
The malware specifically targets Electron-based applications including Discord, Exodus wallet, and Mullvad VPN client, dynamically fetching injection payloads from https://api.nova-blight[.]top/injections/ endpoints.
This modular approach ensures that the malware remains effective against updated applications while maintaining operational flexibility for threat actors seeking specific target profiles.