A new and rapidly evolving information stealer, NOVABLIGHT, is leveraging popular messaging platforms Telegram and Discord both for distribution and operational support, posing as an “educational tool” but functioning as a formidable threat to internet users.
Research reveals the malware is the work of the Sordeal Group, a threat actor already associated with the development of Nova Sentinel and MALICORD, and well-versed in French-language communication and cybercriminal tactics.
Stealthy Distribution and Monetization
NOVABLIGHT’s stealthy distribution model utilizes lures such as fake video game installers, including French-language repackaged releases imitating newly launched Steam titles, to achieve initial infection.
Domains such as gonefishe[.]com have featured as download sources, directing users to install compromised binaries.

The infostealer is commercialized as a Malware-as-a-Service (MaaS), with varying license durations and easy API key-based instancing available via Telegram bots or Discord channels.
The malware’s public-facing image is further muddied by claims that it serves exclusively educational purposes, despite Telegram screenshots indicating real-world criminal outcomes such as luxury item purchases and large bank transfers.
The operators have migrated through multiple online payment processors, recently settling on Billgang, reflecting consistent adaptation to takedowns and scrutiny.

Customers obtain access keys, which can even be earned through a referral program, and control their deployments via a centralized dashboard; exfiltration relies on a mix of self-hosted domains and mainstream file-sharing platforms.
Built on NodeJS and Electron, NOVABLIGHT boasts extensive modularity: a customer’s build can selectively activate features, but unused functionality remains dormant within the payload, complicating detection and forensics.
The malware’s execution follows a multi-stage flow: initialization (system checks/persistence), injection (app repacking and patching), data collection, clipboard hijacking (“clipping” crypto and PayPal addresses), exfiltration by several redundant channels, and post-theft cleanup.
Defensive measures are actively countered by advanced anti-sandbox tactics, including hardware and software fingerprinting, blacklists retrieved from attacker-controlled GitHub repositories, and process-killing routines targeting analysis tools.
The malware also attempts to disable Windows Defender, Task Manager, and even internet connectivity, along with removing the victim’s administrative rights and obstructing remediation through system-level sabotage.
Targeting Credentials and System Artifacts
A defining feature of NOVABLIGHT is its aggressive campaign for credential theft and crypto wallet interception.
According to an Elastic Security Labs report, the malware performs code injection attacks on Electron-based applications such as Discord, Atomic, Exodus, and Mullvad VPN, often fetching “patched” modules from attacker servers or public GitHub repositories.
Chrome and Chromium-based browsers are specifically targeted for sensitive data extraction using custom decryption utilities disguised as legitimate software.
Comprehensive system profiling collects hardware and network details, running processes, installed security products, clipboard content, screenshots, webcam footage, and saved Wi-Fi passwords.
High-value files matching certain financial or credential-related keywords are harvested and exfiltrated, supporting broad criminal monetization goals.
Data is sent to the attacker’s dashboard, through Telegram bots (via proxy or direct Telegram API), Discord webhooks, and a mix of cloud storage/upload services, making data recovery and containment difficult.
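The article names Telegram bots (direct or via proxy) and Discord webhooks among the redundant exfiltration channels. The following is an added example, not code from the article or from any vendor report, of how a defender can surface those channels in outbound proxy logs: it recognises the public URL shapes of the Telegram Bot API (`/bot<token>/<method>`, also when relayed through a non-Telegram proxy host) and Discord webhooks (`/api/webhooks/<id>/<token>`), redacts the tokens, and flags any client that uses more than one such channel. The log lines, hosts and tokens are constructed; the proxy hostname is an assumption.

```python
"""Flag outbound requests to messaging-platform exfiltration channels.

Added example; the proxy log below is constructed and the tokens are not real.
"""
import re
from urllib.parse import urlparse

# Public endpoint shapes: Telegram Bot API path and Discord webhook path.
TELEGRAM_BOT_API = re.compile(r"^/bot(\d+:[A-Za-z0-9_-]+)/(sendDocument|sendMessage|sendPhoto)$")
DISCORD_WEBHOOK = re.compile(r"^/api/webhooks/(\d+)/([A-Za-z0-9_-]+)$")

# Constructed proxy log: timestamp, client IP, method, URL, bytes sent upstream.
SAMPLE_PROXY_LOG = """\
2025-01-10T09:14:02Z 10.0.0.12 POST https://api.telegram.org/bot123456789:AAExampleTokenNotReal/sendDocument 48213
2025-01-10T09:14:05Z 10.0.0.12 GET https://www.example.org/index.html 1044
2025-01-10T09:14:09Z 10.0.0.12 POST https://discord.com/api/webhooks/1122334455/ExampleWebhookTokenNotReal 90772
2025-01-10T09:14:11Z 10.0.0.31 GET https://discord.com/channels/@me 2200
2025-01-10T09:15:00Z 10.0.0.12 POST https://tg-proxy.example.invalid/bot987:ExampleProxyToken/sendPhoto 35000
"""


def classify(url):
    """Return (channel label, redacted path) or None for a non-exfil URL shape."""
    parsed = urlparse(url)
    host, path = (parsed.hostname or "").lower(), parsed.path
    m = TELEGRAM_BOT_API.match(path)
    if m:
        # A Bot API proxy keeps the /bot<token>/<method> path on another host.
        label = "telegram-bot-api" if host == "api.telegram.org" else "telegram-bot-api-proxy"
        return label, f"/bot<redacted>/{m.group(2)}"
    m = DISCORD_WEBHOOK.match(path)
    if m and host in ("discord.com", "discordapp.com"):
        return "discord-webhook", f"/api/webhooks/{m.group(1)}/<redacted>"
    return None


def find_exfil(log_text):
    """Parse the constructed log format and return one record per flagged request."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # ignore malformed lines rather than crash the sweep
        ts, client, method, url, sent = parts
        result = classify(url)
        if result is None:
            continue
        channel, redacted = result
        hits.append({
            "time": ts,
            "client": client,
            "method": method,
            "channel": channel,
            "host": urlparse(url).hostname,
            "path": redacted,
            "bytes_sent": int(sent),
        })
    return hits


def redundant_channel_clients(hits):
    """Clients that used two or more distinct channels: higher-confidence signal."""
    per_client = {}
    for h in hits:
        per_client.setdefault(h["client"], set()).add(h["channel"])
    return {c for c, chans in per_client.items() if len(chans) >= 2}


if __name__ == "__main__":
    found = find_exfil(SAMPLE_PROXY_LOG)
    for h in found:
        print(f'{h["time"]} {h["client"]} {h["channel"]:24} {h["host"]}{h["path"]} {h["bytes_sent"]}B')
    print("clients using multiple channels:", sorted(redundant_channel_clients(found)))
```

POST volume to these endpoints is the useful second signal: a single webhook call is common for legitimate integrations, but tens of kilobytes uploaded by an endpoint host to a bot API and a webhook within the same minute matches the multi-channel pattern the article describes.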
With its genesis in the French-speaking cybercrime ecosystem, NOVABLIGHT demonstrates rapid iteration and increasing sophistication: new features are regularly deployed, and the code remains heavily obfuscated by techniques including array mapping, custom string encodings, control flow flattening, and proxy variable routing.
Detection remains challenging due to its low antivirus signature rates, obfuscated code, and modular payload configurations. Nonetheless, security vendors have started deploying YARA rules and monitoring related infrastructure.
As NOVABLIGHT matures and its ecosystem broadens, organizations and individuals are reminded that even “lesser-known” tools can become pervasive threats, particularly when packaged as turnkey crimeware and promoted through user-friendly, community-centric models.
Indicators of Compromise (IOC)
Type | Name/Value | Description |
---|---|---|
SHA-256 | ed164ee2eacad0eea9dc4fbe271ee2b2387b59929d73c843281a8d5e94c05d64 | NOVABLIGHT v2.2 Sample |
SHA-256 | 39f09771d70e96c7b760b3b6a30a015ec5fb6a9dd5bc1e2e609ddf073c2c853d | NOVABLIGHT v2.1 Sample |
SHA-256 | 97393c27195c58f8e4acc9312a4c36818fe78f2ddce7ccba47f77a5ca42eab65 | NOVABLIGHT v2.0 Sample |
DOMAIN | api.nova-blight[.]top | NOVABLIGHT Dashboard |
DOMAIN | shadow.nova-blight[.]top | NOVABLIGHT Dashboard |
DOMAIN | nova-blight[.]site | NOVABLIGHT Dashboard |
DOMAIN | nova-blight[.]xyz | NOVABLIGHT Dashboard |
DOMAIN | bamboulacity.nova-blight[.]xyz | NOVABLIGHT Dashboard |
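To make the table above directly usable, here is an added example (not code from the article) that parses it, refangs the `[.]` domains, matches DNS query logs against them (including subdomains of a listed domain), and compares SHA-256 digests of files on disk against the listed sample hashes. The DNS log lines and the file written to a temporary directory are constructed for the demonstration.

```python
"""Match the article's NOVABLIGHT IOCs against DNS logs and files on disk.

Added example; the DNS lines and the temporary file are constructed.
"""
import hashlib
import os
import tempfile

# The IOC table exactly as published in the article (domains defanged).
IOC_TABLE = """\
SHA-256 | ed164ee2eacad0eea9dc4fbe271ee2b2387b59929d73c843281a8d5e94c05d64 | NOVABLIGHT v2.2 Sample
SHA-256 | 39f09771d70e96c7b760b3b6a30a015ec5fb6a9dd5bc1e2e609ddf073c2c853d | NOVABLIGHT v2.1 Sample
SHA-256 | 97393c27195c58f8e4acc9312a4c36818fe78f2ddce7ccba47f77a5ca42eab65 | NOVABLIGHT v2.0 Sample
DOMAIN | api.nova-blight[.]top | NOVABLIGHT Dashboard
DOMAIN | shadow.nova-blight[.]top | NOVABLIGHT Dashboard
DOMAIN | nova-blight[.]site | NOVABLIGHT Dashboard
DOMAIN | nova-blight[.]xyz | NOVABLIGHT Dashboard
DOMAIN | bamboulacity.nova-blight[.]xyz | NOVABLIGHT Dashboard
"""

# Constructed DNS resolver log: the query name is the last field.
SAMPLE_DNS_LOG = """\
2025-01-10 09:20:01 client 10.0.0.12 query A shadow.nova-blight.top
2025-01-10 09:20:02 client 10.0.0.12 query A www.example.org
2025-01-10 09:20:03 client 10.0.0.12 query A cdn.nova-blight.site.
2025-01-10 09:20:04 client 10.0.0.31 query A nova-blight.xyz.example.org
2025-01-10 09:20:05 client 10.0.0.12 query AAAA BAMBOULACITY.nova-blight.xyz
"""


def refang(value):
    """Turn a defanged indicator (example[.]com) back into a usable domain."""
    return value.replace("[.]", ".").strip().lower()


def parse_iocs(table_text):
    """Return {'sha256': {hash: desc}, 'domains': {domain: desc}} from the pipe table."""
    iocs = {"sha256": {}, "domains": {}}
    for line in table_text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) < 3:
            continue
        kind, value, desc = cells[0].upper(), cells[1], cells[2]
        if kind == "SHA-256":
            iocs["sha256"][value.lower()] = desc
        elif kind == "DOMAIN":
            iocs["domains"][refang(value)] = desc
    return iocs


def domain_match(query, ioc_domains):
    """Return the matching IOC domain for an exact hit or a subdomain of it, else None."""
    q = query.rstrip(".").lower()
    for dom in ioc_domains:
        if q == dom or q.endswith("." + dom):
            return dom
    return None


def scan_dns_log(log_text, ioc_domains):
    """Return (query, matched IOC domain) pairs for every flagged query."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        matched = domain_match(parts[-1], ioc_domains)
        if matched:
            hits.append((parts[-1].rstrip(".").lower(), matched))
    return hits


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root, ioc_hashes):
    """Return (path, digest, desc) for every file whose SHA-256 is a listed sample."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = sha256_file(path)
            if digest in ioc_hashes:
                hits.append((path, digest, ioc_hashes[digest]))
    return hits


if __name__ == "__main__":
    iocs = parse_iocs(IOC_TABLE)
    for query, dom in scan_dns_log(SAMPLE_DNS_LOG, iocs["domains"]):
        print(f"DNS hit: {query} -> {dom} ({iocs['domains'][dom]})")
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "installer.bin"), "wb") as f:
            f.write(b"constructed benign content")
        print("file hits:", scan_directory(tmp, iocs["sha256"]))
```

The suffix match deliberately requires the `.` boundary, so `nova-blight.xyz.example.org` is not flagged while `cdn.nova-blight.site` is: the article lists bare second-level domains as dashboard infrastructure, so any host under them is worth an alert.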