A significant new cybersecurity threat has been identified by Elastic Security Labs, a Malware-as-a-Service (MaaS) infostealer called NOVABLIGHT. Developed and sold by a French-language threat actor known as the Sordeal Group, the malware is deceptively marketed on platforms like Telegram and Discord as an “educational tool.” However, analysis reveals its true nature as a potent, modular malware designed for comprehensive data theft. The group’s operational tactics, including luring victims with malicious game installers mimicking recent releases, openly contradict their educational claims and expose the software’s malicious intent to steal sensitive information such as login credentials and cryptocurrency wallet data.
NOVABLIGHT is a NodeJS-based malware built on the Electron framework, enabling a multi-stage attack pipeline. Upon execution, it performs pre-flight checks and employs anti-analysis measures, including sandbox detection, to evade security researchers. To make detection and analysis exceptionally challenging, its developers have integrated heavy obfuscation techniques, such as array mapping, base91 string encoding, and complex control flow obfuscation. These sophisticated defense evasion tactics highlight the malware’s design for stealth and persistence within a compromised system, allowing it to proceed with its data harvesting and exfiltration stages undetected.
The malware’s primary function is to steal valuable information by targeting popular applications and user data. It specifically attacks other Electron-based applications like Discord and the Exodus and Atomic crypto wallets by injecting malicious code to exfiltrate credentials through configurable Discord webhooks and Telegram APIs. Furthermore, NOVABLIGHT employs clipboard hijacking, a technique where it monitors the user’s clipboard and automatically substitutes copied cryptocurrency wallet addresses with one belonging to the attacker, thereby redirecting financial transactions. It also downloads supplementary tools designed to decrypt and steal sensitive data stored in Chromium-based browsers, maximizing its data theft capabilities.
The Sordeal Group operates NOVABLIGHT as a commercial enterprise, monetizing it through a subscription-based model. Aspiring cybercriminals can purchase API keys with validity ranging from one to twelve months, which are then used to generate unique malware instances via Telegram bots or Discord channels. The group provides customers with a dashboard, hosted on domains like api.nova-blight[.]top, to manage the stolen data they collect. Despite the pretense of being an educational service, interactions within the malware’s community channels on Telegram tell a different story, with users sharing screenshots of luxury purchases and financial gains made from their illicit activities.
NOVABLIGHT is engineered for longevity and resilience, utilizing a distributed infrastructure that combines third-party file-hosting services with dedicated backend servers for command-and-control and data exfiltration. This structure ensures operational continuity even if parts of its network are taken down. Elastic Security Labs confirms that the malware is under active development, with frequent updates enhancing its features and ensuring it remains a relevant and persistent threat. Its tactics align with multiple categories in the MITRE ATT&CK framework—including execution, persistence, defense evasion, and credential access—underscoring the need for advanced security solutions and robust detection mechanisms, such as specific YARA rules, to effectively identify and mitigate this sophisticated infostealer.
Reference:
