NOVABLIGHT, a NodeJS-based Malware-as-a-Service (MaaS) information stealer, represents a concerning evolution in cybercrime accessibility, allowing virtually anyone to deploy advanced data theft capabilities with minimal technical expertise. This modular approach ensures that the malware remains effective against updated applications while maintaining operational flexibility for threat actors seeking specific target profiles. The malware campaign, initially discovered through fake video game installer downloads, demonstrates the growing trend of cybercriminals leveraging legitimate-seeming applications to distribute malicious payloads. Threat actors behind NOVABLIGHT have strategically positioned their product as an educational tool, despite clear evidence of its malicious intent and commercial distribution through underground marketplaces. NOVABLIGHT’s data exfiltration capabilities extend beyond simple credential theft, incorporating comprehensive system profiling, webcam recording, and targeted application injection. A sophisticated new threat has emerged in the cybercriminal landscape, masquerading as an educational tool while orchestrating large-scale credential theft and wallet compromise operations. The malware’s attack vectors primarily focus on social engineering techniques, with researchers documenting campaigns using fake video game installers as initial access vectors. The malware specifically targets Electron-based applications including Discord, Exodus wallet, and Mullvad VPN client, dynamically fetching injection payloads from [.]top/injections/ endpoints. Additionally, NOVABLIGHT implements file system modifications using the icacls command: icacls "${filePath}" /deny ${currentUser}:(DE,DC) where DE denies delete rights and DC prevents deletion through parent folder operations. The deceptive marketing approach has enabled widespread adoption among cybercriminals seeking ready-made solutions for credential harvesting and cryptocurrency theft. The group demonstrates French-language proficiency in their operational communications, conducting business primarily through Telegram and Discord platforms where they offer annual licenses and provide technical support to their criminal clientele. The malware’s architecture follows a clear pipeline structure, beginning with pre-flight checks that assess the target environment for virtual machines, debugging tools, and security software. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. Elastic analysts identified NOVABLIGHT as the latest creation of the Sordeal Group, the same threat actors responsible for Nova Sentinel and MALICORD. The persistence mechanism incorporates several advanced techniques, including registry manipulation to disable Windows security features and Task Manager access. This approach capitalizes on users’ trust in gaming platforms while delivering a comprehensive data theft payload. The malware’s clipboard monitoring functionality represents one of its most insidious capabilities, continuously scanning for cryptocurrency wallet addresses and PayPal transaction details. One notable example involved the domain [.]com, which prompted users to download what appeared to be a legitimate French-language game installer comparable to recently released Steam titles. The malware attempts to modify the registry key HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System by setting the DisableTaskMgr value to 1, effectively preventing users from easily terminating malicious processes. NOVABLIGHT employs a sophisticated multi-stage infection process designed to establish persistent access while evading detection mechanisms. This professional approach to malware distribution has transformed cybercrime from a specialized skill into a readily accessible service. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis.
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 31 Jul 2025 21:35:24 +0000