Tuesday, March 17, 2026

Leveraging NOVABLIGHT – A New Approach to Education and Strategic Offensive Applications

Security researchers have identified a sophisticated new information-stealing malware called NOVABLIGHT that poses as educational software while conducting widespread cybercriminal operations.

Developed by the French-speaking Sordeal Group, this Node.js-based Malware-as-a-Service (MaaS) platform demonstrates advanced evasion capabilities and targets sensitive user data across multiple applications.

Advanced Technical Capabilities and Distribution Methods

NOVABLIGHT employs a multi-stage attack pipeline built on the Electron framework, incorporating comprehensive anti-analysis measures that check for virtual machine environments, sandbox indicators, and debugging tools.

NOVABLIGHT’s product page on Billgang

The malware queries GitHub-hosted blacklists of blocked IP addresses, hardware IDs, usernames, and system configurations, and exits when the host matches an entry, so that it avoids running on machines associated with security researchers and analysis environments.

The threat actors distribute NOVABLIGHT through fake video game installers, particularly targeting French-language gaming content that mimics legitimate Steam releases.

Once executed, the malware establishes persistence and begins systematic data harvesting from browsers, cryptocurrency wallets such as Exodus and Atomic, communication platforms such as Discord, and other applications such as Mullvad VPN.

The malware’s clipboard hijacking functionality monitors the clipboard for cryptocurrency wallet addresses and PayPal addresses and silently replaces them with attacker-controlled ones, so that a victim who pastes a copied address sends the funds to the attacker instead.
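The following is an added example written for this page, not code from NOVABLIGHT or from the Sordeal Group. It shows the shape of a clipboard-substitution routine (loose regex matching on address formats, replace only when a wallet of the same kind is available) next to a defensive check that compares what the user copied with what the clipboard holds just before pasting. All addresses and attacker wallets in it are constructed test values; the assumption that a "PayPal address" is an e-mail address is the author's, since the report does not say which form the malware matches.

```javascript
// Added example (not NOVABLIGHT's own code). Regexes are loose syntactic
// checks only; none of them validates a checksum.
const ADDRESS_PATTERNS = {
  btc_legacy: /^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$/, // P2PKH / P2SH, base58
  btc_bech32: /^bc1[a-z0-9]{39,59}$/,             // P2WPKH / P2TR
  eth:        /^0x[0-9a-fA-F]{40}$/,              // Ethereum and other EVM chains
  paypal:     /^[^\s@]+@[^\s@]+\.[^\s@]+$/,       // assumption: PayPal account = e-mail
};

// Returns the kind of address the text looks like, or null.
function classifyAddress(text) {
  const s = text.trim();
  for (const [kind, re] of Object.entries(ADDRESS_PATTERNS)) {
    if (re.test(s)) return kind;
  }
  return null;
}

// What a clipper does on every clipboard change: if the content is an address
// of a kind it has a wallet for, swap it; otherwise leave the clipboard alone
// so the victim notices nothing. Written as a pure function so it can be
// exercised offline without touching the real clipboard.
function clipperSubstitute(clipboardText, attackerWallets) {
  const kind = classifyAddress(clipboardText);
  if (kind && attackerWallets[kind]) return attackerWallets[kind];
  return clipboardText;
}

// Defensive check: compare the text the user copied with the clipboard
// content just before pasting. A different address of the same kind is the
// signature of a clipper, since a legitimate copy never changes the value.
function detectClipboardSwap(copiedText, clipboardNow) {
  const a = classifyAddress(copiedText);
  const b = classifyAddress(clipboardNow);
  return a !== null && a === b && copiedText.trim() !== clipboardNow.trim();
}

// Constructed demo values (the ETH address is a placeholder, not a real wallet).
const VICTIM_ETH = '0x' + 'ab'.repeat(20);
const ATTACKER_WALLETS = { eth: '0x' + '11'.repeat(20), btc_legacy: '1' + '2'.repeat(33) };

const pasted = clipperSubstitute(VICTIM_ETH, ATTACKER_WALLETS);
console.log('clipboard after clipper:', pasted);
console.log('swap detected:', detectClipboardSwap(VICTIM_ETH, pasted));
```

The defensive half only works if the comparison uses the address the user actually copied (for example, read from the page or file it came from), not a second read of the clipboard, which the clipper has already rewritten.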

Additionally, NOVABLIGHT captures screenshots, webcam footage, Wi-Fi passwords, and system information, and attempts to disable Windows Defender and Task Manager to hinder detection and removal.

Sophisticated Obfuscation and Evasion Techniques

NOVABLIGHT demonstrates advanced code obfuscation through multiple layers, including array mapping, base91 string encoding, and control flow manipulation.

The malware uses a custom alphabet for string decoding and employs proxy variables with rest parameter syntax to obscure function calls and variable access patterns.
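An analyst who wants to read the strings out of such a sample needs a basE91 decoder that accepts the sample's own alphabet rather than the standard one. The codec below is an added example written for this page, not code taken from NOVABLIGHT or from the Sordeal Group; it implements Joachim Henke's basE91 scheme (13- or 14-bit groups per pair of symbols) with a pluggable 91-character alphabet. The standard alphabet is the published one; the rotated "custom" alphabet at the bottom is a made-up stand-in for whatever alphabet a given sample uses.

```javascript
// Added example (not NOVABLIGHT's own code): basE91 codec with a pluggable
// alphabet, so that strings encoded with a custom alphabet can be decoded
// once that alphabet has been recovered from the sample's decoder routine.

// Joachim Henke's standard basE91 alphabet (91 symbols).
const BASE91_STANDARD =
  'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789' +
  '!#$%&()*+,./:;<=>?@[]^_`{|}~"';

function base91Decode(text, alphabet = BASE91_STANDARD) {
  if (alphabet.length !== 91) throw new Error('alphabet must have 91 symbols');
  const index = new Map([...alphabet].map((c, i) => [c, i]));
  const out = [];
  let v = -1, b = 0, n = 0;
  for (const c of text) {
    const d = index.get(c);
    if (d === undefined) continue;      // symbols outside the alphabet are ignored
    if (v < 0) { v = d; continue; }     // first symbol of a pair
    v += d * 91;                        // a pair carries 13 or 14 bits
    b |= v << n;
    n += (v & 8191) > 88 ? 13 : 14;
    do {                                // emit every complete byte
      out.push(b & 255);
      b >>>= 8;
      n -= 8;
    } while (n > 7);
    v = -1;
  }
  if (v >= 0) out.push((b | (v << n)) & 255);   // trailing single symbol
  return Uint8Array.from(out);
}

function base91Encode(bytes, alphabet = BASE91_STANDARD) {
  if (alphabet.length !== 91) throw new Error('alphabet must have 91 symbols');
  let out = '', b = 0, n = 0;
  for (const byte of bytes) {
    b |= byte << n;
    n += 8;
    if (n > 13) {
      let v = b & 8191;                 // try a 13-bit group first
      if (v > 88) { b >>>= 13; n -= 13; }
      else { v = b & 16383; b >>>= 14; n -= 14; }   // small value: take 14 bits
      out += alphabet[v % 91] + alphabet[Math.floor(v / 91)];
    }
  }
  if (n) {
    out += alphabet[b % 91];
    if (n > 7 || b > 90) out += alphabet[Math.floor(b / 91)];
  }
  return out;
}

// Convenience wrappers for string payloads.
function decodeToString(text, alphabet = BASE91_STANDARD) {
  return new TextDecoder().decode(base91Decode(text, alphabet));
}
function encodeString(str, alphabet = BASE91_STANDARD) {
  return base91Encode(new TextEncoder().encode(str), alphabet);
}

// Made-up custom alphabet for the demo: the standard one rotated by seven
// positions. A real sample's alphabet comes from its own decoding routine.
const CUSTOM_ALPHABET = BASE91_STANDARD.slice(7) + BASE91_STANDARD.slice(0, 7);

const encoded = encodeString('NOVABLIGHT', CUSTOM_ALPHABET);
console.log('custom-alphabet ciphertext:', encoded);
console.log('decoded with the right alphabet:', decodeToString(encoded, CUSTOM_ALPHABET));
console.log('decoded with the standard alphabet:', decodeToString(encoded));
```

The last line shows why the alphabet matters: a string encoded with the sample's alphabet decodes to garbage under the standard one, so the first step in deobfuscation is pulling the 91-character table out of the sample's decoder.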

The threat actors operate through Telegram and Discord channels, offering API keys valid for up to 12 months and providing users with builder tools to generate customized malware instances.

Despite claiming educational purposes, community members openly share evidence of financial gains from successful attacks, including luxury purchases and money transfers.

Security researchers have identified multiple command-and-control domains, including api.nova-blight[.]top and shadow.nova-blight[.]top, along with various file hosting services used for data exfiltration.

The malware targets over 100 different applications and services, systematically extracting credentials, session tokens, and sensitive files containing keywords related to finances, authentication, and cryptocurrency.

Growing Threat Landscape Concerns

NOVABLIGHT represents an evolving threat in the cybercriminal ecosystem, and the Sordeal Group continues to develop it, so new builds can be expected.

The malware’s low detection rates on security platforms, combined with its modular architecture and professional distribution model, highlight the increasing sophistication of MaaS operations.

Organizations and individuals should implement robust endpoint protection, keep security software updated, and exercise caution when downloading software from unofficial sources, particularly repackaged or pirated game installers, which are this family's initial infection vector.
