NOVABLIGHT at a glance
NOVABLIGHT is a NodeJS-based Malware-as-a-Service (MaaS) information stealer developed and sold by a threat group that demonstrates French-language proficiency. This is apparent in their discussions and operational communications on their primary sales and support platforms, Telegram and Discord.
Based on our analysis of the latest released version of NOVABLIGHT, a code snippet in that sample suggests that the Sordeal Group, the group behind Nova Sentinel and MALICORD, is responsible for NOVABLIGHT as well.
Key takeaways
- NOVABLIGHT is an infostealer described as an educational tool, though Telegram channel messages reveal sensitive information and unredacted screenshots.
- NOVABLIGHT licenses are valid for up to one year, and binaries can be generated via Telegram or Discord.
- Heavily obfuscated code with many capabilities.
Discovery
Elastic Security Labs identified multiple campaigns leveraging fake video game installer downloads as an initial access lure for MaaS infections of internet users. In one example, the URL http://gonefishe[.]com prompted the user to download a binary and install a French-language version of a game with a name and description comparable to one recently released on Steam.
Distribution, monetization, and community
The group advertised and sold their product on various online platforms, previously Sellix and Sellpass and currently Billgang.
The group sells an API key that is valid for between 1 and 12 months. This key can then be used to build an instance of NOVABLIGHT through a Telegram bot or through Discord.
The group promotes a referral program on their Discord channel with API keys as rewards.
Users get access to a dashboard hosted by the group that presents the information collected from victims. The following domains were identified, though others may exist:
api.nova-blight[.]top
shadow.nova-blight[.]top
nova-blight[.]site
nova-blight[.]xyz
bamboulacity.nova-blight[.]xyz
Some of the images used in the dashboard panel are hosted in GitHub repositories associated with different accounts, which helped expose more details about the group.
The GitHub account KSCHcuck1 is a pseudonym similar to that of the previous author of MALICORD, a free release of the earliest version of the stealer that was hosted on GitHub under the account KSCH-58 (WEB ARCHIVE LINK). The X account @KSCH_dsc also shows similarities, and was actively advertising their "best stealer ever released" as recently as 2023.
The following GitHub accounts have been identified in relation to the group:
- https://github.com/KSCHcuck1
- https://github.com/CrackedProgramer412/caca
- https://github.com/MYnva
- https://github.com/404log (dead)
Their public Telegram channel hosts tutorials and a community of users. In the following image capture, users are sharing screenshots of the build process.
Users of the infostealer are openly sharing images of luxury items and money transfers, which is notable because NOVABLIGHT is described as being solely for educational purposes.
NOVABLIGHT analysis
NOVABLIGHT is a modular and feature-rich information stealer built on NodeJS with the Electron framework. Its capabilities go beyond simple credential theft, incorporating methods for data collection and exfiltration, sandbox detection, and heavy obfuscation.
A notable aspect of the malware's build process is its modular configuration. Although a customer can choose to disable specific features, the underlying code for those functions remains within the final payload; it is dormant and won’t be executed based on the build's configuration flags.
Code snippets in this report are from a non-obfuscated version 2.0 sample, when implementation details match version 2.2 samples, or from our manually de-obfuscated code of a version 2.2 sample when they differ.
Code structure
From initial setup to data theft, the infostealer is organized into a clear, multi-stage pipeline managed by high-level "flow" controllers. The primary stages are:
- flow/init: Pre-flight checks (running instances, admin privileges, internet connectivity), anti-analysis checks, system info enumeration, establish persistence, etc.
- flow/injecting: Application injection and patching (Atomic, Mullvad, Discord, …)
- flow/grabb: Data harvesting
- flow/ClipBoard: Clipboard hijacking
- flow/sending: Data exfiltration
- flow/disable: System sabotage (disable Windows Defender, system anti-reset, broken Internet connectivity, …)
- flow/cleaning: Post-exfiltration cleanup
For more insights into the code structure, check out this GitHub Gist, which lists the direct dependencies for each of NOVABLIGHT’s core modules and execution flows.
Anti-debug and sandbox detection
NOVABLIGHT incorporates multiple techniques to detect and evade analysis environments, combining environment fingerprinting with active countermeasures. These checks include:
- Detecting VM-related GPU names (vmware, virtualbox, qemu)
- Checking for blacklisted usernames (sandbox, test, malware)
- Identifying VM-specific driver files (balloon.sys, qemu-ga)
- Checking for low screen resolution and lack of USB devices
- Querying GitHub for blacklists of IPs, HWIDs, usernames, programs, organizations, GPU names, PC names, and Operating Systems
- Actively killing known analysis and debugging tools found in a remote list
The blacklists are hosted on GitHub:
- https://raw.githubusercontent.com/Mynva/sub/main/json/blocked_ips.json
- https://raw.githubusercontent.com/Mynva/sub/main/json/blocked_progr.json
- https://raw.githubusercontent.com/Mynva/sub/refs/heads/main/json/blockedorg.json
- https://raw.githubusercontent.com/Mynva/sub/main/json/blocked_GPUTYPE.json
- https://raw.githubusercontent.com/Mynva/sub/main/json/nope.json
- https://raw.githubusercontent.com/Mynva/sub/main/json/blocked_hwid.json
- https://raw.githubusercontent.com/Mynva/sub/main/json/blockedpcname.json
- https://raw.githubusercontent.com/MYnva/sub/refs/heads/main/json/blockedOS.json
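The checks above decide whether the stealer runs at all, so an analyst wants to know which of them a given sandbox would trip. The following is an added example, not NOVABLIGHT's own code: it reimplements the gating logic as described, with constructed stand-ins for the GitHub-hosted JSON lists. The match mode per list (substring for GPU and username, exact for PC name, HWID and IP) and the resolution threshold are assumptions, not values recovered from the sample.

```javascript
// Added example, not NOVABLIGHT's code: a reimplementation of the gating logic described
// above, so an analyst can feed in a sandbox's own profile and see which checks would
// stop the stealer before it runs. The lists are constructed stand-ins for the JSON files
// fetched from GitHub; the match mode per list and the thresholds are assumptions.
const BLOCKLISTS = {
  gpuNames: ['vmware', 'virtualbox', 'qemu'],          // substring, case-insensitive
  usernames: ['sandbox', 'test', 'malware'],           // substring, case-insensitive
  pcNames: ['DESKTOP-ANALYSIS', 'SANDBOX-PC'],         // exact, case-insensitive
  hwids: ['00000000-0000-0000-0000-000000000000'],     // exact
  ips: ['203.0.113.7'],                                // exact (TEST-NET-3, constructed)
  driverFiles: ['balloon.sys', 'qemu-ga.exe', 'vboxguest.sys'], // present under System32
  programs: ['procmon.exe', 'x64dbg.exe', 'wireshark.exe'],     // killed if running
};
const MIN_WIDTH = 1024, MIN_HEIGHT = 768; // assumed "low resolution" threshold

// Returns { bail, reasons, toKill }: bail is true when any fingerprint check fires,
// toKill lists running processes that the remote "programs" list would have terminated.
function evaluateHost(host, lists = BLOCKLISTS) {
  const lower = (s) => String(s).toLowerCase();
  const reasons = [];
  if (lists.gpuNames.some((g) => lower(host.gpu).includes(g))) reasons.push('gpu');
  if (lists.usernames.some((u) => lower(host.username).includes(u))) reasons.push('username');
  if (lists.pcNames.some((p) => lower(p) === lower(host.pcName))) reasons.push('pcname');
  if (lists.hwids.includes(host.hwid)) reasons.push('hwid');
  if (lists.ips.includes(host.publicIp)) reasons.push('ip');
  const present = new Set(host.systemFiles.map(lower));
  if (lists.driverFiles.some((d) => present.has(d))) reasons.push('vm_driver');
  if (host.screen.width < MIN_WIDTH || host.screen.height < MIN_HEIGHT) reasons.push('resolution');
  if (host.usbDevices.length === 0) reasons.push('no_usb');
  const toKill = host.processes.filter((p) => lists.programs.includes(lower(p)));
  return { bail: reasons.length > 0, reasons, toKill };
}

// Constructed profiles: a stock analysis VM, and the same VM adjusted to pass every check.
const ANALYSIS_VM = {
  gpu: 'VMware SVGA 3D', username: 'sandbox', pcName: 'DESKTOP-ANALYSIS',
  hwid: '1F2E3D4C-0000-1111-2222-333344445555', publicIp: '198.51.100.20',
  systemFiles: ['ntoskrnl.exe', 'balloon.sys'], screen: { width: 800, height: 600 },
  usbDevices: [], processes: ['explorer.exe', 'x64dbg.exe'],
};
const HARDENED_VM = {
  ...ANALYSIS_VM, gpu: 'NVIDIA GeForce RTX 3060', username: 'jdupont', pcName: 'LAPTOP-JD',
  systemFiles: ['ntoskrnl.exe'], screen: { width: 1920, height: 1080 },
  usbDevices: ['Logitech USB Receiver'], processes: ['explorer.exe'],
};
```

Because the username check is a substring match, ordinary names that merely contain a listed token (for example anything containing "test") are treated as a sandbox; that is worth remembering when building a decoy user for detonation.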
Disable Defender & attempts to disable Task Manager
NOVABLIGHT attempts to disable Windows Defender and related Windows security features by downloading and executing a batch script, DisableWD.bat, from a public GitHub repository.
The malware claims to be capable of disabling the Task Manager, making it difficult for a non-technical user to identify and terminate the malicious process. It calls setValues from the regedit-rs package to set the DisableTaskMgr value to 1 under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System. However, the regedit-rs repository (v1.0.3, matching the sample's dependency) exports no function named setValues, only putValue, so this functionality may not work as intended.
Disable internet access
To disrupt the victim's internet connection, the malware employs two distinct methods. The first persistently disables the Wi-Fi adapter by resetting it in a rapid loop, using the resetWiFi function of the external npm package wifi-control. The second disables the primary "Ethernet" network adapter with the netsh command, re-running it every 5 seconds to undo any attempt to re-enable the adapter.
Defeat system recovery
The malware can sabotage system recovery by disabling the Windows Recovery Environment (reagentc /disable) and deleting all Volume Shadow Copies (vssadmin delete shadows /all) when the antireset flag is enabled in the configuration.
Blocking file deletion
Another system-sabotage function, and one the victim may notice, makes the malware's own executable undeletable by changing its security permissions with icacls "${filePath}" /deny ${currentUser}:(DE,DC), where DE denies the delete right and DC the delete-child right (intended to block deletion through the parent folder). Optionally, it also displays a pop-up message box containing a "troll" message.
Before locking itself, it also executes a PowerShell command to remove the victim's account from the following system groups: Administrators, Power Users, Remote Desktop Users, Administrateurs.
Clipboard address substitution
The malware implements a "clipper" module that continuously monitors the machine's clipboard for cryptocurrency or PayPal addresses and replaces them with addresses defined in the configuration. If the user who built the payload did not supply their own addresses, the malware falls back to a hardcoded set, presumably controlled by the developers so that they capture funds from their less experienced customers.
Electron application injections
NOVABLIGHT can inject malicious code into several popular Electron-based applications. The payloads are fetched dynamically from the endpoint https://api.nova-blight[.]top/injections/*targeted_application*/*some_key*, targeting applications such as:
- Discord client
- Exodus wallet
- Mullvad VPN client
- Atomic wallet
- Mailspring email client
We were able to retrieve all of the modules from a public GitHub repository.
The injection implementation is a classic example of Electron app repacking: unpack the ASAR archive, rewrite the targeted source files, then repack it. In the Mullvad case, it first unpacks Program Files\Mullvad VPN\resources\app.asar into a temporary directory, fetches a backdoored version of account.js from https://api.nova-blight[.]top/injections/mullvad/dVukBEtL8rW2PDgkwdwfbNSdG3imwU8bZhYUygzthir66sXXUuyURunOin9s, overwrites the original account.js, and finally repacks the archive. While this may still work against older Mullvad releases such as 2025.4, it does not appear to work on the latest version of Mullvad.
In a similar case for the Exodus client, the NOVABLIGHT developers modified the setPassphrase function in the main module of the Exodus application, with additional credential-stealing functionalities.
This is what main/index.js looks like in a legitimate release of Exodus 25.28.4:
In the trojanized index.js, user-entered passphrases are exfiltrated via configurable Discord webhooks and Telegram, using either the official Telegram API or a custom Telegram API proxy.
Chrome sensitive data extraction
For targeting Chromium-based browsers (Brave, Chrome, Edge) running on version 137, the malware downloads a zip file containing a Chrome data decryption tool from https://github.com/Hyutop/pandakmc-auto-vote/blob/main/bin.zip.
The GitHub repository attempts to masquerade as a Minecraft voting management tool.
However, the zip file bin.zip contains the compiled code (decrypt.exe and chrome_decrypt.dll) of version 0.11.0 of the Chrome App-bound decrypter PoC project by xaitax.
System enumeration
Once active, NOVABLIGHT executes a comprehensive suite of system enumeration functions designed to build a complete profile of the victim's machine and user activity. Each module targets a specific piece of information, which is then saved to a local directory before being uploaded to the command-and-control server. Detection engineers should note the specific implementations of each technique, and which data source(s) provide sufficient visibility.
- captureSystemInfo(): Gathers extensive hardware and software specifications to fingerprint the device, including the Hardware ID (HWID), CPU and GPU models, RAM size, disk information, Windows OS version, and a list of all connected USB devices.
  - Output: *configured_path*/System Info.txt
- captureScreen(): Captures a full screenshot of the victim's desktop, providing immediate insight into the user's current activity.
  - Method: Utilizes the screenshot-desktop library.
  - Output: A timestamped image file (e.g., *configured_path*/hostname_2025-10-26_14-30-00.png).
- captureTaskList(): Obtains a list of all currently running processes for situational awareness, letting the attacker see which applications and security tools are active.
  - Method: Executes the command tasklist /FO CSV /NH.
  - Output: *configured_path*/TaskManagerInfo.txt
- captureAVDetails(): Identifies the installed antivirus or endpoint protection product by querying the Windows Security Center.
  - Method: Executes the PowerShell command Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct | Format-List
  - Output: *configured_path*/Avdetails.txt
- captureClipboardContent(): Dumps the current content of the user's clipboard, which can hold sensitive, transient information such as passwords or copied messages.
  - Method: Executes the PowerShell command Get-Clipboard.
  - Output: *configured_path*/Clipboard.txt
- captureWebcamVideo(): Covertly records a video with the system's primary webcam, providing visual intelligence on the victim and their environment.
  - Method: Leverages the direct-synch-show library for video capture.
  - Output: *configured_path*/Bighead.avi
- captureWifiPasswords(): Exfiltrates the passwords of all saved Wi-Fi networks on the device, enabling potential lateral movement or access to other networks the victim uses.
  - Method: Executes the command netsh wlan show profile *wifi_ssid* key=clear for each profile.
  - Output: *configured_path*/WifiPasswords.txt
- getFilesUrgents: Exfiltrates files on disk whose names match a set of keywords (spelled here as they appear in the code): backup, default, code, discord, token, passw, mdp, motdepasse, mot_de_passe, login, secret, account, acount, apacht, banque, bank, matamask, wallet, crypto, exdous, 2fa, a1f, memo, compone, finance, seecret, credit, cni.
  - Output: the matching files are archived as files.zip and sent to the C2.
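The sabotage commands (reagentc, vssadmin, icacls, netsh, the group-removal PowerShell) and the enumeration commands listed above all surface as process-creation events, and what distinguishes the stealer from an administrator is that one odd parent process runs many of them within seconds. The following is an added example, not NOVABLIGHT's or Elastic's detection code: a small rule set over command lines plus a correlation step keyed on the parent image. It serves both the system-sabotage sections and this enumeration list. Event shape and timestamps are constructed; the netsh adapter-disable and group-removal syntaxes are assumptions, since the post names those tools but not their exact arguments.

```javascript
// Added example, not NOVABLIGHT's or Elastic's code: match the command lines from the
// sabotage sections (network, recovery, file locking, group removal) and the enumeration
// list against process-creation events, then correlate hits per parent process.
// Event shape and timestamps are constructed; the adapter-disable and group-removal
// syntaxes are assumed, since the post names the tools but not the exact arguments.
const RULES = [
  { name: 'winre_disabled',        weight: 3, re: /\breagentc(\.exe)?\b.*\/disable\b/i },
  { name: 'shadow_copies_deleted', weight: 3, re: /\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b.*\/all\b/i },
  { name: 'self_deny_delete',      weight: 3, re: /\bicacls(\.exe)?\b.*\/deny\b.*:\(DE,DC\)/i },
  { name: 'adapter_disabled',      weight: 2, re: /\bnetsh(\.exe)?\b.*\binterface\s+set\s+interface\b.*\bdisable\b/i }, // assumed syntax
  { name: 'group_removal',         weight: 2, re: /\b(Remove-LocalGroupMember|net1?(\.exe)?\s+localgroup)\b.*\b(Administrators|Administrateurs|Power Users|Remote Desktop Users)\b/i }, // assumed syntax
  { name: 'wifi_keys_dumped',      weight: 2, re: /\bnetsh(\.exe)?\b.*\bwlan\s+show\s+profile\b.*\bkey=clear\b/i },
  { name: 'av_enumerated',         weight: 1, re: /Get-CimInstance\b.*SecurityCenter2\b.*AntiVirusProduct\b/i },
  { name: 'clipboard_read',        weight: 1, re: /\bGet-Clipboard\b/i },
  { name: 'tasklist_csv',          weight: 1, re: /\btasklist(\.exe)?\b.*\/FO\s+CSV\b.*\/NH\b/i },
];

const matchRules = (cmd) => RULES.filter((r) => r.re.test(cmd)).map((r) => r.name);

// Group hits by (host, parent image) within a time window and sum the rule weights.
// Keying on the parent captures the stealer's shape (many sabotage commands spawned by one
// binary in a user-writable path) and keeps a lone admin command below the threshold.
function correlate(events, { windowSec = 300, threshold = 5 } = {}) {
  const groups = new Map();
  for (const ev of [...events].sort((a, b) => a.ts - b.ts)) {
    const names = matchRules(ev.cmd);
    if (names.length === 0) continue;
    const key = `${ev.host}|${ev.parent.toLowerCase()}`;
    const g = groups.get(key) || { host: ev.host, parent: ev.parent, first: ev.ts, rules: new Set() };
    if (ev.ts - g.first > windowSec) { g.first = ev.ts; g.rules.clear(); } // window expired: restart
    for (const n of names) g.rules.add(n);
    groups.set(key, g);
  }
  return [...groups.values()].map((g) => {
    const rules = [...g.rules].sort();
    const score = rules.reduce((s, n) => s + RULES.find((r) => r.name === n).weight, 0);
    return { host: g.host, parent: g.parent, rules, score, alert: score >= threshold };
  });
}

// Constructed events: a fake game installer running the stealer's chain on WS01, and an
// administrator clearing shadow copies by hand on ADM01.
const T = 1700000000; // epoch seconds, constructed
const INSTALLER = 'C:\\Users\\bob\\AppData\\Local\\Temp\\game_installer.exe';
const SAMPLE_EVENTS = [
  { ts: T,      host: 'WS01',  parent: INSTALLER, cmd: 'reagentc.exe /disable' },
  { ts: T + 2,  host: 'WS01',  parent: INSTALLER, cmd: 'vssadmin.exe delete shadows /all /quiet' },
  { ts: T + 4,  host: 'WS01',  parent: INSTALLER, cmd: `icacls "${INSTALLER}" /deny bob:(DE,DC)` },
  { ts: T + 6,  host: 'WS01',  parent: INSTALLER, cmd: 'netsh wlan show profile "HomeWiFi" key=clear' },
  { ts: T + 8,  host: 'WS01',  parent: INSTALLER, cmd: 'powershell.exe -NoProfile -Command Get-Clipboard' },
  { ts: T + 60, host: 'ADM01', parent: 'C:\\Windows\\explorer.exe', cmd: 'vssadmin delete shadows /all /quiet' },
  { ts: T + 61, host: 'ADM01', parent: 'C:\\Windows\\explorer.exe', cmd: 'notepad.exe notes.txt' },
];
```

The weights are deliberately skewed toward the sabotage commands, which have almost no benign reason to be spawned by an Electron binary from a temp directory, while the enumeration commands score low on their own because administrators and inventory agents run them routinely. The DisableTaskMgr write is absent from the rule set because it is a registry modification, not a child process, and needs a registry event source instead.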
Data exfiltration
There are 3 channels for the stolen data: the official web panel owned by the NOVABLIGHT group, the Discord webhook API, and the Telegram API. The status of these channels is uncertain, as the main proxy API and web panel are currently down, which may disrupt the functionality of the Discord and Telegram channels if they rely on the same proxy infrastructure.
The web panel was once the official exfiltration channel, as it was advertised as their primary data management platform.
The Telegram implementation first tries to send the data to a configured proxy URL; the code checks whether the URL contains the string req (in the analyzed sample, https://bamboulacity.nova-blight[.]xyz/req/dVukBEtL8rW2PDgkwdwfbNSdG3imwU8bZhYUygzthir66sXXUuyURunOin9s).
If the proxy URL is not configured or does not meet that condition, the module falls back to communicating directly with the official Telegram API (at https://api.telegram[.]org/bot*token*/sendMessage) using a configured userId, chatId and botToken to send the stolen data.
Unlike the Telegram module, the Discord webhook implementation is much simpler. It utilizes a single URL for exfiltration with no fallback mechanism. The analyzed samples consistently used the custom proxy URL for this purpose.
NOVABLIGHT employs a redundant and multi-tiered infrastructure. Instead of relying on a single upload host, which would create a single point of failure, the malware leverages a combination of legitimate third-party file-hosting services and its own dedicated backend. The following is the extracted list of domains and endpoints:
https://bashupload[.]com
https://litterbox.catbox[.]moe/resources/internals/api.php
https://tmpfiles[.]org/api/v1/upload
https://oshi[.]at/
http://sendfile[.]su/
https://wsend[.]net
https://api.gofile[.]io/servers
https://gofile[.]io/uploadFiles
https://rdmfile[.]eu/api/upload
https://bamboulacity.nova-blight[.]xyz/file/
Targeted data
NOVABLIGHT executes targeted routines designed to steal credentials and session files from a specific list of installed software. The curated list is available in this GitHub Gist.
Obfuscation techniques
Array mapping
The first technique to tackle is the malware’s use of array mapping. The script initializes a single large global array __p_6Aeb_dlrArray
with values of different types and encoding, which accounts for nearly all literal values used in the script.
Even after the array index references are substituted, many strings remain split into small chunks that are concatenated at runtime; at this stage, however, the NOVABLIGHT version number can already be identified.
String encoding
The second technique used to hide strings is base91 encoding. The wrapper function __p_xIFu_MAIN_STR is called with an integer argument. The integer is an index into a secondary array, __p_9sMm_array, that contains the encoded strings; the wrapper retrieves the encoded string and passes it to the decoding routine __p_xIFu_MAIN_STR_decode, which decodes it using a custom alphabet and returns the decoded string:
vFAjbQox>5?4K$m=83GYu.nBIh<drPaN^@%Hk:D_sSyz"ER9/p,(*JwtfO)iUl&C[~}{|Z+gX1MqL;60!e]T#2cVW7
Note that, as rendered here, this alphabet is 90 characters long while a complete base91 alphabet has 91; the only symbol of the standard base91 set that does not appear is the backtick, which markdown rendering typically drops. Recover the exact alphabet from the sample before reusing it.
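To turn an encoded string table into readable strings, an analyst needs a base91 decoder that accepts the sample's alphabet rather than the standard one. The following is an added example, not NOVABLIGHT's decoding routine: it implements Joachim Henke's basE91 scheme parameterised by alphabet, with the encoder included so the constructed string table can be generated offline, plus the index-based resolver the stealer wraps around the decoder. The custom alphabet used here is a hypothetical permutation of the standard set; to decode a real sample, replace it with the full 91-character alphabet recovered from the script.

```javascript
// Added example, not NOVABLIGHT's code: basE91 encode/decode (Joachim Henke's scheme)
// parameterised by alphabet, plus the string-table lookup the stealer wraps around it.
// CUSTOM_ALPHABET is a hypothetical permutation of the standard set; swap in the 91
// characters recovered from a sample to decode its __p_9sMm_array entries.
const STD_ALPHABET =
  'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#$%&()*+,./:;<=>?@[]^_`{|}~"';
const CUSTOM_ALPHABET = STD_ALPHABET.slice(37) + STD_ALPHABET.slice(0, 37);

// Encode bytes: accumulate bits, emit two symbols per 13- or 14-bit chunk.
function base91Encode(bytes, alphabet = STD_ALPHABET) {
  let b = 0, n = 0, out = '';
  for (const byte of bytes) {
    b |= byte << n;
    n += 8;
    if (n > 13) {
      let v = b & 8191;                                   // try a 13-bit chunk first
      if (v > 88) { b >>= 13; n -= 13; }
      else { v = b & 16383; b >>= 14; n -= 14; }          // small value: take 14 bits
      out += alphabet[v % 91] + alphabet[Math.floor(v / 91)];
    }
  }
  if (n) {
    out += alphabet[b % 91];
    if (n > 7 || b > 90) out += alphabet[Math.floor(b / 91)];
  }
  return out;
}

// Decode text: pairs of symbols become a value v = c1 + 91*c2 carrying 13 or 14 bits.
// Unknown symbols throw, so a wrong or incomplete alphabet fails loudly instead of
// silently producing garbage.
function base91Decode(text, alphabet = STD_ALPHABET) {
  if (new Set(alphabet).size !== 91) throw new Error(`alphabet needs 91 distinct symbols, got ${new Set(alphabet).size}`);
  const table = new Map([...alphabet].map((c, i) => [c, i]));
  let b = 0, n = 0, v = -1;
  const out = [];
  for (const ch of text) {
    const c = table.get(ch);
    if (c === undefined) throw new Error(`symbol ${JSON.stringify(ch)} is not in the alphabet`);
    if (v < 0) { v = c; continue; }
    v += c * 91;
    b |= v << n;
    n += (v & 8191) > 88 ? 13 : 14;
    do { out.push(b & 255); b >>= 8; n -= 8; } while (n > 7);
    v = -1;
  }
  if (v >= 0) out.push((b | (v << n)) & 255);
  return Buffer.from(out);
}

// The stealer's wrapper shape: an integer index into a table of encoded strings.
function makeStringResolver(encodedTable, alphabet) {
  return (index) => base91Decode(encodedTable[index], alphabet).toString('utf8');
}

// Constructed string table (not taken from a NOVABLIGHT sample), built with the custom alphabet.
const PLAINTEXTS = ['reagentc /disable', 'vssadmin delete shadows /all', 'https://api.telegram.org/bot'];
const ENCODED_TABLE = PLAINTEXTS.map((s) => base91Encode(Buffer.from(s, 'utf8'), CUSTOM_ALPHABET));
const resolveString = makeStringResolver(ENCODED_TABLE, CUSTOM_ALPHABET);
```

Because the encoder and decoder share one alphabet parameter, the same two functions also serve to re-encode strings when patching a sample for dynamic testing. The strict alphabet check in base91Decode is what catches the 90-character alphabet as printed above.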
Access pattern obfuscation
Instead of accessing objects and functions directly, the code uses intermediate flattened “proxy” objects with mangled keys, wrapping objects in another layer of objects to hide the original access patterns.
For example, the function __p_LQ1f_flat_… is passed a flat object __p_w3Th_flat_object. This object contains three get accessors for properties, one of which returns the disableNetwork flag retrieved from the config, and a wrapper for a dispatcher call (__p_jGTR_dispatcher_26). Throughout the code, property names start with empretecerian.js, which happens to also be the script file's name. The callee function can then access the actual objects and functions through this flat object populated by the caller.
Control flow obfuscation
Some of the code's execution paths are routed through a central dispatcher, __p_jGTR_dispatcher_26, whose first argument is a short ID string. Each ID is mapped to a distinct function. For example, the ID jgqatJ is referenced by the modules/init/Troll.js module and is responsible for the "troll" pop-up message box.
Proxy variables
First, the obfuscation rewrites function signatures into "rest parameters" syntax, replacing named parameters with an array that stores the argument values; the code then references that array with numerical indices. For instance, the function __p_xIFu_MAIN_STR_decode is not called with direct parameters. Instead, its arguments are first placed into the __p_A5wG_varMask array (line 22), and the function retrieves them from predefined indices. For example, at line 25, index -36 of the array stores the index of the character "c" in a string stored in __p_A5wG_varMask[171].
NOVABLIGHT and MITRE ATT&CK
Elastic uses the MITRE ATT&CK framework to document common tactics, techniques, and procedures that advanced persistent threats use against enterprise networks.
Tactics
- Execution
- Persistence
- Defense Evasion
- Credential Access
- Discovery
- Collection
- Command and Control
- Exfiltration
Techniques
- Obfuscated Files or Information
- Process Discovery
- Command and Scripting Interpreter: PowerShell
- Command and Scripting Interpreter: JavaScript
- Data Staged: Local Data Staging
- System Information Discovery
- File and Directory Discovery
- Screen Capture
- Clipboard Data
- Video Capture
- Virtualization/Sandbox Evasion: System Checks
- Account Access Removal
- Credentials from Password Stores: Credentials from Web Browsers
- Impair Defenses: Disable or Modify Tools
- Exfiltration Over Web Service: Exfiltration to Cloud Storage
Conclusion
NOVABLIGHT shows how even lesser-known malware can make an impact. By offering a polished, easy-to-use tool through platforms like Telegram and Discord, its creators have made it simple for anyone to get involved in cybercrime.
Furthermore, this threat is not static. Our analysis confirms that NOVABLIGHT is under continuous and active development. This ongoing evolution ensures that NOVABLIGHT will remain a persistent and relevant threat for the foreseeable future.
Detecting NOVABLIGHT
YARA
Elastic Security has created YARA rules to identify this activity.
```yara
rule Windows_Infostealer_NovaBlight {
    meta:
        author = "Elastic Security"
        creation_date = "2025-07-18"
        last_modified = "2025-07-28"
        os = "Windows"
        arch = "x86"
        category_type = "Infostealer"
        family = "NovaBlight"
        threat_name = "Windows.Infostealer.NovaBlight"
        reference_sample = "d806d6b5811965e745fd444b8e57f2648780cc23db9aa2c1675bc9d18530ab73"
    strings:
        $a1 = "C:\\Users\\Administrateur\\Desktop\\Nova\\"
        $a2 = "[+] Recording..." fullword
        $a3 = "[+] Capture start" fullword
    condition:
        all of them
}
```
Observations
The following observables were discussed in this research.
| Observable | Type | Name | Reference |
|---|---|---|---|
| ed164ee2eacad0eea9dc4fbe271ee2b2387b59929d73c843281a8d5e94c05d64 | SHA-256 | NOVABLIGHT version 2.2 | |
| 39f09771d70e96c7b760b3b6a30a015ec5fb6a9dd5bc1e2e609ddf073c2c853d | SHA-256 | NOVABLIGHT version 2.1 | |
| 97393c27195c58f8e4acc9312a4c36818fe78f2ddce7ccba47f77a5ca42eab65 | SHA-256 | NOVABLIGHT version 2.0 | |
| api.nova-blight[.]top | DOMAIN | NOVABLIGHT dashboard | |
| shadow.nova-blight[.]top | DOMAIN | NOVABLIGHT dashboard | |
| nova-blight[.]site | DOMAIN | NOVABLIGHT dashboard | |
| nova-blight[.]xyz | DOMAIN | NOVABLIGHT dashboard | |
| bamboulacity.nova-blight[.]xyz | DOMAIN | NOVABLIGHT dashboard | |
References
The following were referenced throughout the above research: