NOVABLIGHT’s product page on Billgang | Image: Elastic Security Labs
Elastic Security Labs has exposed the inner workings of NOVABLIGHT, a highly modular, NodeJS-based Malware-as-a-Service (MaaS) information stealer tied to the French-speaking Sordeal Group—the same threat actors behind malware like Nova Sentinel and MALICORD.
Marketed disingenuously as an “educational tool,” NOVABLIGHT is anything but benign. With active distribution via Telegram, Discord, and underground marketplaces like Billgang, it enables even amateur threat actors to launch fully weaponized campaigns with a few clicks.
“Users of the infostealer are openly sharing images of luxury items and money transfers, which is notable because NOVABLIGHT is described as being solely for educational purposes,” notes Elastic Security Labs.
Elastic researchers uncovered multiple NOVABLIGHT campaigns that exploit fake video game installers as their infection vector. In one instance, victims were lured through a spoofed site—http://gonefishe[.]com—which prompted downloads of French-localized games mimicking recent Steam releases.
Buyers of NOVABLIGHT receive an API key (valid for 1 to 12 months) and a builder bot hosted on Discord or Telegram. A dashboard presents stolen data retrieved from infected victims via domains like:
- api.nova-blight[.]top
- shadow.nova-blight[.]top
- bamboulacity.nova-blight[.]xyz
The dashboard includes screenshots, system logs, and browser cookies—giving cybercriminals real-time access to victims’ digital lives.
The malware’s pipeline includes modules for:
- Clipboard hijacking, stealing crypto wallet addresses and replacing them with attacker-controlled ones.
- Webcam spying using the victim’s default camera.
- Credential theft from Discord, Chrome, Exodus wallet, and more.
- System sabotage, including disabling Task Manager, Wi-Fi, and Windows Defender.
Elastic’s analysts describe it as a “modular and feature-rich information stealer… with anti-analysis checks, sandbox detection, and heavy obfuscation.”
To remain undetected, NOVABLIGHT executes anti-VM and anti-debugging routines. It blacklists VMs by detecting known drivers (e.g., qemu-ga, balloon.sys) and profiles the system environment. More concerning is its sabotage functionality:
“Before locking itself, it also executes a PowerShell command to remove the victim’s account from system groups: Administrators, Power Users, Remote Desktop Users…”
The malware also makes itself undeletable by denying the user delete permissions using Windows’ icacls utility.
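As an added example (not Elastic's code or anything from the report), a small Python classifier that flags the three sabotage behaviours described above in process-creation telemetry. The sample events, the Remove-LocalGroupMember and "net localgroup ... /delete" spellings, and the DisableTaskMgr policy value are assumptions: the report names the behaviours, not the exact commands.

```python
import re

# Constructed sample process-creation events (not real NOVABLIGHT telemetry).
# Each dict carries the fields a Sysmon Event ID 1 or Windows 4688 record exposes.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\icacls.exe",
     "cmdline": r'icacls "C:\Users\victim\AppData\Roaming\app\loader.exe" /deny victim:(D)'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -NoProfile -Command \"Remove-LocalGroupMember -Group 'Remote Desktop Users' -Member victim\""},
    {"image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"},
    {"image": r"C:\Windows\System32\icacls.exe",
     "cmdline": r'icacls "C:\Share\reports" /grant Users:(R)'},  # benign ACL change, must not fire
]

PROTECTED_GROUPS = ("Administrators", "Power Users", "Remote Desktop Users")

# icacls: a /deny ACE whose rights list includes delete, either the simple right D
# or the granular right DE, e.g. "/deny victim:(D)" or "/deny victim:(DE,WDAC)".
ICACLS_DENY_DELETE = re.compile(r"/deny\b.*?\((?:[^)]*,)?(?:D|DE)(?:,[^)]*)?\)", re.I)
# Group removal from PowerShell. The report names the groups but not the command;
# Remove-LocalGroupMember and "net localgroup ... /delete" are assumed spellings.
GROUP_REMOVAL = re.compile(r"Remove-LocalGroupMember|net(?:1)?(?:\.exe)?\s+localgroup\b.*?/delete", re.I)
# Task Manager lockout via the DisableTaskMgr policy value (assumed mechanism;
# the report only says Task Manager gets disabled).
DISABLE_TASKMGR = re.compile(r"Policies\\System\b.*\bDisableTaskMgr\b", re.I)


def classify(event):
    """Return the sabotage technique an event matches, or None."""
    image = event["image"].lower()
    cmd = event["cmdline"]
    if image.endswith("icacls.exe") and ICACLS_DENY_DELETE.search(cmd):
        return "icacls_deny_delete"
    if (image.endswith(("powershell.exe", "pwsh.exe")) and GROUP_REMOVAL.search(cmd)
            and any(g.lower() in cmd.lower() for g in PROTECTED_GROUPS)):
        return "privileged_group_removal"
    if image.endswith(("reg.exe", "powershell.exe", "pwsh.exe")) and DISABLE_TASKMGR.search(cmd):
        return "taskmgr_disabled"
    return None


def detect(events):
    """Map each matching event's command line to its technique label."""
    return {e["cmdline"]: t for e in events if (t := classify(e))}


if __name__ == "__main__":
    for cmdline, technique in detect(SAMPLE_EVENTS).items():
        print(f"[{technique}] {cmdline}")
```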
Electron-based apps like Discord, Mullvad VPN, Atomic Wallet, and Mailspring are repacked with malicious scripts. For example, the Mullvad client is backdoored via a modified account.js, while Exodus Wallet sees its password-capturing function altered to send credentials over Discord and Telegram webhooks.
For Chrome, it fetches a decryption tool from GitHub disguised as a Minecraft vote manager to extract sensitive browser data.
Stolen data is sent via:
- Telegram bots and proxies (bamboulacity.nova-blight[.]xyz)
- Discord webhooks
- File-hosting services like gofile[.]io, oshi[.]at, and bashupload[.]com
The malware also collects a range of files based on keywords like wallet, passw, 2fa, crypto, and cni, packaging them into files.zip for export.
NOVABLIGHT’s code is highly obfuscated using:
- Array mapping and string encoding (base91)
- Proxy variable flattening
- Control flow redirection via dispatcher functions
Elastic reports: “Each ID is mapped to a distinct function. For example, the ID jgqatJ is responsible for a ‘troll’ popup message box.”