MaaS Appeal: An Infostealer Rises From The Ashes

July 31, 2025, 8:27 p.m.

Description

NOVABLIGHT is a NodeJS-based Malware-as-a-Service (MaaS) information stealer developed by a French-speaking threat group. It's sold as an educational tool but used for credential theft and cryptowallet compromise. The malware features heavy obfuscation, multiple anti-analysis techniques, and various data exfiltration methods. It can disable Windows Defender, sabotage system recovery, and inject malicious code into popular Electron-based applications. NOVABLIGHT employs comprehensive system enumeration, captures screenshots and webcam footage, and steals passwords from various sources. The threat actors use Telegram and Discord for sales and support, with licenses valid for up to a year.

External References

https://www.elastic.co/security-labs/maas-appeal-an-infostealer-rises-from-the-ashes
https://otx.alienvault.com/pulse/688bcc2443b220b3ccb77c5c
Tags
obfuscation
infostealer
anti-analysis
electron
credential theft
data exfiltration
maas
nodejs
2025-07-31
nova sentinel
malicord
novablight

Date

  • Created: July 31, 2025, 8:03 p.m.
  • Published: July 31, 2025, 8:03 p.m.
  • Modified: July 31, 2025, 8:27 p.m.

Indicators

  • ed164ee2eacad0eea9dc4fbe271ee2b2387b59929d73c843281a8d5e94c05d64
  • 97393c27195c58f8e4acc9312a4c36818fe78f2ddce7ccba47f77a5ca42eab65
  • 39f09771d70e96c7b760b3b6a30a015ec5fb6a9dd5bc1e2e609ddf073c2c853d
  • shadow.nova-blight.top
  • bamboulacity.nova-blight.xyz
  • api.nova-blight.top
  • nova-blight.xyz
  • nova-blight.site
Download all indicators here!

Attack Patterns

  • MALICORD
  • Nova Sentinel
  • NOVABLIGHT
  • Sordeal Group