
MaaS Appeal: An Infostealer Rises From The Ashes

Medium
Published: Thu Jul 31 2025 (07/31/2025, 20:03:48 UTC)
Source: AlienVault OTX General

Description

NOVABLIGHT is a NodeJS-based Malware-as-a-Service (MaaS) information stealer developed by a French-speaking threat group. It's sold as an educational tool but used for credential theft and cryptowallet compromise. The malware features heavy obfuscation, multiple anti-analysis techniques, and various data exfiltration methods. It can disable Windows Defender, sabotage system recovery, and inject malicious code into popular Electron-based applications. NOVABLIGHT employs comprehensive system enumeration, captures screenshots and webcam footage, and steals passwords from various sources. The threat actors use Telegram and Discord for sales and support, with licenses valid for up to a year.

AI-Powered Analysis

Last updated: 07/31/2025, 20:33:05 UTC

Technical Analysis

NOVABLIGHT is a sophisticated NodeJS-based Malware-as-a-Service (MaaS) infostealer developed by a French-speaking threat group known as the Sordeal Group. Although marketed as an educational tool, it is actively used for malicious purposes including credential theft and compromise of cryptocurrency wallets. The malware employs heavy code obfuscation and multiple anti-analysis techniques to evade detection and hinder reverse engineering efforts. It targets Windows systems and is capable of disabling Windows Defender, sabotaging system recovery mechanisms, and injecting malicious code into popular Electron-based applications, which are widely used for desktop apps built on web technologies. NOVABLIGHT performs comprehensive system enumeration to gather detailed information about the infected host environment. It captures screenshots and webcam footage, enabling visual espionage. The malware steals passwords from various sources, including browsers and other credential stores, and exfiltrates data using multiple methods to avoid network detection. The threat actors behind NOVABLIGHT use Telegram and Discord platforms for sales and customer support, offering licenses valid up to one year, which facilitates widespread distribution and ongoing updates. Indicators of compromise include specific file hashes and domains associated with the malware infrastructure. While no known exploits in the wild have been reported yet, the malware’s capabilities and MaaS model make it a potent threat, especially for organizations with Electron-based applications and users with cryptocurrency assets. The malware’s use of anti-analysis and defense evasion techniques increases the difficulty of detection and remediation.

Potential Impact

For European organizations, NOVABLIGHT poses a significant risk to confidentiality and integrity of sensitive information. Credential theft can lead to unauthorized access to corporate networks, email accounts, and cloud services, potentially resulting in data breaches and lateral movement within networks. The capability to compromise cryptocurrency wallets is particularly relevant for financial institutions, fintech companies, and any organization or individual involved in digital asset management. Disabling Windows Defender and sabotaging system recovery can prolong infection duration and complicate incident response efforts. The injection into Electron-based applications threatens a broad range of software commonly used in enterprise environments, increasing the attack surface. The malware’s ability to capture screenshots and webcam footage raises privacy concerns and could lead to espionage or blackmail. The MaaS distribution model lowers the barrier for cybercriminals to deploy this malware, potentially increasing infection rates across Europe. Organizations with remote or hybrid workforces using Electron apps or handling cryptocurrency are especially vulnerable. The threat could disrupt business operations, cause financial losses, and damage reputations if exploited successfully.

Mitigation Recommendations

European organizations should implement targeted defenses against NOVABLIGHT by:

1) Enforcing strict application control policies to prevent unauthorized execution of NodeJS-based scripts and unknown Electron app modifications.
2) Employing advanced endpoint detection and response (EDR) solutions capable of detecting obfuscated malware behavior and anti-analysis techniques.
3) Regularly updating and hardening Windows Defender and system recovery options to prevent tampering.
4) Monitoring network traffic for connections to known malicious domains associated with NOVABLIGHT infrastructure and blocking them at the firewall or DNS level.
5) Conducting regular credential audits and enforcing multi-factor authentication (MFA) to reduce the impact of stolen credentials.
6) Educating users about phishing and social engineering tactics that may deliver the malware.
7) Restricting webcam and screenshot permissions for applications to minimize data leakage.
8) Implementing threat hunting activities focused on indicators of compromise such as the provided hashes and domains.
9) Isolating and monitoring Electron-based applications for suspicious code injections or abnormal behavior.
10) Collaborating with threat intelligence sharing platforms to stay updated on emerging variants and tactics related to NOVABLIGHT.
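As an added example for items 4 and 8 (not code from the pulse or from the Elastic report), the following Python hunt matches resolver query logs and SHA-256 digests against the domains and hashes listed in this pulse's IoC section; the resolver log format and the sample log lines are constructed for the demonstration, and the zone derivation assumes two-label registrable domains.

```python
# Added example: hunt DNS query logs and file digests for the NOVABLIGHT
# indicators listed on this page. Log format and sample lines are constructed.
import re

# Domains and SHA-256 hashes exactly as listed in this pulse's IoC section.
NOVABLIGHT_DOMAINS = {
    "nova-blight.site", "nova-blight.xyz", "api.nova-blight.top",
    "bamboulacity.nova-blight.xyz", "shadow.nova-blight.top",
}
NOVABLIGHT_SHA256 = {
    "39f09771d70e96c7b760b3b6a30a015ec5fb6a9dd5bc1e2e609ddf073c2c853d",
    "97393c27195c58f8e4acc9312a4c36818fe78f2ddce7ccba47f77a5ca42eab65",
    "ed164ee2eacad0eea9dc4fbe271ee2b2387b59929d73c843281a8d5e94c05d64",
}
# Registrable zones derived from the list (assumption: last two labels, which
# holds for .site/.xyz/.top; a public-suffix list is needed for e.g. .co.uk),
# so a newly stood-up host under the same infrastructure is flagged as well.
NOVABLIGHT_ZONES = {".".join(d.split(".")[-2:]) for d in NOVABLIGHT_DOMAINS}

def domain_matches(qname: str) -> bool:
    """True if qname is a listed domain or any host under a listed zone."""
    q = qname.lower().rstrip(".")          # normalise case and trailing dot
    return q in NOVABLIGHT_DOMAINS or any(
        q == z or q.endswith("." + z) for z in NOVABLIGHT_ZONES)

# Constructed resolver log format: "<timestamp> <client> query <name> <type>".
DNS_QUERY = re.compile(r"\bquery (?P<qname>\S+)")

def hunt_dns_log(lines):
    """Return the log lines whose queried name points at NOVABLIGHT infrastructure."""
    hits = []
    for line in lines:
        m = DNS_QUERY.search(line)
        if m and domain_matches(m.group("qname")):
            hits.append(line)
    return hits

def hash_matches(hexdigest: str) -> bool:
    """Case-insensitive lookup of a SHA-256 digest against the pulse's hashes."""
    return hexdigest.strip().lower() in NOVABLIGHT_SHA256

# Constructed sample log lines (not from a real capture); lines 1 and 3 match.
SAMPLE_DNS_LOG = [
    "2025-07-31T20:05:01Z 10.0.0.5 query shadow.nova-blight.top A",
    "2025-07-31T20:05:02Z 10.0.0.5 query update.example.com A",
    "2025-07-31T20:05:03Z 10.0.0.7 query c2-new.nova-blight.xyz A",
]
```

Feed `hunt_dns_log` the query log of your resolver and `hash_matches` the digests from an EDR or file inventory export; a hit on the zone rule rather than an exact listed name is worth a second look before blocking.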


Technical Details

Author: AlienVault
TLP: white
References: https://www.elastic.co/security-labs/maas-appeal-an-infostealer-rises-from-the-ashes
Adversary: Sordeal Group
Pulse Id: 688bcc2443b220b3ccb77c5c
Threat Score: null

Indicators of Compromise

Hash (SHA-256)

39f09771d70e96c7b760b3b6a30a015ec5fb6a9dd5bc1e2e609ddf073c2c853d
97393c27195c58f8e4acc9312a4c36818fe78f2ddce7ccba47f77a5ca42eab65
ed164ee2eacad0eea9dc4fbe271ee2b2387b59929d73c843281a8d5e94c05d64

Yara

4b87f3e3dd91cf7dc9954cd729f8dec7a978c43c

Domain

nova-blight.site
nova-blight.xyz
api.nova-blight.top
bamboulacity.nova-blight.xyz
shadow.nova-blight.top

Threat ID: 688bcf68ad5a09ad00bc13ac

Added to database: 7/31/2025, 8:17:44 PM

Last enriched: 7/31/2025, 8:33:05 PM

Last updated: 8/1/2025, 4:13:11 PM
