{
	"id": "69bffc8c-de39-44fd-b84e-c2980a1f6ad1",
	"created_at": "2026-04-06T00:18:28.411718Z",
	"updated_at": "2026-04-10T03:19:58.079429Z",
	"deleted_at": null,
	"sha1_hash": "0c347dc457bbb69bb3f296c4a72f70325936d902",
	"title": "Nova Infostealer Malware | Sordeal Stealer | Cyfirma",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3833789,
	"plain_text": "Nova Infostealer Malware | Sordeal Stealer | Cyfirma\r\nArchived: 2026-04-05 17:43:23 UTC\r\nPublished On: 2023-11-29\r\nEXECUTIVE SUMMARY\r\nThe report highlights a surge in malicious activities by the Malware-as-a-Service (MaaS) operator Sordeal – particularly with their new malware ‘Nova’ – since at least September 2023. Nova employs extensive system information gathering and registry modifications, and uses techniques to disable kernel-level logs for stealth. The malware focuses on persistence and credential harvesting from browsers and applications, and recently exhibits alarming capabilities such as Discord injection and targeting of crypto wallets. Free key giveaways for access to Nova’s full version contribute to its potential widespread use among black hats.\r\nINTRODUCTION\r\nWith the stealer logs industry becoming more lucrative amongst threat actors, more and more malware developers have started developing sophisticated information stealers. Most information stealers are distributed using social engineering, phishing, and malvertising campaigns to collect sensitive information from a large number of targets.\r\nhttps://www.cyfirma.com/outofband/emerging-maas-operator-sordeal-releases-nova-infostealer/\r\nPage 1 of 21\n\nThis information is sorted based on multiple criteria such as with/without cookies, geography, corporate/non-corporate, and further sold as stealer logs either on private clouds or on popular sites on the Russian Market. Earlier this year, researchers discovered that the main.py file in the Sordeal repository (which has since been deleted) injected malicious Node.js code into the Discord %APPDATA%/Discord/app-(versions)/modules/discord_desktop_core/index.js module. The index[.]js file was responsible for stealing the Discord session token and collecting information about the victim. The catch: the attacker received this information, but a copy was also sent to hxxps[:]//panel[.]sordeal[.]com[:]3000/ using a POST request. After this was uncovered, the repository was deleted.\r\nIn early November 2023, Sordeal posted a message on their Telegram channel announcing the launch of Malicord, a free version of their infostealer. Interestingly, they were asking for stars on the repository in exchange for free trials. Two weeks later, that repository was deleted too, indicating that it might also have been dual-hooked to collect a copy of the stealer logs. In this report, we discuss the behavior of their full-version infostealer, known as Nova.\r\nKEY FINDINGS\r\n1. Sordeal has been active since early 2023, but we have observed heightened activity since September.\r\n2. Free key giveaways for the full version of Nova are attracting a lot of black hats.\r\n3. The developers specialize in incorporating anti-forensic and defense evasion techniques in their malware.\r\n4. The developers are adept with JavaScript and use the open-source Electron framework for certain malware utilities.\r\n5. The malware relies on AutoIt to call Windows APIs, something that is common to numerous other malware families seen of late.\r\n6. The malware interestingly targets ICQ, a messenger commonly used in Russian-speaking countries.\r\nBehavior Analysis\r\nThe sample is packed with an NSIS (Nullsoft Scriptable Install System) based crypter. Once executed, the sample drops app-64.7z in the temp directory, unzips the archive and then executes the file inside the archive, named win32snapshot.exe. This file then downloads AutoIt, the Microsoft Visual C++ Redistributable and Java.\r\nWhile the Microsoft Visual C++ Redistributable and Java are code dependencies, AutoIt deserves a closer look. The language was developed to automate actions in a Windows environment, meaning a user can select windows, move the mouse, click buttons and so on; however, AutoIt can also work at a lower level and call any Windows API via its DllCall() function. This makes it a lucrative option for threat actors.\r\nThe malware tries to load missing DLLs and creates processes in suspended mode for code injection.\r\nThe malware uses utilities like wmic to gather various system information, including logical disk size, total physical memory, CPU information, UUID etc.\r\nThe malware checks the public IP address of the machine, indicating an attempt to fingerprint victims.\r\nThe registry contains crucial information about the system, including configuration settings. The malware may be looking for specific values to adapt its behavior based on the system it infects.\r\nThe first command, querying BackupProductKeyDefault, suggests an interest in the backup product key related to software protection. Malware might attempt to extract and exfiltrate product keys for unauthorized use or resale.\r\nThe second command, querying ProductName, retrieves the product name associated with the Windows installation. This information can be useful for the malware to profile the target system.\r\nThe malware uses cmd.exe and PowerShell to interact with the registry extensively. It queries and modifies registry keys related to the system for persistence and configuration.\r\nNotable Registry Modifications:\r\nThis key is within the “ROOT\\Certificates” branch of the Windows Registry. The name of the added value is “Blob,” suggesting that binary data (a binary blob) is being stored in this registry entry.\r\nThis indicates the installation of a root certificate by the malware, which would allow an attacker to masquerade malicious files as validly signed components from any entity (for example, Microsoft). It could also allow an attacker to intercept and decrypt SSL/TLS traffic.\r\nAmongst many other registry changes, win32snapshot[.]exe (md5: 13639e7f3707d05d90798d21d404eccc) sets the “Circular Kernel Context Logger” registry key value to “0”.\r\nAs a result, events related to kernel-mode operations, system calls, and other low-level activities will no longer be recorded. It is important to highlight that security software often relies on kernel-level logging to detect and respond to abnormal or malicious activities, and disabling the Circular Kernel Context Logger reduces visibility into these activities.\r\nThe malware drops Update[.]exe (a renamed copy of win32snapshot[.]exe) into the startup folder, indicating an attempt to achieve persistence.\r\nWhen the previous technique is combined with the malware’s ability to place itself in the startup directory, it enables the malware to maintain persistence on the infected system without leaving a trace in the kernel-level logs.\r\nThe malware uses this open-source utility to capture a screenshot of the target machine.\r\nThe malware targets multiple browsers, including the most widely used: Edge, Chrome and Firefox.\r\nAdditionally, the malware invokes reg.exe to harvest information related to WinSCP, targeting stored sessions and passwords.\r\nThe Chrome configuration is stored in the local AppData directory in a file called “Local State”. This configuration contains an entry called “os_crypt,” which has a sub-entry called “encrypted_key.” The “encrypted_key” is used by Chrome to encrypt saved login data. Below we can see that the malware tries to access it.\r\nIt abuses the built-in Windows Data Protection Application Programming Interface (DPAPI) to perform the decryption. The .NET ProtectedData class wraps this API and exposes two methods: “Protect” and “Unprotect.” The infostealer passes a byte array of the encrypted data to “Unprotect,” which returns a byte array of decrypted data.\r\nAfter decryption, the malware creates a folder in the temp directory and dumps all the decrypted information into the respective files.\r\nRECENT DEVELOPMENTS\r\nThe threat actor recently created a new repository to enhance and test the injection features of Nova. Injection typically refers to the act of injecting code into, or manipulating the memory space of, a running application.\r\nBased on the (under development) source code, it is expected that Nova will soon be able to (with respect to Discord injection) notify the threat actor when victims log in or log out, change their password or email address, disable 2FA and steal backup recovery codes, and send the user’s complete credit card details to the attacker.\r\nIn addition to Discord injection, the MaaS operators are also working on adding capabilities that will enable the malware to inject malicious code into crypto wallets such as Exodus and Atomic. Below is what an attacker using Nova would see at their end.\r\nEXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM)\r\nRecently, we have observed two repositories gaining traction amongst threat actors; one contains the builder for Nova Sentinel (the paid version), and the other is a builder for an information stealer provided at no cost. The MaaS operators have been using GitHub, like many other malware developers out there.\r\nThe builder needs a key to run, and the MaaS operators share free keys quite often.\r\nNeedless to say, this is gaining a lot of traction amongst black hats, who have the motivation but lack the funds.\r\nCONCLUSION\r\nThe MaaS operators behind Nova demonstrate a high level of sophistication, employing advanced techniques in their malware. Nova’s continuous development, coupled with the distribution of free keys, is music to the ears of a black hat. Organizations must enhance their threat detection capabilities and fortify defenses against escalating threats to browser security, credential theft, and potential incursions into cryptocurrency wallets. Continuous vigilance and proactive intelligence sharing are crucial in mitigating the risks posed by Nova and similar emerging threats.\r\nAPPENDIX\r\nIOCs\r\nNo. | Indicator (SHA256) | Filename(s)\r\n1 | Caad50dec67d247a242d62b30d39ef7e51a9febea387b74a53d405bce73b990c | MOOX92zb72.exe, Obvious.exe\r\n2 | 846a3dbd8e7f850a5495dca3ded6855434c05643c898929a103007d182f68b78 | app-64.7z\r\n3 | d7709e361a9ec30527514b69b6084606161e35beaeb532ebe339445901549336 | Win32snapshot.exe, Update.exe\r\n4 | 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37 | elevate.exe\r\nMITRE Mapping\r\nSIGMA RULE\r\ntitle: Detection of Nova Malware Execution\r\nstatus: experimental\r\ndescription: Detects the execution and persistence mechanism of the Nova malware.\r\nauthor: CYFIRMA_RESEARCH\r\ndate: 2023-11-29\r\nlogsource:\r\n    product: windows\r\n    category: registry_set\r\ndetection:\r\n    selection_image:\r\n        Image:\r\n            - '*\\win32snapshot.exe'\r\n            - '*\\Update.exe'\r\n            - '*\\7za.exe' # Assuming 7-Zip executable name, adjust if needed\r\n    selection_key:\r\n        # Sysmon records the hive as HKLM, so match on the path below the hive\r\n        TargetObject|contains: '\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates'\r\n    condition: selection_image and selection_key\r\nfalsepositives:\r\n    - Legitimate changes to the specified registry key.\r\nlevel: high\r\nRECOMMENDATIONS\r\nStrategic Recommendations:\r\nImplement Defense-in-Depth Strategy: Develop a comprehensive defense strategy that combines network segmentation, robust perimeter defenses, and endpoint security to create multiple layers of protection against such threats.\r\nInvest in Threat Intelligence: Engage with threat intelligence services to stay informed about the evolving tactics, techniques, and procedures employed by MaaS operators. Regularly update defenses based on the latest threat intelligence to enhance proactive detection capabilities.\r\nEnhance Employee Training: Conduct regular cybersecurity training programs to educate employees about phishing threats, social engineering, and safe browsing practices. Building a security-aware culture can significantly reduce the likelihood of successful infostealer infections.\r\nTactical Recommendations:\r\nUpdate and Patch Systems: Regularly update and patch operating systems, software, and applications to address vulnerabilities that malware like Nova exploits. Automated patch management tools can streamline this process and minimize the attack surface.\r\nUtilize Advanced Endpoint Protection: Deploy advanced endpoint protection solutions that incorporate behavioral analysis, heuristic detection, and threat intelligence to identify and mitigate the specific techniques employed by Nova. Ensure these solutions are regularly updated with the latest detection rules, such as the one given in this report.\r\nImplement Application Whitelisting: Restrict the execution of unauthorized applications by implementing application whitelisting. This helps prevent the execution of unknown or malicious binaries, hindering Nova’s ability to run on endpoints.\r\nManagement Recommendations:\r\nDevelop an Incident Response Plan: Establish a robust incident response plan that outlines clear procedures for identifying, containing, eradicating, and recovering from a Nova infection. Regularly test and update the plan to ensure effectiveness.\r\nConduct Regular Security Audits: Perform periodic security audits to assess the effectiveness of existing security controls, identify potential weaknesses, and validate the organization’s overall security posture. Use the findings to make informed adjustments and improvements.\r\nCollaborate with Industry Peers: Engage in information sharing and collaboration with industry peers, cybersecurity communities, and relevant authorities. Sharing threat intelligence and best practices can enhance collective resilience against emerging threats like Nova.\r\nSource: https://www.cyfirma.com/outofband/emerging-maas-operator-sordeal-releases-nova-infostealer/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cyfirma.com/outofband/emerging-maas-operator-sordeal-releases-nova-infostealer/"
	],
	"report_names": [
		"emerging-maas-operator-sordeal-releases-nova-infostealer"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434708,
	"ts_updated_at": 1775791198,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0c347dc457bbb69bb3f296c4a72f70325936d902.pdf",
		"text": "https://archive.orkl.eu/0c347dc457bbb69bb3f296c4a72f70325936d902.txt",
		"img": "https://archive.orkl.eu/0c347dc457bbb69bb3f296c4a72f70325936d902.jpg"
	}
}