NOVA Stealer Targets Russian Companies in 2025

NOVA Stealer Attacks Russian Companies

In January 2025, BI.ZONE experts recorded numerous cyberattacks targeting Russian organizations across various sectors, including finance, retail, IT, government, transportation, and logistics. The attackers are stealing authentication data to sell it on underground forums. These attacks use the NOVA stealer—a modified version of the popular SnakeLogger malware.

Attack Methods and Distribution

Researchers report that cybercriminals distribute the stealer through phishing emails whose attachments pose as archives containing contracts. Campaigns of this kind typically rely on double file extensions and familiar Word or PDF icons so that the attachment looks like a harmless document and its true nature as an executable stays hidden.

However, in the case of NOVA, hackers do not try to disguise the attachment as a legitimate document. They simply give the file a plausible name (like “Contract.exe”), relying more on mass distribution and the inattention of employees who regularly handle large volumes of emails, rather than on sophisticated phishing techniques.

How NOVA Stealer Works

Once unpacked and installed on a system, the stealer collects saved authentication data, logs keystrokes, takes screenshots, and extracts data from the clipboard. In the sample analyzed by experts, the exfiltration of stolen data was carried out via SMTP.

Figure: NOVA extracts data from Mozilla Firefox

After launch, the malicious file decrypts data hidden using steganography from resources named “zabawa2.” It then copies itself under a different name to the AppData\Roaming directory and uses PowerShell to add itself to Microsoft Defender’s exclusion list.

To maintain persistence on the compromised system, the malware uses the Windows Task Scheduler.
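The behaviour described above (a copy dropped under AppData\Roaming, a PowerShell call that adds that path to Defender's exclusions, and a scheduled task pointing at it) leaves traces in PowerShell script block logs and process-creation telemetry. The following hunting snippet is an added example, not code from BI.ZONE or from the article; the event records are constructed, and the file name, task name and user name in them are placeholders.

```python
import re

# Constructed sample telemetry (not from the article): PowerShell script block
# log entries (Event ID 4104) and Sysmon process-creation entries (Event ID 1).
SAMPLE_EVENTS = [
    {"id": 4104, "text": 'Add-MpPreference -ExclusionPath "C:\\Users\\ivan\\AppData\\Roaming\\svchost32.exe"'},
    {"id": 1, "text": 'schtasks.exe /create /tn "Updater" /tr "C:\\Users\\ivan\\AppData\\Roaming\\svchost32.exe" /sc minute /mo 5'},
    {"id": 4104, "text": 'Get-ChildItem C:\\Temp | Measure-Object'},
    {"id": 1, "text": 'schtasks.exe /create /tn "Backup" /tr "C:\\Program Files\\Backup\\backup.exe" /sc daily'},
]

# A path under the per-user Roaming profile, which is where the article says NOVA copies itself.
ROAMING = re.compile(r"appdata\\roaming\\", re.IGNORECASE)
# Add-MpPreference with any of its exclusion parameters (real Defender cmdlet and parameters).
DEFENDER_EXCL = re.compile(r"add-mppreference\s+.*-exclusion(path|process|extension)", re.IGNORECASE)
# schtasks /create, the CLI route to the Task Scheduler persistence the article mentions.
SCHTASK_CREATE = re.compile(r"schtasks(\.exe)?\s+.*/create\s", re.IGNORECASE)


def classify(event):
    """Return the list of rule labels one event triggers; an empty list means no match."""
    text = event["text"]
    findings = []
    if DEFENDER_EXCL.search(text) and ROAMING.search(text):
        findings.append("defender-exclusion-in-roaming")
    if SCHTASK_CREATE.search(text) and ROAMING.search(text):
        findings.append("scheduled-task-from-roaming")
    return findings


def hunt(events):
    """Return (event index, labels) for every event that matched at least one rule."""
    results = []
    for i, event in enumerate(events):
        labels = classify(event)
        if labels:
            results.append((i, labels))
    return results


if __name__ == "__main__":
    for idx, labels in hunt(SAMPLE_EVENTS):
        print(idx, labels)
```

Both rules key on the Roaming path so that routine administrative use of Add-MpPreference or schtasks against program directories does not fire.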

Background and Pricing

NOVA is a fork of another stealer, SnakeLogger, and appeared for sale on Telegram in August 2024, distributed under a malware-as-a-service model. The price is $50 per month or $630 for a lifetime license. The developer also offers a cryptor to protect the malware from detection, starting at $60 per month and up to $150 for three months of use.

Expert Commentary

“Attackers often create copies of well-known malware and change its characteristics to bypass modern security tools. This is what happened with the popular SnakeLogger, which is used in 23% of stealer attacks. Cybercriminals modified it and created the NOVA fork. The new tool differs from its predecessor: thanks to code optimization and updated architecture, NOVA is harder to detect with traditional security solutions,” commented Oleg Skulkin, Head of BI.ZONE Threat Intelligence.
