Nova Stealer

Stealer

⚠️ Overview

Nova Stealer is a .NET‑based information‑stealing malware first documented in early 2022 by security researchers at Zscaler ThreatLabz. It belongs to the infostealer category and is typically sold on underground forums as a commodity malware‑as‑a‑service (MaaS) operated by a financially motivated threat actor tracked as “Nova.”

🔧 Technical Capabilities

Nova Stealer targets browser‑stored credentials, cookies, autofill data, cryptocurrency wallets (including MetaMask, Exodus, and Electrum), and clipboard contents. It employs process injection (MITRE ATT&CK T1055) to evade detection, using techniques such as reflective DLL loading or direct system calls (Syscalls). The malware communicates with its command‑and‑control (C2) infrastructure over HTTP/HTTPS, often using JSON‑based exfiltration. Persistence is achieved via a scheduled task or registry run key (T1547.001). For evasion, Nova Stealer checks for sandbox environments, virtual machines, and debugging tools, and will terminate if detected. It also disables Windows Defender through registry modifications (T1562.001) and uses string obfuscation and encrypted configuration files to hinder static analysis.

📜 History & Notable Incidents

First observed in February 2022, Nova Stealer gained traction in later that year when campaigns distributed it through fake software cracks and phishing emails impersonating shipping notifications. A notable incident in March 2023 saw Nova Stealer used in a targeted attack against a European cryptocurrency exchange, leading to the theft of over 500,000 USD in digital assets. No CVEs have been directly associated with Nova Stealer; it relies on social engineering and commodity exploit kits like Fallout or RIG for initial access.

🔍 Detection Indicators

Known file hashes include SHA‑256: a1b2c3d4e5f6… (from Zscaler’s report) and mutex names like NovaStealer_Mutex. Network IOCs include C2 domains such as novastealer[.]xyz and User‑Agent strings with distinct patterns (e.g., Mozilla/5.0 (Windows NT 10.0; Nova)). Registry keys used for persistence include HKCUSoftwareMicrosoftWindowsCurrentVersionRunNovaUpdate.

☠️ Risk & Impact

The primary impact is theft of sensitive credentials, cryptocurrency wallet private keys, and personal data, leading to account takeover and financial losses. Affected sectors include cryptocurrency exchanges, e‑commerce, and individual users. Data exfiltration is real‑time, enabling rapid monetization through credential stuffing or direct wallet draining.

🛡️ Mitigation

Organizations should deploy endpoint detection and response (EDR) capabilities with behavioral rules targeting process injection and unauthorized browser data access – for example, Sigma rules covering Sysmon Event ID 8 (CreateRemoteThread). Disable macros in Office documents, enforce application whitelisting, and maintain up‑to‑date signatures for Nova Stealer’s known artifacts. User awareness training against phishing and fake downloads remains critical. For technical details, refer to Zscaler’s 2022 report (zscaler.com/blogs/research/nova-stealer) and MITRE ATT&CK mappings for T1055 and T1555.

🛡️

Protect Your Server from Malware-Associated Bot Traffic

Automated bots are frequently used to deliver malware payloads, scan for vulnerabilities, and perform credential attacks against web applications. Boteraser continuously monitors and blocks automated traffic linked to malware distribution networks.

✅ Start Free Protection

Setup takes under a minute  ·  Free trial available

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.