New year, new stealer: January starts with a large‑scale campaign targeting Russian companies

Adversaries employ NOVA stealer, a modified variant of SnakeLogger. The extracted credentials can be used by any threat cluster for targeted attacks against the compromised companies.
February 4, 2025

In January 2025, the BI.ZONE team recorded multiple attacks targeting Russian organizations across various industries, including finance, retail, IT, government, transportation, and logistics.

The threat actors have employed NOVA stealer, a commercial modification of SnakeLogger, to retrieve credentials, which are subsequently sold on underground websites.

Attackers often make copies of well‑known malware and configure it to get around even the most advanced security solutions. It’s the same with SnakeLogger, which is used in 23% of stealer attacks and has been modified into the NOVA fork. The new malware is a bit different from the previous iteration. The optimized code and revised architecture make NOVA harder to detect using conventional security tools.
Our research shows that 35% of this year’s most severe cybersecurity incidents in Russian organizations stem from unsafe password policies for administrative accounts.
Oleg Skulkin
Head of BI.ZONE Threat Intelligence

The stealer is disguised as a contract archive and distributed via phishing emails. The attackers generally employ double file extensions and familiar icons, such as those of Word or PDF files. As a result, victims may not realize that the file they open is, in fact, an executable.

The NOVA attachment, however, is not disguised with anything more than a plausible file name, such as Договор.exe. Instead of sophisticated masquerading techniques, threat actors rely on mass mailings and less attentive employees who routinely manage high volumes of emails.
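The masquerading described above (a document-like name ending in an executable extension, a double extension such as .pdf.exe, or an executable packed inside a contract archive) can be caught at the mail gateway before a user double-clicks it. The following Python is an added example written for this article, not BI.ZONE's code or the stealer's; the extension lists are illustrative assumptions, and the sample archive containing Договор.exe is constructed in memory with a placeholder payload so the check runs offline.

```python
import io
import zipfile
from typing import Dict, List

# Extensions Windows runs on double-click (assumption: illustrative, not exhaustive)
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs", "hta", "msi"}
# Extensions an employee expects on a "contract" attachment (assumption: illustrative)
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt"}


def name_findings(filename: str) -> List[str]:
    """Return the reasons an attachment name looks like a disguised executable."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    exts = base.lower().split(".")[1:]  # everything after the first dot
    findings: List[str] = []
    if not exts:
        return findings
    last = exts[-1]
    if last in EXECUTABLE_EXTS:
        findings.append(f"executable extension .{last}")
        # Double extension: a document extension right before the executable one
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
            findings.append(f"double extension .{exts[-2]}.{last}")
    return findings


def scan_attachment(filename: str, data: bytes) -> Dict[str, List[str]]:
    """Inspect the attachment name and, if it is a ZIP archive, every member name.

    Keys are the inspected names ("archive:member" for archive entries);
    values are the findings for that name (empty list when nothing is suspicious).
    """
    report = {filename: name_findings(filename)}
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if member.endswith("/"):  # directory entry, nothing to execute
                    continue
                report[f"{filename}:{member}"] = name_findings(member)
    return report


def is_suspicious(filename: str, data: bytes) -> bool:
    """True when any inspected name carries at least one finding."""
    return any(scan_attachment(filename, data).values())


def build_sample_archive() -> bytes:
    """Constructed sample: a 'contract archive' holding Договор.exe with a placeholder body."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Договор.exe", b"MZ placeholder (constructed, not a real binary)")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("Договор.pdf", b"%PDF-1.4 constructed"),
        ("Договор.exe", b"MZ placeholder"),
        ("Договор.pdf.exe", b"MZ placeholder"),
        ("Договор.zip", build_sample_archive()),
    ]
    for name, payload in samples:
        verdict = "SUSPICIOUS" if is_suspicious(name, payload) else "ok"
        print(f"{verdict:10} {name}")
        for inspected, reasons in scan_attachment(name, payload).items():
            for reason in reasons:
                print(f"           {inspected}: {reason}")
```

The check is deliberately name-based: it does not need to detonate the sample, and it flags the plain Договор.exe case as readily as the .pdf.exe one. An icon copied from Word or Adobe Reader is invisible at this layer, so the finding should be combined with content-type checks on the attachment itself rather than used as the only control.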

Once unpacked and injected into a system, the stealer retrieves saved credentials, captures keystrokes, takes screenshots, and extracts clipboard data.

The NOVA stealer has been marketed on Telegram since August 2024, priced at $50 for a 30‑day license or $630 for a lifetime license. The developer also offers a cryptor designed to prevent malware detection, with its price ranging from $60 for a 30‑day license up to $150 for a 90‑day license.

Cyber threat intelligence portals can be leveraged to monitor compromised corporate accounts on underground websites. For instance, the BI.ZONE Threat Intelligence portal can provide data on compromised accounts by a specific email address, an email domain, or a particular URL.