Multiple Russian cybersecurity firms have published research reports on emerging threats, including a large-scale information-stealing campaign targeting local organisations using the Nova malware.
According to a report from Moscow-based BI.ZONE, Nova is a commercial malware sold as a service on dark web marketplaces. Prices range from $50 for a monthly license to $630 for a lifetime license. Nova is a variant of SnakeLogger, a widely used malware known for stealing sensitive information.
While the developers of Nova remain unidentified, the code contains strings in Polish, and a Telegram group dedicated to promoting and supporting the malware was created in August 2024. The scale of the campaign and the full extent of its impact on Russian organisations remain unclear.
The BI.ZONE report comes at a time when Russian entities have been under increasing cyberattacks, many of which are suspected to be politically motivated and linked to state-sponsored groups.
Over the weekend, F.A.C.C.T. reported a cyberespionage campaign targeting chemical, food, and pharmaceutical companies in Russia, attributing the attacks to a state-backed group named Rezet (or Rare Wolf). Meanwhile, Solar reported an attack on Russian industrial facilities by the newly identified group APT NGC4020, which exploited a vulnerability in a SolarWinds tool.
The Nova malware collects a wide range of data, including saved authentication credentials, keystrokes, screenshots, and clipboard content. This stolen data can be used in a variety of malicious activities, such as facilitating ransomware attacks. The malware is distributed through phishing emails, often disguised as contracts, to trick employees in organisations that handle high volumes of email correspondence.