Blast from the Past
Essential information
- Published
- 05/02/2025 02:45
- Modified
- 05/02/2025 11:17
- Tags
- 2025-02-05 credential-theft data exfiltration maas nova organizations persistence phishing russian snakelogger stealer
- Related entities
- 1 observables, 16 techniques (mitre), 2 malware, 1 others
Description
A large-scale campaign targeting Russian organizations across multiple industries has been detected. The attackers use NOVA stealer, a commercial fork of SnakeLogger sold as Malware-as-a-Service, delivered through phishing emails whose attachments are disguised as contract archives. NOVA steals stored credentials, logs keystrokes, takes screenshots and captures clipboard contents. It establishes persistence through a Windows Task Scheduler task and injects itself into a child process that it spawns. Harvested data is exfiltrated over SMTP. The campaign underlines the growing threat posed by stealers and the risk that harvested data is reused in later targeted attacks.
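The three behaviours the report names (a scheduled task for persistence, a dropped binary spawning a child process it then injects into, and exfiltration over SMTP) are each visible in ordinary Windows telemetry. The triage helper below is an added example written for this page, not code or detection logic from the report or the vendor; it assumes Sysmon process-creation (ID 1) and network-connection (ID 3) events plus Security event 4698 (scheduled task created) flattened into dicts with the field names used here. The sample events, paths, task name and IP address are constructed for the example and are not indicators from the campaign. The self-spawn heuristic (a binary in a user-writable directory launching a second copy of itself) and the mail-client allowlist are assumptions, not facts from the page.

```python
"""Triage of the behaviours described in the NOVA/SnakeLogger summary.

Added example, not from the original report. Assumed event layout:
dicts carrying Sysmon (EventID 1 and 3) and Security (EventID 4698) fields.
"""

# Assumption: mail clients expected to speak SMTP directly; everything else is suspect.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SMTP_PORTS = {25, 465, 587}
# Assumption: user-writable directories where a phishing attachment typically lands.
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\downloads\\")


def suspicious_path(path: str) -> bool:
    """True when the path points into a user-writable staging directory."""
    lower = path.lower()
    return any(d in lower for d in SUSPICIOUS_DIRS)


def image_name(image: str) -> str:
    """Basename of a Windows image path, lower-cased."""
    return image.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return (rule, detail) findings in event order."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 4698:
            # Persistence: scheduled task whose action runs from a staging directory.
            if suspicious_path(ev.get("TaskContent", "")):
                findings.append(("task_persistence", ev["TaskName"]))
        elif eid == 1:
            # Heuristic: binary in a staging directory spawning a copy of itself,
            # the usual prelude to injecting into that child.
            parent = ev.get("ParentImage", "")
            image = ev.get("Image", "")
            if suspicious_path(parent) and image.lower() == parent.lower():
                findings.append(("self_spawn_child", image))
        elif eid == 3:
            # Exfiltration: SMTP connection from a process that is not a mail client.
            port = int(ev.get("DestinationPort", 0))
            image = ev.get("Image", "")
            if port in SMTP_PORTS and image_name(image) not in MAIL_CLIENTS:
                detail = f"{image} -> {ev['DestinationIp']}:{port}"
                findings.append(("smtp_from_non_mail_client", detail))
    return findings


# Constructed sample telemetry (not real indicators): a dropped "contract" binary
# registering a task, re-spawning itself, and mailing data out; plus benign noise.
DROPPED = "C:\\Users\\ivan\\AppData\\Local\\Temp\\contract_2025.exe"
CONSTRUCTED_EVENTS = [
    {"EventID": 4698, "TaskName": "\\Updates\\ContractUpdate",
     "TaskContent": "<Exec><Command>C:\\Users\\ivan\\AppData\\Roaming\\contract_2025.exe</Command></Exec>"},
    {"EventID": 1, "Image": DROPPED, "ParentImage": DROPPED},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 3, "Image": DROPPED, "DestinationIp": "203.0.113.10", "DestinationPort": 587},
    {"EventID": 3, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\outlook.exe",
     "DestinationIp": "203.0.113.20", "DestinationPort": 587},
]


if __name__ == "__main__":
    for rule, detail in triage(CONSTRUCTED_EVENTS):
        print(f"{rule}: {detail}")
```

Run as a script it prints the three expected findings and stays silent on the benign notepad and Outlook events. In production the self-spawn rule needs tuning (installers and updaters legitimately re-launch themselves), and the SMTP rule should be fed from egress logs as well as endpoint telemetry so that a stealer using a non-standard port is still caught by the volume of outbound mail from an unexpected host.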