{
  "name": "Blast from the Past",
  "slug": "blast-from-the-past",
  "description": "A large-scale campaign targeting Russian organizations across various industries has been detected. The attackers are using the NOVA stealer, a commercial fork of SnakeLogger, distributed via phishing emails disguised as contract archives. NOVA, marketed as Malware-as-a-Service, is capable of stealing credentials, capturing keystrokes, taking screenshots, and extracting clipboard data. The malware gains persistence through the Windows Task Scheduler and injects itself into a spawned child process. Data exfiltration is performed via SMTP. The campaign highlights the growing threat posed by stealers and the potential for harvested data to be reused in future targeted attacks.",
  "published": "2025-02-05T01:45:07+00:00",
  "created_at": "2025-02-05T01:45:07+00:00",
  "modified_at": "2025-02-05T10:17:43+00:00",
  "created_at_opencti": "2025-02-05T01:45:07+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-02-05",
    "credential-theft",
    "data exfiltration",
    "maas",
    "nova",
    "organizations",
    "persistence",
    "phishing",
    "russian",
    "snakelogger",
    "stealer"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "8004a9c84332b68b0a613a5de9dcf639e415feb14b3da926e164375f3c5a3609"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:61b33800bfb71a1d",
        "name": "SUPERNOVA - S0578",
        "slug": "supernova-s0578"
      },
      {
        "id": "legacy:malware:cba5be4a5a8ce143",
        "name": "SnakeLogger",
        "slug": "snakelogger"
      }
    ],
    "attack_patterns": [
      {
        "id": "b55f705d-087e-4929-96da-a925e5f186fc",
        "name": "T1564.004"
      },
      {
        "id": "741a926d-4157-412c-9296-f701c8dbd56d",
        "name": "T1027.003"
      },
      {
        "id": "5e6e1a36-257a-44cf-91f7-e35961f1e12a",
        "name": "T1071.003"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "f4a450ef-8297-42e5-9e47-01162138baa2",
        "name": "T1115"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "93b2c4dd-5523-4464-8976-78754ee372fd",
        "name": "T1012"
      },
      {
        "id": "667462db-9031-48eb-893a-05d35f9330a7",
        "name": "T1056.001"
      },
      {
        "id": "8e0fea81-4d54-4e88-a7dd-3aa8b26558ed",
        "name": "T1113"
      },
      {
        "id": "7364ca96-72bf-4b7f-afef-ce2583b1ed58",
        "name": "T1562.001"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Russian Federation"
      }
    ]
  },
  "external_refs": [
    "https://otx.alienvault.com/pulse/67a2d0b3a1f8de6186f2349d"
  ]
}