Beyond the Leak Blog: Investigating Nova’s Affiliate Network, Infrastructure, and Operations
Ransomware groups often leave behind more than victim names. Hidden behind leak sites and extortion notices is an ecosystem of infrastructure, communication channels, and services that keep the operation running long after a victim is posted online.
This investigation began while monitoring newly indexed ransomware activity through StealthMole. A recent victim listing attributed to NOVA drew attention to a group that, despite claiming more than a hundred victims, had received relatively little attention compared to many of its peers. Initial examination suggested NOVA was not an entirely new operation. Traces of an earlier identity appeared to remain scattered across the dark web, raising questions about how the group had evolved and what its infrastructure looked like behind the scenes.
Following those traces on StealthMole led far beyond the group's public leak site. What started as an effort to understand a ransomware operation gradually revealed a much broader network of interconnected services, recruitment activity, communication channels, and operational resources. Piece by piece, these discoveries provided a rare opportunity to examine how NOVA presents itself to affiliates, maintains its presence across underground communities, and supports the operation from within.
Incident Trigger and Initial Investigation
The investigation began on 2 June 2026 during routine monitoring of StealthMole's Ransomware Monitoring module. A newly indexed victim entry attributed to NOVA was identified on the group's dark web leak site. The listing named a France-based company operating in the rubber and plastics sector.
At first glance, the incident appeared to be a typical ransomware disclosure. However, further examination of the listing revealed that it was published through an active NOVA leak portal hosted at:
- nova*******************************************zyyd.onion
To better understand the scale of the operation behind the claim, the NOVA identifier was investigated through StealthMole's Ransomware Monitoring module. The results showed that the group had been associated with 122 victim listings between March 2025 and June 2026, indicating that this latest incident was part of a much broader campaign rather than an isolated event.
Additional analysis through StealthMole's Government Monitoring module identified six government-related victim listings between May 2025 and May 2026. The affected entities included organizations such as Badan Pangan Nasional, SECONT Secretaria de Controle e Transparência, and Pemerintah Kabupaten Bojonegoro, demonstrating that the group's targeting extended beyond private-sector organizations.
The volume of observed victims, combined with the presence of dedicated dark web infrastructure, suggested that NOVA was operating a mature ransomware ecosystem. This prompted a deeper investigation into the infrastructure, services, and operational resources supporting the group.
Tracing NOVA's Infrastructure
To better understand the operation behind the growing number of victim disclosures, the investigation shifted from victim monitoring to infrastructure analysis. Using StealthMole's Darkweb Tracker, the NOVA leak site was used as a starting point to identify related services and historical infrastructure.
- nova*******************************************zyyd.onion
The initial search uncovered several additional onion services associated with NOVA. While some of these domains remained active, others appeared to have been retired or replaced over time, suggesting that the group routinely maintained and rotated portions of its infrastructure.
- novamojnnc7n7brrnflr7evyrho2e5ynskicrjxuvhn5r6jjlxyjj4ad.onion
- rhhoh6nrrv25ks3adu3lgv3amkarj5xr2vrgau6bngeoa4dfusypaoqd.onion
- dcwrvp2r3omemjirpwlvaaunbkfebf46cw6mmeoh2mzpvo7k2fdkatid.onion
- novaf***********************************************nqid.onion
- pifk3**********************************************pdnyd.onion
- novak**********************************************tatqd.onion
- logom**********************************************sajid.onion
Several of these domains appeared to serve dedicated operational functions. For example, novak**********************************************tatqd.onion was identified as NOVA's "Department of Support", while pifk3**********************************************pdnyd.onion was associated with "Nova Clouds". Another domain, novaf***********************************************nqid.onion, hosted an "AI-Assist Agent" portal.
The presence of these services suggested that NOVA maintained infrastructure beyond a traditional leak site and raised questions about how the operation supported affiliates and managed day-to-day activities.
Inside NOVA's Affiliate Ecosystem
The discovery of NOVA's support and service infrastructure raised a key question: who were these resources built for?
To answer that question, the investigation shifted toward underground forums where ransomware operators commonly recruit affiliates, advertise services, and manage business relationships. This led to the discovery of multiple NOVA-related recruitment threads across several dark web communities.
One of the earliest findings was a thread titled "Nova 2.0 (Premium Program) | Katana Version | Ransomware as a Service" posted by the user ForLord on Darknet Army (DNA Forums). The advertisement described NOVA as a ransomware-as-a-service operation supporting Windows, Linux, NAS, FreeBSD, ESXi, and ARM-based systems. It also outlined a structured affiliate model in which participants were offered an 80/20 revenue split, increasing to 85/15 after five months and 90/10 after one year. Premium partners were promised a 95/5 split.
- http://darknet*********6yd.onion/threads/nova-2***********7
The thread provided one of the first indications that NOVA was operating as a structured service rather than a standalone ransomware group. Beyond the ransomware payload itself, affiliates were promised access to victim communication systems, support services, management tools, statistics dashboards, cryptocurrency payment management, and additional operational resources.
Further investigation uncovered another thread posted by ForLord titled "APIPN (Access-Provide-Investment-Nova Program)". Unlike traditional affiliate recruitment, this program focused on acquiring access to corporate environments. The advertisement specifically sought Citrix, Fortinet SSL VPN, SonicWall, RDWeb, RDP, SSH, Cisco, and VMware access, indicating that NOVA maintained a dedicated mechanism for sourcing potential intrusion opportunities.
- http://darknet******apipn-access******nova**********36/
The same thread introduced a Session identifier:
- 054f55ec*******************************************529c79
The affiliate ecosystem extended beyond recruitment. NOVA's infrastructure revealed a dedicated ticketing system that allowed users to submit support requests, manage cases, assign priorities, upload files, and communicate with administrators. Additional portals such as "Department of Support", "Nova Clouds", and the "AI-Assist Agent" suggested that NOVA had invested in building supporting services intended to assist affiliates throughout different stages of an operation.
Another notable discovery was NOVA's apparent interest in media engagement. On the RAMP4U forum, a user operating under the NOVA name published a thread seeking journalists and proposing information-sharing arrangements. The post claimed that organizations often concealed cyber incidents from customers and suggested that NOVA was interested in working with media contacts to distribute information about attacks and data leaks.
- https://ramp4u******looking-for-journalists***********3807
Collectively, these findings painted a picture of an operation that functioned less like a conventional ransomware crew and more like a service platform designed to attract, support, and retain affiliates through dedicated infrastructure and operational resources.
Following the Trail to RALord
While reviewing NOVA's recruitment activity, several recurring identifiers began appearing across multiple forum posts. Among them was the Session identifier:
- 054f55e*********************************************529c79
as well as the TOX ID:
- 8E9A619**********************************************51BE6A51F
Both artifacts appeared repeatedly across NOVA-related recruitment threads, affiliate advertisements, and operational discussions. To determine whether these identifiers were linked to additional infrastructure, the TOX ID was investigated through StealthMole's Darkweb Tracker.
The search produced two previously unidentified onion domains:
- ralord3htj7v2dkavss2hjzviviwgsf4anfdnihn5qcjl6eb5if3cuqd.onion
- ralordt7gywtkkkkq2suldao6mpibsb7cpjvdfezpzwgltyj2laiuuid.onion
Unlike the NOVA-branded services discovered earlier, both domains prominently referenced the RALord name. Examination of the portals revealed notices informing visitors that the operation was no longer operating under the RALord brand. One notice stated that the group's business name had been changed to NOVA and directed users toward replacement infrastructure.
The migration notice also referenced several NOVA-branded services, including:
- novav75*********************************************yqyd.onion
- novavag*********************************************7cad.onion
- novavdi*********************************************czqd.onion
The presence of these links suggested that existing victims and affiliates were being redirected from legacy RALord infrastructure to newly established NOVA services.
Further investigation uncovered another NOVA-related domain:
- nova4oxpwwkuah7mayn62kp2sg3venrl3qwmhm3jcan47c22m6l4apad.onion
The service was identified as a login portal titled "Nova Panel | Login", providing additional evidence that the transition involved not only public-facing branding but also operational infrastructure used by the group.
These findings established a direct infrastructure link between RALord and NOVA. Rather than relying solely on external reporting or forum claims, the relationship could be observed through the group's own migration notices, shared infrastructure, and interconnected services discovered during the investigation.
Mapping NOVA's Operational Infrastructure
The discovery of the RALord migration notice raised another question: how extensive was NOVA's infrastructure beyond the domains already identified?
To answer this, additional pivots were performed on NOVA-related infrastructure through StealthMole's Darkweb Tracker. The results revealed a significantly larger ecosystem consisting of dedicated communication portals, management panels, and leak platforms.
Several domains appeared to function as communication portals or negotiation environments:
- chat64z5v4pblqo7qk4jtg2i3ukdyvjjavfyh4jnsftqer4juwnekwid.onion
- novafxmwxv53u3qbfaljahls5yrvpxqckhsh6bjbsj3wgo3fltreyuid.onion
- noval3kb6snxuofmqmw2we3cvzci2tfknurgxi7gdyet55xh6zhno5id.onion
- novaeogps7purkdhxmaymmnanqiwtqf3r3iu3we4khkzwegkoefbxnyd.onion
- vctmkrlntkd4fx2h5rk5lyyg6fzar2u4626gy6ywszgca74utzphkjqd.onion
- novatd4577pzlvdyy42slydhrhru7fpcflbbxlajcmbfrgzyeis6d3id.onion
In parallel, multiple domains were identified as panel infrastructure:
- raaskpzmkcoraswmzotjkzplq3aw6mcbogvd5uzbgsnhqb7az3ax2qid.onion
- novazzitmugtbjwuttc5hhsemkmvwh3iyt27oeeunu5mkw62qpfeykid.onion
- nova25eabfdep76t52dt34n2qdrhrn7vxuaeitcy5x2ovxnut767bwid.onion
- npnlc7i2mxnngj6angcj5pwesbaapksstqqez2qmtgmimezcpo4haryd.onion
- nova5cr2op6uo73korzmzkvil2btj3erjaujwtbbvtpko3yx7ivq3myd.onion
The investigation also identified several domains dedicated to leak publication and public-facing content:
- vctmy3tytuah2offux4bixzunh53pnepsnsrr2hly6blpgiewqodnzad.onion
- leak7y2247fj7dbb35rpfyxuyaqtwbshiwxp6h35ttzlhrxmhvi4fead.onion
- novaoddh3vxylxqpsfdjprliknbzgbkv6nkazpzu3cvykrgpyzuywryd.onion
- novag4k2te3mstt2xq5irywlpaw6edgkpiwgg4t2q7eecisj2qqtvbid.onion
- novaxtychr6ohlc4zr5its73p6i7unpuhpwoodtzrg2y4w4seytatlid.onion
- novad**********************************************uzyyd.onion
Rather than relying on a single portal, NOVA appeared to separate operational functions across multiple services. The infrastructure identified during the investigation suggests a deliberate division between public-facing leak resources, communication environments, and management systems. Such separation can provide operational flexibility, allow individual services to be replaced when necessary, and reduce reliance on any single domain. One caveat applies when grouping these domains: the recurring "nova" prefix is a vanity prefix, and a four- or five-character prefix for a v3 onion address can be brute-forced in minutes on commodity hardware with generators such as mkp224o. A shared prefix is therefore branding, not evidence of common ownership on its own; the linkage in this investigation rests on the migration notices, shared contact identifiers, and cross-referenced portals rather than on the address prefixes.
The growing number of interconnected domains also reinforced a pattern observed throughout the investigation: NOVA was operating an ecosystem of services rather than a standalone leak site. Each newly discovered portal contributed another piece to a broader infrastructure designed to support the group's ongoing operations.
Identifying Communication and Financial Infrastructure
As the investigation expanded across recruitment posts, affiliate resources, and infrastructure portals, several recurring identifiers emerged that helped connect different parts of the NOVA ecosystem.
Among the most frequently observed artifacts was the Session identifier:
- 054f55********************************************29f9529c79
The identifier appeared across multiple NOVA-related recruitment posts and operational resources, making it one of the most consistent artifacts identified during the investigation. A Session ID is 66 hexadecimal characters: a 05 prefix byte followed by a 32-byte public key, which is consistent with the 05 prefix of the value observed here.
Another recurring communication artifact was the TOX ID:
- 8E9A619********************************************1F
The identifier appeared in both recruitment and infrastructure-related discoveries and ultimately served as a pivot point leading to legacy RALord infrastructure. A Tox ID is 76 hexadecimal characters: a 32-byte public key, a 4-byte "nospam" value, and a 2-byte checksum. Because a user can regenerate the nospam value and obtain a new Tox ID for the same key, the first 64 characters (the public key) are the stable pivot when comparing Tox IDs across posts.
Additional communication artifacts included two PGP key fingerprints associated with NOVA-branded identities:
- 59742**************************220
Associated email:
- no***********1@onionmail.org
and
- 27AC**************************A5A
Associated email:
- nova@ra********.onion
The repeated appearance of these communication channels across NOVA-related resources suggests that they were intended to facilitate interaction between the operation and its affiliates, partners, or victims.
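The onion addresses listed in the infrastructure sections and the Session and Tox identifiers above are all self-checking to some degree, and it is worth validating them before they are ingested as indicators or pivoted on. The following is an added example, not StealthMole's code or tooling: it checks that a v3 onion address carries the correct SHA3-256 checksum for its embedded key (so copy errors and redacted placeholders such as "nova***...zyyd.onion" are rejected), that a Session ID has the 05 prefix byte and 33-byte length, and that a Tox ID's trailing checksum matches its key and nospam bytes. The key, nospam value, and redacted string used as sample input are constructed for the example; none of them are the page's real identifiers. It passes a raw string through all three checks and labels it, which generalises the page's hand-classified lists to any feed of mixed indicators.

```python
"""Format checks for dark-web IOCs before they are pivoted on or ingested.

Added example; not StealthMole's code. All sample values are constructed.
  - v3 .onion: 56 base32 chars = 32-byte ed25519 key + 2-byte checksum + 0x03,
    checksum = SHA3-256(".onion checksum" || key || 0x03)[:2]  (Tor rend-spec-v3)
  - Session ID: 66 hex chars = 0x05 prefix byte + 32-byte public key
  - Tox ID: 76 hex chars = 32-byte key + 4-byte nospam + 2-byte XOR checksum
"""
import base64
import hashlib

ONION_V3_VERSION = b"\x03"
B32_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"


def onion_v3_checksum(pubkey: bytes) -> bytes:
    return hashlib.sha3_256(b".onion checksum" + pubkey + ONION_V3_VERSION).digest()[:2]


def build_onion_v3(pubkey: bytes) -> str:
    """Encode a 32-byte ed25519 public key as a v3 onion hostname."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + onion_v3_checksum(pubkey) + ONION_V3_VERSION  # 35 bytes -> 56 base32 chars
    return base64.b32encode(raw).decode().lower() + ".onion"


def is_valid_onion_v3(host: str) -> bool:
    """True only for a 56-char v3 address whose embedded checksum matches its key."""
    label = host.strip().lower()
    if not label.endswith(".onion"):
        return False
    label = label[: -len(".onion")]
    if len(label) != 56 or any(c not in B32_ALPHABET for c in label):
        return False  # redacted report entries and 16-char v2 names stop here
    raw = base64.b32decode(label.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    return version == ONION_V3_VERSION and checksum == onion_v3_checksum(pubkey)


def is_valid_session_id(sid: str) -> bool:
    """Session IDs: 33 bytes hex-encoded, first byte is the 0x05 prefix."""
    sid = sid.strip().lower()
    if len(sid) != 66:
        return False
    try:
        return bytes.fromhex(sid)[0] == 0x05
    except ValueError:
        return False


def tox_checksum(data: bytes) -> bytes:
    """toxcore address_checksum: XOR even-position bytes into lane 0, odd into lane 1."""
    lanes = [0, 0]
    for i, b in enumerate(data):
        lanes[i % 2] ^= b
    return bytes(lanes)


def build_tox_id(pubkey: bytes, nospam: bytes) -> str:
    """Tox ID = pubkey (32) || nospam (4) || checksum (2), upper-case hex."""
    if len(pubkey) != 32 or len(nospam) != 4:
        raise ValueError("pubkey must be 32 bytes and nospam 4 bytes")
    body = pubkey + nospam
    return (body + tox_checksum(body)).hex().upper()


def is_valid_tox_id(tox_id: str) -> bool:
    """True if the 76-hex Tox ID carries a checksum matching its key+nospam."""
    tox_id = tox_id.strip()
    if len(tox_id) != 76:
        return False
    try:
        raw = bytes.fromhex(tox_id)
    except ValueError:
        return False
    return raw[36:38] == tox_checksum(raw[:36])


def tox_pubkey(tox_id: str) -> str:
    """The 64-hex public key: the stable pivot, since a user can rotate the nospam."""
    return tox_id.strip().upper()[:64]


def classify_ioc(value: str) -> str:
    """Return 'onion_v3', 'session', 'tox' or 'unknown' for one raw indicator string."""
    if is_valid_onion_v3(value):
        return "onion_v3"
    if is_valid_session_id(value):
        return "session"
    if is_valid_tox_id(value):
        return "tox"
    return "unknown"


# Constructed sample inputs (deterministic stand-in key; not the page's values).
SAMPLE_KEY = bytes(range(32))
SAMPLE_ONION = build_onion_v3(SAMPLE_KEY)
SAMPLE_SESSION = "05" + SAMPLE_KEY.hex()
SAMPLE_TOX = build_tox_id(SAMPLE_KEY, b"\xde\xad\xbe\xef")
REDACTED_ONION = "nova*******************************************zyyd.onion"  # as copied from a report

if __name__ == "__main__":
    for ioc in (SAMPLE_ONION, SAMPLE_SESSION, SAMPLE_TOX, REDACTED_ONION):
        print(f"{classify_ioc(ioc):9s} {ioc}")
```

A passing checksum only says the string was transcribed correctly; it says nothing about who controls the service or key. For Tox IDs, deduplicate on `tox_pubkey()` rather than the full ID, since two IDs with the same first 64 characters belong to the same keypair even if the nospam and checksum differ.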
The investigation also identified cryptocurrency payment addresses advertised within NOVA infrastructure.
Bitcoin:
- 1D1T********************ehY
The wallet was identified through NOVA infrastructure and subsequently investigated using StealthMole's Crypto Tracker.
StealthMole associated the address with a FixFloat user wallet, revealing a transaction path involving:
- bc1qn************************qfw
Further examination of blockchain activity showed that the wallet received and sent approximately 0.0207 BTC between June and July 2025. Transaction activity consisted of multiple small deposits and withdrawals rather than a single large transfer, suggesting routine operational use rather than long-term storage. At the time of analysis, the wallet maintained a negligible remaining balance, indicating that funds were regularly moved out after receipt.
Ethereum:
- 0x7d8***********************5e26
StealthMole's Crypto Tracker identified transactional relationships between the address and infrastructure associated with Kraken Exchange.
Blockchain analysis revealed a single inbound transaction of:
- 0.000185229575715313 ETH
originating from:
- 0xD028******************************DAf
The wallet contained no significant accumulated balance and showed limited observable activity. While the transaction volume was minimal, the association with exchange-linked infrastructure provided an additional data point connecting NOVA-related payment infrastructure to external cryptocurrency services.
Monero:
- 45E8RxB*********************************************FbuMh
While these observations do not establish ownership of exchange accounts, they demonstrate that the identified wallets were active and interacting with external cryptocurrency services. Deposit addresses at exchanges and swap services are typically shared hot-wallet infrastructure, so such a link identifies the service involved, not the account holder.
Overall, these artifacts provided another layer of visibility into NOVA's operations. Beyond domains and recruitment activity, the investigation uncovered a collection of communication channels and financial identifiers that repeatedly surfaced throughout the group's infrastructure and affiliate ecosystem.
Conclusion
What began with a single victim listing ultimately revealed a much broader ransomware ecosystem operating behind the NOVA name. Through a combination of ransomware monitoring, infrastructure analysis, dark web tracking, and cryptocurrency investigation, it was possible to move beyond public victim disclosures and examine the operation from the inside out.
The investigation identified an operation that had accumulated more than one hundred victim listings while maintaining a diverse collection of supporting infrastructure. Dedicated leak portals, communication services, management panels, support resources, cryptocurrency payment channels, and affiliate-facing services all pointed toward an organized ransomware-as-a-service model rather than an isolated threat actor.
Analysis of historical infrastructure further revealed a direct connection between NOVA and the earlier RALord branding. Migration notices discovered on legacy onion services provided evidence of a transition between the two identities and offered insight into how the operation evolved over time.
Perhaps most notably, the investigation exposed elements of NOVA's affiliate ecosystem that are rarely visible through victim disclosures alone. Recruitment campaigns, access acquisition initiatives, support resources, and operational tooling demonstrated how the group sought to attract and retain participants while expanding its reach across underground communities.
These findings show that NOVA's presence extends well beyond its public leak site. The operation appears to function as a structured ecosystem supported by dedicated infrastructure, communication channels, and affiliate services that enable its continued activity across the ransomware landscape.
Editorial Note
Investigations involving ransomware groups are rarely straightforward. Infrastructure changes, rebranding efforts, and fragmented digital footprints often make it difficult to understand how an operation truly functions behind the scenes.
This case highlights how StealthMole's ability to connect data across ransomware monitoring, dark web infrastructure, underground forums, and cryptocurrency activity can help uncover relationships that may otherwise remain hidden, while recognizing that attribution and assessment are always subject to the limits of the available evidence.
To access the unmasked report or full details, please reach out to us separately.
Contact us: support@stealthmole.com
Labels: Featured, Ransomware