{ "id": "90ac112f-0043-4287-9156-6f6e1b6890e1", "created_at": "2026-04-06T00:11:57.803899Z", "updated_at": "2026-04-10T13:11:23.578798Z", "deleted_at": null, "sha1_hash": "65bb7c2a36d6733f6af621f715bb39c7026be1a4", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 49479, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 14:26:11 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Ntospy\n Tool: Ntospy\nNames Ntospy\nCategory Malware\nType Credential stealer\nDescription\n(Palo Alto) To perform credential theft, the threat actor used a custom DLL module\nimplementing a Network Provider. A Network Provider module is a DLL component\nimplementing the interface provided by Microsoft to support additional types of network\nprotocols during the authentication process.\nThis technique is pretty well documented. Sergey Polak demonstrated the technique at\nBlackHat back in 2004 at his session titled “Capturing Windows Passwords using the Network\nProvider API.” In 2020, researcher Grzegorz Tworek uploaded his tool NPPSpy to GitHub,\nwhich also implements this technique.\nDue to the file naming patterns of the DLL module, and as a reference to the previous research\nand tools, Unit 42 researchers named this malware family Ntospy. The threat actor registers the\nNtospy DLL module as a Network Provider module to hijack the authentication process, to get\naccess to the user credentials every time the victim attempts to authenticate to the system.\nInformation Malpedia Last change to this tool card: 27 December 2024\nDownload this tool card in JSON format\nAll groups using tool Ntospy\nChanged Name Country Observed\nAPT groups\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=674fc53a-c338-4d1f-af34-bd8379acfc2c\nPage 1 of 2\n\nOperation Diplomatic Specter 2022  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=674fc53a-c338-4d1f-af34-bd8379acfc2c\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=674fc53a-c338-4d1f-af34-bd8379acfc2c\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=674fc53a-c338-4d1f-af34-bd8379acfc2c" ], "report_names": [ "listgroups.cgi?u=674fc53a-c338-4d1f-af34-bd8379acfc2c" ], "threat_actors": [ { "id": "cff2cedd-a198-4e79-ae67-19048084ae7f", "created_at": "2024-06-20T02:02:09.945126Z", "updated_at": "2026-04-10T02:00:04.79991Z", "deleted_at": null, "main_name": "Operation Diplomatic Specter", "aliases": [ "CL-STA-0043", "TGR-STA-0043" ], "source_name": "ETDA:Operation Diplomatic Specter", "tools": [ "Agent Racoon", "Agent.dhwf", "AngryRebel", "CHINACHOPPER", "China Chopper", "Destroy RAT", "DestroyRAT", "Farfli", "Gh0st RAT", "Ghost RAT", "HTran", "HUC Packet Transmit Tool", "JuicyPotatoNG", "Kaba", "Korplug", "LadonGo", "Mimikatz", "Mimilite", "Moudour", "Mydoor", "NBTscan", "Ntospy", "PCRat", "PlugX", "RedDelta", "SharpEfsPotato", "SinoChopper", "Sogu", "SweetSpecter", "TIGERPLUG", "TVT", "Thoper", "TunnelSpecter", "Xamtrav", "Yasso", "nbtscan" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434317, "ts_updated_at": 1775826683, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/65bb7c2a36d6733f6af621f715bb39c7026be1a4.pdf", "text": "https://archive.orkl.eu/65bb7c2a36d6733f6af621f715bb39c7026be1a4.txt", "img": "https://archive.orkl.eu/65bb7c2a36d6733f6af621f715bb39c7026be1a4.jpg" } }