{
	"id": "e18353ec-4b96-4c44-a3e8-0adce0b3ebea",
	"created_at": "2026-04-06T00:14:13.334317Z",
	"updated_at": "2026-04-10T13:12:02.460919Z",
	"deleted_at": null,
	"sha1_hash": "e0eada835971475398de1188499dee3741541bd1",
	"title": "Ntospy (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 29423,
	"plain_text": "Ntospy (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 12:57:17 UTC\r\nNtospy is a credential stealer leveraging a well-established technique of abusing the Windows Network Provider\r\ninterface, a method documented as early as 2004 and exemplified by tools like NPPSpy. Posing as a legitimate\r\nNetwork Provider DLL, Ntospy injects itself into the Windows authentication process, hijacking login attempts to\r\nharvest user credentials. It achieves this by registering a malicious Network Provider, typically named \"credman,\"\r\nwhich intercepts authentication requests and redirects them to its malicious DLL.\r\nInstead of immediately exfiltrating the stolen data, Ntospy employs a form of local storage, writing the captured\r\ncredentials in cleartext to files disguised as harmless Microsoft Update packages using the .msu file extension.\r\nThese files are often planted in system directories with believable names like \"c:/programdata/package\r\ncache/windows10.0-kb5009543-x64.msu,\" further masking their malicious purpose.\r\nAdding to its stealth, Ntospy incorporates obfuscation techniques to evade detection. This includes using\r\nseemingly innocuous filenames for its DLL, often mimicking critical system files like \"ntoskrnl.dll\" to blend in.\r\nSome variants even go a step further by encrypting the credential storage file path within the DLL, requiring\r\nanalysis and decryption to uncover its full functionality.\r\n[TLP:WHITE] win_ntospy_auto (20251219 | Detects win.ntospy.)\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.ntospy",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.ntospy"
	],
	"report_names": [
		"win.ntospy"
	],
	"threat_actors": [],
	"ts_created_at": 1775434453,
	"ts_updated_at": 1775826722,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e0eada835971475398de1188499dee3741541bd1.pdf",
		"text": "https://archive.orkl.eu/e0eada835971475398de1188499dee3741541bd1.txt",
		"img": "https://archive.orkl.eu/e0eada835971475398de1188499dee3741541bd1.jpg"
	}
}