NPPSPY
NPPSPY is a credential-stealing tool that abuses the Windows Network Provider mechanism to capture cleartext logon credentials. It modifies the Windows Registry to register a malicious Network Provider (a listener DLL) so that authentication-related traffic from the Winlogon process is redirected from the legitimate listening DLLs to the attacker-controlled component. That component receives the user's input and records the logon information in cleartext, typically writing the collected credentials to a specified file on the victim machine.

The technique is described as stealing cleartext credentials by abusing Network Providers; a 2020 implementation under the name NPPSpy was uploaded to GitHub by researcher Grzegorz Tworek.

Supporting reporting associates NPPSPY with intrusion activity and broader toolkits: Check Point reported that GoldenSMTP/IndigoZebra-related intrusions used the NPPSPY credential stealer, and in an NGO ransomware case the attackers registered a malicious DLL as the provider "credman" to capture Exchange OWA/ECP authentication credentials, gain domain admin access, and move laterally via RDP.

High-confidence behavioral indicators mentioned in the content include Registry modification to add the malicious Network Provider, redirection of Winlogon/RPC traffic to it, and credential output written to local files in cleartext.
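One defender-side check for the Registry indicator described above, added here as an example and not taken from this page or from the NPPSpy project: the PowerShell below reads the ProviderOrder lists that Winlogon consults, resolves each registered provider to the DLL named in its Services\<name>\NetworkProvider subkey, and flags entries whose DLL is missing, lives outside System32, or lacks a valid Microsoft Authenticode signature. It is read-only and assumes an elevated session; the key paths are the standard Network Provider locations, and the "Microsoft" signer match is a heuristic chosen for this example.

```powershell
# Added example (not from the page or from the NPPSpy project): enumerate the Network
# Providers registered on this host and flag those that do not look like built-in
# Microsoft provider DLLs. Read-only; run in an elevated PowerShell session.

$orderKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order',
    'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\HwOrder'
)

# Both keys hold a comma-separated REG_SZ value 'ProviderOrder' listing provider names.
$providerNames = foreach ($key in $orderKeys) {
    $value = (Get-ItemProperty -Path $key -Name ProviderOrder -ErrorAction SilentlyContinue).ProviderOrder
    if ($value) { $value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ } }
}
$providerNames = $providerNames | Sort-Object -Unique

$system32 = Join-Path $env:SystemRoot 'System32'

$report = foreach ($name in $providerNames) {
    # Each provider name maps to a service key whose NetworkProvider subkey names the DLL
    # (ProviderPath) that Winlogon loads and notifies on logon.
    $npKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name\NetworkProvider"
    $np = Get-ItemProperty -Path $npKey -ErrorAction SilentlyContinue

    $reasons = New-Object System.Collections.Generic.List[string]
    $path = $null
    $signer = $null

    if (-not $np) {
        $reasons.Add('no NetworkProvider subkey under Services')
    } else {
        $path = [Environment]::ExpandEnvironmentVariables([string]$np.ProviderPath)
        if (-not $path) {
            $reasons.Add('ProviderPath missing')
        } elseif (-not (Test-Path -LiteralPath $path)) {
            $reasons.Add('ProviderPath does not exist on disk')
        } else {
            # Built-in providers ship in System32; a DLL anywhere else deserves a look.
            if (-not $path.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)) {
                $reasons.Add('DLL outside System32')
            }
            $sig = Get-AuthenticodeSignature -FilePath $path
            $signer = $sig.SignerCertificate.Subject
            if ($sig.Status -ne 'Valid') {
                $reasons.Add("signature status $($sig.Status)")
            } elseif ($signer -notmatch 'Microsoft') {
                # Heuristic for this example: legitimate third-party providers (VPN clients,
                # virtualization tools) land here too and need vendor verification.
                $reasons.Add('signed, but not by Microsoft (verify vendor)')
            }
        }
    }

    $verdict = if ($reasons.Count -gt 0) { 'REVIEW' } else { 'ok' }
    [pscustomobject]@{
        Provider    = $name
        ProviderDll = $path
        Signer      = $signer
        Verdict     = $verdict
        Reasons     = ($reasons -join '; ')
    }
}

$report | Format-Table -AutoSize
```

An NPPSPY-style entry such as the "credman" provider from the NGO case would appear as a REVIEW row because its DLL is attacker-supplied rather than a signed Microsoft binary in System32. Baseline the output on a known-clean build of each Windows image so that legitimate vendor providers can be allowlisted and only new or changed rows are escalated; pairing this with Registry-write auditing on the two Order keys catches the registration itself rather than only its aftermath.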
Techniques & procedures
8 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 1 technique
Execution: 1 technique
Persistence: 2 techniques
Stealth: 1 technique
Defense Impairment: 2 techniques
Credential Access: 3 techniques
The content references collection of credential material from local systems, including "Bumblebee can capture and compress stolen credentials from the Registry and volume shadow copies," "GALLIUM collected ... password hashes from the SAM hive in the Registry," and "Windigo has used a script to gather credentials in files left on disk by OpenSSH backdoors."
Collection: 3 techniques
The content repeatedly describes threat actors and malware collecting, stealing, identifying, copying, or staging files, documents, credentials, logs, databases, and other information from compromised hosts or local systems.
NPPSPY records data entered from the local system logon at Winlogon to capture credentials in cleartext.
Agrius used a custom tool, sql.net4.exe, to query SQL databases and then identify and extract personally identifiable information... AppleSeed has automatically collected data from USB drives, keystrokes, and screen images before exfiltration... Ember Bear engages in mass collection from compromised systems during intrusions.
Recent activity
9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Credential theft tool referenced in the context of Atomic Red Team-style testing for OS credential dumping detections.
Credential-stealing malware used to harvest credentials during intrusions.
Credential-stealing tool used as part of the GoldenSMTP/IndigoZebra-related toolkit.
NPPSPY is a credential-stealing technique and tool that abuses Windows Network Providers to capture cleartext credentials during authentication, including credentials submitted via OWA/ECP on Exchange servers. Attackers register a malicious DLL as a network provider to intercept and record the credentials.