SimpleWriter_
SimpleWriter_ is a malicious NuGet package used in a software supply-chain campaign targeting ASP.NET web application developers. Published in August 2024 by the account "hamzazaheer" as one of four related packages alongside NCryptYo, DOMOAuth2_, and IRAOAuth2.0, it accumulated part of the campaign's roughly 4,500 downloads before takedown. It presents itself as a PDF conversion utility, but analysis shows it provides unconditional file-writing capability and hidden process execution.

The package registers via dependency injection using AddWriterService to add ISimpleWriter/SimpleWriterService, beacons to https://localhost:7152/api/auth/ValidateWriterPermsAuthCheckProcessHandlerVerify, suppresses HttpRequestException, and discards the response. It executes ExternalLib\Windows\wkhtmltopdf.exe with CreateNoWindow=true while redirecting stdout and stderr; reporting indicates this binary is expected to be dropped by the companion package NCryptYo.

The broader campaign was designed to compromise applications built with the malicious dependencies rather than directly targeting developer workstations. NCryptYo acts as an obfuscated stage-1 dropper that installs JIT hooks, decrypts embedded payloads, and deploys a localhost proxy on 127.0.0.1:7152, while DOMOAuth2_ and IRAOAuth2.0 exfiltrate ASP.NET Identity data such as user accounts, role assignments, and permission mappings through that proxy to attacker-controlled C2 infrastructure. The C2 can return authorization rules that enable persistent backdoors in deployed applications, including granting admin roles, modifying access controls, or disabling security checks. Analysis cited identical build environments, shared embedded credentials, and metadata artifacts across the packages, indicating common authorship by a single threat actor.
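As an added defensive example (not Mallory's code or the researchers' tooling), the following Python checks a .NET project's .csproj PackageReference entries against the four package IDs named above and scans source text for the localhost:7152 beacon and the AddWriterService registration; the .csproj and startup snippet are constructed sample input.

```python
import re
import xml.etree.ElementTree as ET

# Package IDs named in the analysis above. NuGet IDs are case-insensitive,
# so the comparison is done on lowercased values.
MALICIOUS_PACKAGES = {"simplewriter_", "ncryptyo", "domoauth2_", "iraoauth2.0"}

# Text indicators from the analysis: the local proxy port used as the C2 relay,
# the DI registration method the package exposes, and its service interface.
TEXT_INDICATORS = [
    re.compile(r"https?://(?:localhost|127\.0\.0\.1):7152\b", re.I),
    re.compile(r"\bAddWriterService\s*\(", re.I),
    re.compile(r"\bISimpleWriter\b"),
]

def find_malicious_refs(csproj_xml: str) -> list[tuple[str, str]]:
    """Return (package_id, version) for every PackageReference in the set."""
    root = ET.fromstring(csproj_xml)
    hits = []
    for el in root.iter():  # any namespace, any nesting depth
        if el.tag.rsplit("}", 1)[-1] != "PackageReference":
            continue
        pkg = el.get("Include") or el.get("Update") or ""
        if pkg.lower() in MALICIOUS_PACKAGES:
            version = el.get("Version") or (el.findtext("Version") or "").strip()
            hits.append((pkg, version or "unpinned"))
    return hits

def find_text_indicators(source: str) -> list[str]:
    """Return the distinct indicator strings found in a source/config blob."""
    found = []
    for rx in TEXT_INDICATORS:
        for m in rx.finditer(source):
            if m.group(0) not in found:
                found.append(m.group(0))
    return found

# Constructed sample inputs (not taken from a real project).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.EntityFrameworkCore" Version="8.0.0" />
    <PackageReference Include="SimpleWriter_" Version="1.0.2" />
    <PackageReference Include="ncryptyo" Version="1.0.0" />
  </ItemGroup>
</Project>"""
SAMPLE_STARTUP = ('builder.Services.AddWriterService();\n'
                  'var url = "https://localhost:7152/api/auth/'
                  'ValidateWriterPermsAuthCheckProcessHandlerVerify";')

if __name__ == "__main__":
    print(find_malicious_refs(SAMPLE_CSPROJ))
    print(find_text_indicators(SAMPLE_STARTUP))
```

Run it over every .csproj, Directory.Packages.props and .cs file in a repository; a hit on the package IDs is a definite finding, while a hit on the text indicators alone warrants a look at what is being registered and called.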
Groups observed using it
1 distinct threat actor attributed by public researchers.
"SimpleWriter_ adds unconditional file writing and hidden process execution to the toolkit."
Techniques & procedures
6 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (2 techniques)
"Four malicious NuGet packages have been discovered targeting ASP.NET web application developers... The packages... were published to the NuGet repository... These packages aimed to compromise applications during the development phase, allowing attackers to gain access to deployed production environments"
Stealth (1 technique)
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Malicious NuGet package masquerading as a PDF conversion utility; writes attacker-controlled content to disk and executes a dropped binary with hidden windows (hidden process execution).
Malicious NuGet package masquerading as a PDF conversion utility. It beacons to the local proxy/C2 endpoint, unconditionally writes attacker-controlled content to disk, and executes a local binary (wkhtmltopdf.exe) with hidden window settings (CreateNoWindow=true), enabling stealthy execution and file-drop behavior even if C2 is unreachable.