DOMOAuth2_
DOMOAuth2_ is a malicious NuGet package used in a software supply-chain campaign targeting ASP.NET web application developers. It was one of four related packages—NCryptYo, DOMOAuth2_, IRAOAuth2.0, and SimpleWriter_—published between August 12 and 21, 2024 by the NuGet account "hamzazaheer," and the set accumulated more than 4,500 downloads before removal. The campaign’s objective was to compromise applications built with the tainted dependencies rather than directly compromise developer workstations.
DOMOAuth2_ is designed to exfiltrate ASP.NET Identity and authorization data, including user accounts, role assignments, and permission mappings. It registers an internal OAuth service via an IServiceCollection extension method named AddOAuth and sends HTTP POST requests to hardcoded localhost endpoints at https://localhost:7152/api/auth/, including get-permissions, get-role-permissions, update-role-permissions, and update-user-permissions. The package communicates through a localhost proxy established by the companion package NCryptYo on 127.0.0.1:7152; NCryptYo acts as an obfuscated stage-1 dropper that executes on assembly load, installs JIT hooks, decrypts embedded payloads, and deploys a stage-2 component that relays traffic to an attacker-controlled C2 whose address is dynamically resolved at runtime.
DOMOAuth2_ includes a hardcoded attacker authentication token used by default if the caller does not provide an API key, and its AuthKey is marked with [JsonIgnore] so the credential is sent in headers rather than JSON bodies. It also uses a custom encoding routine that GZip-compresses data, prepends a 4-byte length, Base64-encodes it, and substitutes characters. C2 responses are returned through a dynamic Message.Data field, allowing attacker-controlled authorization rules to be injected into the victim application. Reported backdoor effects include granting admin roles, modifying access controls, and disabling security checks, enabling persistent access in deployed production applications while continuing to exfiltrate permission data.
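A dependency audit a defender could run against an ASP.NET project, added here as example code (not from the write-up or from the packages themselves): it flags the four package ids named above in a .csproj or packages.config, and searches source or decompiled text for the hardcoded proxy endpoint and API routes reported for DOMOAuth2_. The sample project file, its version numbers and the sample source line are constructed for the example.

```python
"""Audit a .NET project for the hamzazaheer NuGet campaign packages."""
import re
import xml.etree.ElementTree as ET

# Package ids named in the write-up; NuGet ids are case-insensitive.
MALICIOUS_PACKAGE_IDS = {"ncryptyo", "domoauth2_", "iraoauth2.0", "simplewriter_"}

# Strings reported inside DOMOAuth2_: the NCryptYo local proxy endpoint and
# the hardcoded routes it POSTs exfiltrated Identity data to.
SOURCE_INDICATORS = [
    r"localhost:7152",
    r"127\.0\.0\.1:7152",
    r"/api/auth/(get-permissions|get-role-permissions|"
    r"update-role-permissions|update-user-permissions)",
]


def flagged_package_references(project_xml: str) -> list[tuple[str, str]]:
    """Return (id, version) for each blocklisted reference in a .csproj
    (<PackageReference Include= Version=>) or packages.config (<package id= version=>).
    The tag's namespace prefix is stripped so old-style MSBuild files also work."""
    hits = []
    for node in ET.fromstring(project_xml).iter():
        local = node.tag.rsplit("}", 1)[-1]
        if local == "PackageReference":
            pkg_id, version = node.get("Include", ""), node.get("Version", "?")
        elif local == "package":
            pkg_id, version = node.get("id", ""), node.get("version", "?")
        else:
            continue
        if pkg_id.lower() in MALICIOUS_PACKAGE_IDS:
            hits.append((pkg_id, version))
    return hits


def indicator_matches(source_text: str) -> list[str]:
    """Return each indicator string found in project or decompiled source."""
    found = []
    for pattern in SOURCE_INDICATORS:
        m = re.search(pattern, source_text)
        if m:
            found.append(m.group(0))
    return found


# Constructed sample input: a tainted SDK-style project and one source line.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web"><ItemGroup>
  <PackageReference Include="Microsoft.AspNetCore.Identity.EntityFrameworkCore" Version="8.0.0" />
  <PackageReference Include="DOMOAuth2_" Version="1.0.0" />
  <PackageReference Include="NCryptYo" Version="1.0.0" />
</ItemGroup></Project>"""
SAMPLE_SOURCE = 'var url = "https://localhost:7152/api/auth/get-permissions";'

if __name__ == "__main__":
    print(flagged_package_references(SAMPLE_CSPROJ), indicator_matches(SAMPLE_SOURCE))
```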
The campaign showed signs of common authorship across the four packages, including shared build metadata and embedded credentials. DOMOAuth2_ and the related packages were reported by Socket Threat Research Team and later taken down from NuGet following responsible disclosure.
Groups observed using it
1 distinct threat actor attributed by public researchers.
"DOMOAuth2_ ... exfiltrate ASP.NET Identity data (user accounts, role assignments, permission mappings) and accept threat actor-controlled authorization rules that create persistent backdoors in victim applications."
Techniques & procedures
8 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (2 techniques)
"Four malicious NuGet packages have been discovered targeting ASP.NET web application developers... The packages... were published to the NuGet repository... These packages aimed to compromise applications during the development phase, allowing attackers to gain access to deployed production environments"
Persistence (1 technique)
Collection (1 technique)
Command and Control (2 techniques)
Exfiltration (1 technique)
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Malicious NuGet package that exfiltrates ASP.NET Identity data (accounts/roles/permissions) via a local proxy and processes C2-supplied authorization rules to create a persistent backdoor in victim-built ASP.NET applications (e.g., granting admin roles, modifying access controls, disabling security checks).
Malicious NuGet package that integrates into ASP.NET apps via dependency injection and exfiltrates ASP.NET Identity authorization data (users/roles/permissions) to a local proxy (localhost:7152) that relays to external C2. It also enables attacker-controlled authorization responses (dynamic Message.Data) to inject/modify permissions at runtime, effectively backdooring the app’s access control model.