Ntospy

Ntospy is a custom credential-stealing malware module reported by Palo Alto Networks Unit 42 and used by the PRC-aligned espionage actor Phantom Taurus. It is described as a Network Provider DLL designed to hijack Windows authentication and capture user credentials when users authenticate. In observed intrusions, attackers installed Ntospy via C:\Windows\Temp\install.bat and reg.exe, registering a Network Provider named "credman." The malware used masquerading DLL paths including c:\windows\system32\ntoskrnl.dll, as well as temporary paths such as C:\Windows\Temp\ntoskrnl.dll and C:\Windows\Temp\ntos.dll. Captured credentials were stored in cleartext in files disguised as Microsoft update packages with .msu extensions, including c:/programdata/microsoft/~ntuserdata.msu and multiple package-cache-style .msu paths. Unit 42 linked some samples through RichPE header hashes indicating compilation in Visual Studio 2019 v16.0.0 build 27508, and identified one overlapping sample with SHA-256 bcd2bdea2bfecd09e258b8777e3825c4a1d98af220e7b045ee7b6c30bf19d6df. Ntospy was observed in related nation-state intrusion clusters including CL-STA-0002 and CL-STA-0043, and is also listed among the customized tools used by Phantom Taurus alongside the Specter malware family and NET-STAR. Associated activity targeted organizations in the Middle East, Africa, the U.S., and, in Phantom Taurus reporting, government and telecommunications organizations across Africa, the Middle East, and Asia, with espionage objectives focused on credential theft and broader intelligence collection.