Mallory
Malware, used by 1 actor

NCryptYo

NCryptYo is a malicious NuGet package and heavily obfuscated stage-1 dropper used in a software supply-chain campaign targeting ASP.NET developers. It was published to NuGet in August 2024 by the account "hamzazaheer" as part of a four-package cluster consisting of NCryptYo, DOMOAuth2_, IRAOAuth2.0, and SimpleWriter_, which accumulated more than 4,500 downloads before removal. NCryptYo masquerades as a cryptography library by typosquatting the legitimate NCrypto package, using the namespace "NCrypt" and the assembly filename "NCrypt.dll", which mimics the Windows CNG provider path.

It executes on assembly load via a static constructor, installs JIT compiler hooks, decrypts embedded payloads at runtime, and deploys a stage-2 component that establishes a localhost proxy on 127.0.0.1:7152. That proxy relays traffic from the companion packages to an attacker-controlled C2 server whose address is retrieved dynamically at runtime.

The broader campaign is designed to exfiltrate ASP.NET Identity data, including user accounts, role assignments, and permission mappings, and to manipulate authorization rules returned by the C2 in order to create persistent backdoors in deployed applications. Reported backdoor effects include granting admin roles, modifying access controls, and disabling security checks. The companion packages communicate with hardcoded https://localhost:7152/api/auth/ endpoints through the NCryptYo proxy: DOMOAuth2_ and IRAOAuth2.0 exfiltrate authorization data, while SimpleWriter_ presents as a PDF utility but provides unconditional file-write capability and hidden process execution, including execution of ExternalLib\Windows\wkhtmltopdf.exe, which is expected to be dropped by NCryptYo.

Reported indicators and artifacts include localhost:7152, the ProjectId 06062730-b307-48a6-a7c3-140e6bae4587 embedded across the companion packages, and shared package metadata and build artifacts that suggest common authorship.
Researchers assessed the likely objective was compromise of applications built with the tainted dependencies so that malicious C2-driven authorization manipulation and data exfiltration persist in production deployments.
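A defender's starting point for the "hunt this family in your stack" question is a scan of project files for the package ids and string indicators named above. The script below is an added example, not code from the Mallory page or from Socket's research; it assumes a .NET project tree laid out as .csproj / packages.config plus source files, and the sample files it scans are constructed here.

```python
import re
import xml.etree.ElementTree as ET

# Added example (not from the page). Package ids from the four-package cluster
# described above; NuGet ids are compared case-insensitively.
MALICIOUS_PACKAGES = {"ncryptyo", "domoauth2_", "iraoauth2.0", "simplewriter_"}
# String indicators named on the page: the hardcoded proxy endpoint and the shared ProjectId.
IOC_PATTERNS = {
    "proxy_endpoint": re.compile(r"https?://localhost:7152/api/auth/", re.I),
    "project_id": re.compile(r"06062730-b307-48a6-a7c3-140e6bae4587", re.I),
}

def package_ids(xml_text: str) -> set[str]:
    """Lowercased package ids from a .csproj (PackageReference) or packages.config."""
    ids = set()
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix
        if tag == "PackageReference" and el.get("Include"):
            ids.add(el.get("Include").lower())
        elif tag == "package" and el.get("id"):  # packages.config entry
            ids.add(el.get("id").lower())
    return ids

def scan_project(files: dict[str, str]) -> list[tuple[str, str]]:
    """files maps path -> content; returns (path, finding) pairs for review."""
    findings = []
    for path, text in files.items():
        if path.endswith((".csproj", "packages.config")):
            for pkg in sorted(package_ids(text) & MALICIOUS_PACKAGES):
                findings.append((path, f"malicious package reference: {pkg}"))
        for name, pat in IOC_PATTERNS.items():
            if pat.search(text):
                findings.append((path, f"indicator: {name}"))
    return findings

# Constructed sample tree: one tainted .csproj, one source file carrying the endpoint.
SAMPLE_FILES = {
    "App/App.csproj": """<Project Sdk="Microsoft.NET.Sdk.Web"><ItemGroup>
  <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  <PackageReference Include="NCryptYo" Version="1.0.0" />
  <PackageReference Include="DOMOAuth2_" Version="1.0.0" />
</ItemGroup></Project>""",
    "App/AuthClient.cs": 'var url = "https://localhost:7152/api/auth/roles";',
    "App/Clean.cs": "class Clean {}",
}

if __name__ == "__main__":
    for path, finding in scan_project(SAMPLE_FILES):
        print(f"{path}: {finding}")
```

Run it over a real checkout by reading each file into the `files` dict; a hit on the endpoint or ProjectId alone warrants a look at the package graph even when none of the four ids appears directly, since a transitive dependency can pull them in.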


THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.
hamzazaheer

"The campaign deploys a multi-stage payload where NCryptYo acts as a stage-1 dropper that establishes a local proxy on localhost:7152"

via Socket blog (socket.dev)
MITRE ATT&CK

Techniques & procedures

11 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

2 techniques
T1195.001 Compromise Software Dependencies and Development Tools (evidence: 2)

“A supply chain attack targeting ASP.NET developers… involving four malicious NuGet packages… NCryptYo… typosquatting the widely used NCrypto package.”

T1195.002 Compromise Software Supply Chain (evidence: 1)

"Socket's Threat Research Team discovered a NuGet supply chain attack involving four malicious packages... The lead package NCryptYo masquerades as a cryptography library through deliberate typosquatting of the legitimate NCrypto package."

Privilege Escalation

1 technique
T1055 Process Injection (evidence: 1)

"Static analysis confirms... VirtualAlloc + WriteProcessMemory + OpenProcess for process injection."

Stealth

5 techniques
T1027 Obfuscated Files or Information (evidence: 2)

“The DLL is protected by .NET Reactor obfuscation… Five encrypted resources are embedded inside”

T1036.005 Match Legitimate Resource Name or Location (evidence: 1)

"NCryptYo masquerades as a cryptography library through deliberate typosquatting... the DLL filename NCrypt.dll mimics Windows' CNG cryptography provider at C:\Windows\System32\NCrypt.dll, and the namespace NCrypt matches Microsoft's cryptography APIs."

T1055 Process Injection (evidence: 1)

"Static analysis confirms... VirtualAlloc + WriteProcessMemory + OpenProcess for process injection."

T1140 Deobfuscate/Decode Files or Information (evidence: 1)

"Every stub method... passes through the modified JIT where encrypted method bodies are decrypted and compiled... Five encrypted resources are embedded in the assembly... encryption uses AES-256-CBC..."

T1497 Virtualization/Sandbox Evasion (evidence: 1)

“.NET Reactor obfuscation, complete with a 14-day expiry timer and anti-debugging checks.”

Discovery

1 technique
T1497 Virtualization/Sandbox Evasion (evidence: 1)

“.NET Reactor obfuscation, complete with a 14-day expiry timer and anti-debugging checks.”

Command and Control

2 techniques
T1090.001 Internal Proxy (evidence: 1)

“silently deploying a hidden proxy on localhost port 7152 that relays traffic to an external, attacker-controlled server.”

T1572 Protocol Tunneling (evidence: 1)

"deploy a stage-2 binary - a localhost proxy on port 7152 that relays traffic... to the attacker's external C2 server"

Exfiltration

1 technique
T1041 Exfiltration Over C2 Channel (evidence: 1)

“route it to the attacker’s server through the local proxy.”

Other

1 technique
T1562.001 Disable or Modify Tools (evidence: 1)

"It checks Debugger.IsAttached and throws 'Debugger Detected'... [SuppressIldasm] attributes... RSA signature verification to detect tampering."
