{
  "name": "Four Malicious NuGet Packages Target ASP.NET Developers With JIT Hooking and Credential Exfiltration",
  "slug": "four-malicious-nuget-packages-target-aspnet-developers-with-jit-hooking-and-credential-exfiltration",
  "description": "A NuGet supply-chain attack involving four malicious packages that target ASP.NET web application developers has been discovered. The campaign deploys a multi-stage payload in which NCryptYo acts as a dropper and establishes a local proxy, while companion packages exfiltrate ASP.NET Identity data and accept threat-actor-controlled authorization rules, creating backdoors in victim applications. The packages, published between August 12 and August 21, 2024, have accumulated over 4,500 downloads. The attack uses obfuscation, JIT compiler manipulation, and a two-stage architecture to evade detection. The campaign's objective is to compromise applications during development and thereby gain access to deployed production instances by controlling the authorization layer.",
  "published": "2026-02-24T07:04:58+00:00",
  "created_at": "2026-02-24T07:04:58+00:00",
  "modified_at": "2026-02-24T07:53:04+00:00",
  "created_at_opencti": "2026-02-24T07:04:58+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-02-24",
    "asp.net",
    "backdoor",
    "credential-exfiltration",
    "domoauth2_",
    "iraoauth2.0",
    "jit-manipulation",
    "ncryptyo",
    "nuget",
    "obfuscation",
    "simplewriter_",
    "supply chain attack",
    "typosquatting"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "6d64d0ca9b3262eb00396e2c441a389fb748b750a3f16b8d086456cc3364d397"
      },
      {
        "id": "",
        "name": "7c1a9a681411c528ee2bd291450d955f9d599a03cf34a530d9c526451c63c0aa"
      },
      {
        "id": "",
        "name": "44f3766323d813752e9ec879edf17a284f5ed971f814777f18f5e8f83c1ff5ba"
      },
      {
        "id": "",
        "name": "c2ac85bcbf38c6a4e1b4ba971742f126eb0deaf486b7bd396858d98a3773de73"
      }
    ],
    "malware": [
      {
        "id": "19a61539-3bea-4da6-9117-2f856c6bb003",
        "name": "DOMOAuth2_",
        "slug": "domoauth2"
      },
      {
        "id": "ab5d2402-2541-4d89-b6e4-67004a409396",
        "name": "SimpleWriter_",
        "slug": "simplewriter"
      },
      {
        "id": "38b6b1ac-189b-4190-9b98-314d7a3724be",
        "name": "NCryptYo",
        "slug": "ncryptyo"
      },
      {
        "id": "c331d83b-b0a5-44e5-9c45-039d5e43b020",
        "name": "IRAOAuth2.0",
        "slug": "iraoauth20"
      }
    ],
    "intrusion_sets": [
      {
        "id": "1f172343-ab26-4173-8212-16e4c6786f95",
        "name": "hamzazaheer",
        "slug": "hamzazaheer"
      }
    ],
    "attack_patterns": [
      {
        "id": "6ccd4566-e15e-40cf-b7df-4a3f737ce5cd",
        "name": "T1036.005"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "e8422fc8-8365-4a6a-a556-d6ec16cb4e5d",
        "name": "T1574.002"
      },
      {
        "id": "7364ca96-72bf-4b7f-afef-ce2583b1ed58",
        "name": "T1562.001"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      }
    ]
  },
  "external_refs": [
    "https://socket.dev/blog/four-malicious-nuget-packages-target-asp-net-developers-with-jit-hooking-and-credential",
    "https://otx.alienvault.com/pulse/699d5baa21c5722498f88433"
  ]
}