NPPSPY

NPPSPY opens a new network listener for the mpnotify.exe process that is typically contacted by the Winlogon process in Windows. A new, alternative RPC channel is set up with a malicious DLL recording plaintext credentials entered into Winlogon, effectively intercepting and redirecting the logon information.^[1]

NPPSPY collection is automatically recorded to a specified file on the victim machine.^[1]

NPPSPY records data entered from the local system logon at Winlogon to capture credentials in cleartext.^[1]

NPPSPY creates a network listener using the misspelled label logincontroll recorded to the Registry key HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order.^[1]

NPPSPY captures user input into the Winlogon process by redirecting RPC traffic from legitimate listening DLLs within the operating system to a newly registered malicious item that allows for recording logon information in cleartext.^[1]

NPPSPY modifies the Registry to record the malicious listener for output from the Winlogon process.^[1]

NPPSPY captures credentials by recording them through an alternative network listener registered to the mpnotify.exe process, allowing for cleartext recording of logon information.^[1]