To steal credentials, the threat actor utilized a custom DLL as a Network Provider module, a known technique documented since 2004.
Named Ntospy by Unit 42, the malware family hijacks the authentication process, accessing user credentials upon authentication attempts.
The threat actor installs the DLL module as the credman Network Provider, using a C:\Windows\Temp\install.bat script that runs reg.exe to write the registry entries.
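An added defensive example, not from the Unit 42 report: the registry entries that make Windows load a Network Provider DLL are the same ones a defender can audit. It assumes an elevated PowerShell session on the host being inspected and treats a provider DLL outside System32, missing on disk, or without a valid Microsoft signature as worth a closer look.

```powershell
# Enumerate Network Providers the way Windows does (ProviderOrder) and report
# anything that does not look like a built-in provider. Added example code;
# assumes it is run elevated on the host under review.
$orderKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order'
$order    = (Get-ItemProperty -Path $orderKey -Name ProviderOrder).ProviderOrder
$sys32    = Join-Path $env:SystemRoot 'System32'

foreach ($raw in ($order -split ',')) {
    $name  = $raw.Trim()
    if (-not $name) { continue }
    $npKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name\NetworkProvider"
    $flags = @()

    if (-not (Test-Path $npKey)) {
        # Listed in ProviderOrder but no NetworkProvider key: stale or tampered.
        [pscustomobject]@{ Provider = $name; Dll = $null; Findings = 'no NetworkProvider key' }
        continue
    }

    $props = Get-ItemProperty -Path $npKey
    # ProviderPath is REG_EXPAND_SZ; expand it explicitly so the path is usable.
    $dll   = [Environment]::ExpandEnvironmentVariables([string]$props.ProviderPath)

    if (-not $dll) {
        $flags += 'empty ProviderPath'
    } else {
        # Built-in providers (e.g. ntlanman.dll, drprov.dll) live under System32.
        if (-not $dll.StartsWith($sys32, [StringComparison]::OrdinalIgnoreCase)) {
            $flags += 'DLL outside System32'
        }
        if (-not (Test-Path -LiteralPath $dll)) {
            $flags += 'DLL missing on disk'
        } else {
            $sig = Get-AuthenticodeSignature -FilePath $dll
            if ($sig.Status -ne 'Valid') {
                $flags += "signature $($sig.Status)"
            } elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
                $flags += "signed by non-Microsoft subject: $($sig.SignerCertificate.Subject)"
            }
        }
    }

    [pscustomobject]@{
        Provider = $name
        Dll      = $dll
        Findings = if ($flags) { $flags -join '; ' } else { 'ok' }
    }
}
```

Pipe the output to Format-Table or export it for comparison across hosts; a provider name added by an installer script rather than a Windows component will stand out by path and signature before the DLL is ever examined.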