The Initial Access Broker (IAB) known as Gold Melody has been attributed to a campaign that exploits leaked ASP.NET machine keys to obtain unauthorized access to organizations and peddle that access to other threat actors.
The activity is being tracked by Palo Alto Networks Unit 42 under the moniker TGR-CRI-0045, where “TGR” stands for “temporary group” and “CRI” refers to criminal motivation. The hacking group is also known as Prophet Spider and UNC961, with one of its tools also used by an initial access broker called ToyMaker.
“The group seems to follow an opportunistic approach but has attacked organizations in Europe and the U.S. in the following industries: financial services, manufacturing, wholesale and retail, high technology, and transportation and logistics,” researchers Tom Marsden and Chema Garcia said.
The abuse of ASP.NET machine keys in the wild was first documented by Microsoft in February 2025, with the company noting that it had identified over 3,000 such publicly disclosed keys that could be weaponized for ViewState code injection attacks, ultimately leading to arbitrary code execution.
The first sign of these attacks was detected by the Windows maker in December 2024, when an unknown adversary leveraged a publicly available, static ASP.NET machine key to inject malicious code and deliver the Godzilla post-exploitation framework.
Unit 42’s analysis shows that the TGR-CRI-0045 is following a similar modus operandi, employing the leaked keys to sign malicious payloads that provide unauthorized access to targeted servers, a technique known as ASP.NET ViewState deserialization.
“This technique enabled the IAB to execute malicious payloads directly in server memory, minimizing their on-disk presence and leaving few forensic artifacts, making detection more challenging,” the cybersecurity company said, adding it found evidence of earliest exploitation in October 2024.
Unlike traditional web shell implants or file-based payloads, this memory-resident approach bypasses many legacy EDR solutions that rely on file system or process tree artifacts. Organizations relying solely on file integrity monitoring or antivirus signatures may completely miss the intrusion, making it critical to implement behavioral detections based on anomalous IIS request patterns, child processes spawned by w3wp.exe, or sudden changes in .NET application behavior.
A significant spike in activity is said to have been detected between late January and March 2025, during which period the attacks led to the deployment of post-exploitation tools such as open-source port scanners and bespoke C# programs like updf for local privilege escalation.
In at least two incidents observed by Unit 42, the attacks are characterized by command shell execution originating from Internet Information Services (IIS) web servers. Another notable aspect is the likely use of an open-source .NET deserialization payload generator called ysoserial.net and ViewState plugin to build the payloads.
These payloads bypass ViewState protections and trigger the execution of a .NET assembly in memory. Five different IIS modules have been identified as loaded into memory so far –
- Cmd /c, which is used to passing a command to be executed to the system’s command shell and execute arbitrary instructions on the server
- File upload, which allows for uploading files to the server by specifying a target file path and a byte buffer containing the file’s contents
- Winner, which is likely a check for successful exploitation
- File download (not recovered), which appears to be a downloader that allows an attacker to retrieve sensitive data from the compromised server
- Reflective loader (not recovered), which seemingly acts as a reflective loader to dynamically load and execute additional .NET assemblies in memory without leaving a trail
“Between October 2024 and January 2025, the threat actor’s activity primarily focused on exploiting systems, deploying modules — like the exploit checker — and performing basic shell reconnaissance,” Unit 42 said. “Post-exploitation activity has primarily involved reconnaissance of the compromised host and surrounding network.”
Some of the other tools downloaded onto the systems include an ELF binary named atm from an external server (“195.123.240[.]233:443”) and a Golang port scanner called TXPortMap to map out the internal network and identify potential exploitation targets.
“TGR-CRI-0045 uses a simplistic approach to ViewState exploitation, loading a single, stateless assembly directly,” the researchers noted. “Each command execution requires re-exploitation and re-uploading the assembly (e.g., running the file upload assembly multiple times).”
“Exploiting ASP.NET View State deserialization vulnerabilities via exposed Machine Keys allows minimal on-disk presence and enables long-term access. The group’s opportunistic targeting and ongoing tool development highlight the need for organizations to prioritize identifying and remediating compromised Machine Keys.”
This campaign also highlights a broader category of cryptographic key exposure threats, including weak machineKey generation policies, missing MAC validation, and insecure defaults in older ASP.NET applications. Expanding internal threat models to include cryptographic integrity risks, ViewState MAC tampering, and IIS middleware abuse can help organizations build more resilient AppSec and identity protection strategies.
About The Author
Original post here
