
The initial access broker (IAB) known as Gold Melody has been attributed to a campaign that exploits leaked ASP.NET machine keys to gain unauthorized access to organizations and then sell that access to other threat actors.
The activity is tracked by Palo Alto Networks Unit 42 under the moniker TGR-CRI-0045, in which "TGR" stands for "temporary group" and "CRI". The hacking group is also known as Prophet Spider and UNC961, and one of its tools is also used by an initial access broker known as ToyMaker.
"The group appears to follow an opportunistic approach, but has attacked European and US organizations in the following industries: financial services, manufacturing, wholesale and retail, high technology, and transportation and logistics."

Abuse of ASP.NET machine keys in the wild was first documented by Microsoft in February 2025, when the company said it had identified over 3,000 publicly disclosed keys that could be weaponized for ViewState code injection, ultimately leading to arbitrary code execution.
The first signs of these attacks were detected by the Windows maker in December 2024. Unknown adversaries leveraged static ASP.NET machine keys that were publicly available to inject malicious code and deliver the Godzilla post-exploitation framework.
According to Unit 42's analysis, TGR-CRI-0045 follows a similar modus operandi, using leaked keys to sign malicious payloads that provide unauthorized access to the target server, a technique known as ASP.NET ViewState deserialization.
"This technique allowed the IAB to execute malicious payloads directly in server memory, minimizing on-disk presence and leaving almost no forensic artifacts, making detection even more difficult," the cybersecurity company said, having found evidence of the earliest exploitation in October 2024.
Unlike traditional web shell implants and file-based payloads, this memory-resident approach bypasses many legacy EDR solutions that rely on file system or process tree artifacts. Organizations that rely solely on file integrity monitoring or anti-virus signatures can miss such intrusions entirely, so it is important to implement behavior-based detection of anomalous IIS request patterns, child processes spawned by w3wp.exe, or sudden changes in the behavior of .NET applications.

A significant surge in activity is said to have been detected between late January and March 2025, with the attacks leading to the deployment of bespoke C# programs used as post-exploitation tools, such as open-source port scanners and UPDF for local privilege escalation.
In at least two incidents observed by Unit 42, the attack is characterized by command shell execution originating from an Internet Information Services (IIS) web server. Another notable aspect is the likely use of an open-source .NET deserialization payload generator called ysoserial.net to build the payloads.
These payloads bypass ViewState protections and trigger the execution of in-memory .NET assemblies. So far, five different IIS modules have been identified as being loaded into memory; those described include:
Cmd/C: runs the system's command shell and is used to pass commands that execute arbitrary instructions on the server.
File upload: allows a file to be uploaded to the server by specifying a byte buffer containing the file's contents.
Reflective loader (not recovered): appears to act as a reflective loader for dynamically loading and running additional .NET assemblies in memory without leaving a trail.

"Between October 2024 and January 2025, the threat actor's activities were primarily focused on system exploitation, deployment of modules like exploit checkers, and performing basic shell reconnaissance," Unit 42 said. "Post-exploitation activities primarily involve reconnaissance of compromised hosts and surrounding networks."
Other tools downloaded to the system include an ELF binary named ATM, fetched from an external server (195.123.240[.]233:443), and a Golang port scanner called TXPortMap, used to map internal networks and identify potential targets for exploitation.
"TGR-CRI-0045 uses a simple approach to ViewState deserialization, loading a single stateless assembly directly," the researchers said. "Each command requires reuse and re-uploading of the assembly (for example, running the file upload assembly multiple times)."
"The deserialization vulnerability exposed through leaked machine keys in ASP.NET ViewState allows minimal on-disk presence and long-term access. The group's opportunistic targeting and ongoing tool development highlight the need for organizations to identify and prioritize compromised machine keys."
The campaign also highlights a broader set of cryptographic exposure threats, including weak MachineKey generation policies, missing MAC validation, and insecure defaults in older ASP.NET applications. It should help organizations build more resilient AppSec and identity protection strategies that account for encryption integrity risks, ViewState MAC tampering, and IIS middleware abuse.
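Two of the checks a defender can run against the exposures named above (a static or known-disclosed machineKey, disabled ViewState MAC validation, legacy algorithms) and the w3wp.exe child-process signal mentioned earlier, as an added example that is not Unit 42's or Microsoft's code. The web.config and the process-creation records are constructed samples, and the set of known-disclosed keys is an assumed operator-supplied input.

```python
"""Audit helpers for the machine-key / ViewState exposures above (added example,
not Unit 42 or Microsoft code; the sample config and events are constructed)."""
import xml.etree.ElementTree as ET

WEAK_ALGOS = {"MD5", "SHA1", "3DES", "DES"}          # legacy ViewState algorithms
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}   # shells w3wp.exe should not spawn

def audit_machine_key(web_config: str, known_leaked=frozenset()) -> list:
    """Return findings for <machineKey>/<pages> in a web.config string.
    known_leaked: operator-supplied set of upper-cased validationKeys already
    public (assumed input, empty by default)."""
    findings, root = [], ET.fromstring(web_config)
    mk = root.find("./system.web/machineKey")
    if mk is not None:
        vk = mk.get("validationKey", "AutoGenerate")
        if not vk.startswith("AutoGenerate"):
            findings.append("static validationKey")
            if vk.upper() in known_leaked:
                findings.append("validationKey is a known-disclosed key")
        if not mk.get("decryptionKey", "AutoGenerate").startswith("AutoGenerate"):
            findings.append("static decryptionKey")
        for attr in ("validation", "decryption"):  # absent attr = framework default
            algo = mk.get(attr, "")
            if algo.upper() in WEAK_ALGOS:
                findings.append(f"weak {attr} algorithm {algo}")
    pages = root.find("./system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false (MAC validation disabled)")
    return findings

def iis_shell_spawns(events: list) -> list:
    """Return process-creation records where w3wp.exe is the parent of a shell."""
    return [e for e in events
            if e["parent_image"].lower().endswith("\\w3wp.exe")
            and e["image"].lower().rsplit("\\", 1)[-1] in SHELLS]

SAMPLE_WEB_CONFIG = """<configuration><system.web>
  <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
              decryptionKey="0123456789ABCDEF0123456789ABCDEF" validation="SHA1" decryption="AES"/>
  <pages enableViewStateMac="false"/>
</system.web></configuration>"""

SAMPLE_EVENTS = [  # constructed Sysmon-style process creation records
    {"parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe", "image": r"C:\Windows\System32\cmd.exe"},
    {"parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe", "image": r"C:\Windows\System32\conhost.exe"},
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe"},
]
```

Run `audit_machine_key` over every web.config on an IIS host and feed real Sysmon event 1 records into `iis_shell_spawns`; the sample config yields four findings and the sample events yield exactly the w3wp.exe-to-cmd.exe record.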