Unit 42 researchers have uncovered a sophisticated campaign led by an initial access broker (IAB) exploiting leaked Machine Keys—critical cryptographic keys used on ASP.NET sites—to breach organizations across Europe and the United States.
The group, tracked as TGR-CRI-0045 and linked with medium confidence to the cybercrime entity Gold Melody (also known as UNC961 and Prophet Spider), has targeted a diverse range of industries, including financial services, manufacturing, wholesale and retail, high technology, and transportation and logistics.
The Attack: Exploiting View State Deserialization
The attackers leveraged leaked Machine Keys to craft and sign malicious payloads, exploiting a vulnerability in ASP.NET’s View State mechanism.
View State is designed to maintain the state of web controls between user requests and is protected by Machine Keys (ValidationKey and DecryptionKey).
If these keys are exposed, attackers can generate valid cryptographic signatures, bypassing security protections and enabling remote code execution directly within the memory of the IIS server.
This in-memory approach minimizes on-disk artifacts, making detection and forensic analysis extremely challenging.
TGR-CRI-0045 used open-source tools like ysoserial.net to generate deserialization payloads, often employing the XamlAssemblyLoadFromFile gadget to load .NET assemblies in memory.
Each attack required a new payload, as the exploit was “single-shot,” meaning every command execution involved a fresh exploitation attempt. This method allowed the group to:
- Execute arbitrary commands on the server via custom .NET assemblies.
- Upload and download files, including staging malicious binaries.
- Perform reconnaissance on the compromised host and its network.
- Achieve privilege escalation using custom tools (notably a binary named
updfthat abuses the GodPotato exploit to obtain SYSTEM privileges).
Post-Exploitation Tactics and Defense Evasion
Following successful exploitation, TGR-CRI-0045 focused on reconnaissance and maintaining access. The group consistently used the directory C:\Windows\Temp\111t as a staging area for tools and data.
Reconnaissance commands included listing processes, network configurations, user accounts, and system information.
The attackers also deployed port scanners like TxPortMap to map internal networks for further exploitation opportunities.
To evade detection, the group often uploaded executables with short, extensionless filenames, later renaming them to blend in with legitimate files.
After their operations, the attackers deleted the tools and staging directories to erase traces of their activities.
Notably, the group avoided deploying persistent web shells, relying instead on repeated, in-memory exploitation to maintain access, which further reduced their forensic footprint.
Industry Impact and Defensive Recommendations
Unit 42’s analysis indicates that at least a dozen organizations have been impacted, with exposed Machine Keys identified as the primary root cause in most cases.
The opportunistic nature of TGR-CRI-0045’s targeting underscores the widespread risk posed by reused or leaked Machine Keys in production environments.
Key recommendations for organizations include:
- Review and remediate compromised Machine Keys by following Microsoft’s guidance and ensuring View State MAC signing is enabled.
- Implement conditional logging of POST requests to capture potential exploitation attempts, as these are rarely logged by default but often used to deliver malicious View State payloads.
- Monitor Windows event logs (specifically Event ID 1316) for signs of View State deserialization failures, which may indicate active exploitation.
- Adopt advanced detection and prevention tools: Palo Alto Networks customers benefit from updated WildFire machine-learning models, Advanced URL Filtering, Advanced DNS Security, and the Cortex XDR/XSIAM IIS Protection module, all of which have been enhanced to address these threats.
This campaign highlights the evolving tactics of financially motivated threat actors and the critical importance of securing cryptographic keys and maintaining robust detection capabilities for in-memory attacks targeting web infrastructure.
Find this Story Interesting! Follow us on Google News, LinkedIn, and X to Get More Instant updates
