Gold Melody IAB Exploits Exposed ASP.NET Machine Keys to Gain Unauthorized Access to Targets

6 Min Read

The initial access broker (IAB) known as Gold Melody has been linked to a campaign that exploits leaked ASP.NET machine keys to gain unauthorized access to organizations and pass that access on to other threat actors.

The activity is tracked by Palo Alto Networks Unit 42 under the moniker TGR-CRI-0045, where "TGR" stands for "temporary group" and "CRI" refers to a criminal motivation. The hacking group is also known as Prophet Spider and UNC961, and one of its tools is also used by an initial access broker called Toymaker.

“The group appears to follow an opportunistic approach, but has attacked European and U.S. organizations in the following industries: financial services, manufacturing, wholesale and retail, high tech, and transportation and logistics.”

In-the-wild abuse of ASP.NET machine keys was first documented by Microsoft in February 2025, when the company said it had identified over 3,000 publicly disclosed keys that could be weaponized for ViewState code injection attacks, ultimately leading to arbitrary code execution.

The Windows maker first observed such attacks in December 2024, when an unknown adversary leveraged publicly available static ASP.NET machine keys to inject malicious code and deliver the Godzilla post-exploitation framework.

According to Unit 42's analysis, TGR-CRI-0045 follows a similar modus operandi, using the leaked keys to sign malicious payloads that grant unauthorized access to the target server, a technique known as ASP.NET ViewState deserialization.

“This technique allowed the IAB to execute malicious payloads directly in server memory, minimizing its on-disk presence and leaving almost no forensic artifacts, making detection even more difficult,” the cybersecurity company said, adding that it found evidence of exploitation as early as October 2024.


Unlike traditional web shell implants and file-based payloads, this memory-resident approach bypasses many legacy EDR solutions that rely on file-system or process-tree artifacts. Organizations that rely solely on file integrity monitoring or antivirus signatures can miss such intrusions entirely, so it is important to implement behavioral detection based on anomalous IIS request patterns, child processes spawned by w3wp.exe, or sudden changes in the behavior of .NET applications.
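As an added illustration of the w3wp.exe child-process detection described above (example code written for this article, not from Unit 42 or any vendor product), the following Python flags processes spawned by the IIS worker process; the event shape, paths and allowlist are assumptions and the events are constructed samples:

```python
from dataclasses import dataclass

# Constructed process-creation events in a Sysmon Event ID 1-like shape.
# Field names and paths are an assumption; real data would come from the SIEM.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c whoami && ipconfig /all"},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": "csc.exe /noconfig /out:App_Web_x.dll"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c dir"},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Users\Public\scan.exe",
     "CommandLine": "scan.exe 10.0.0.0/24"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# Children an ASP.NET worker process legitimately spawns (dynamic compilation etc.);
# this allowlist is an assumption and should be tuned per environment.
EXPECTED_CHILDREN = {"csc.exe", "vbc.exe", "cvtres.exe", "conhost.exe"}

@dataclass
class Alert:
    severity: str
    reason: str
    command_line: str

def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect_iis_spawned_processes(events):
    """Flag processes whose parent is the IIS worker process w3wp.exe."""
    alerts = []
    for ev in events:
        if image_name(ev["ParentImage"]) != "w3wp.exe":
            continue  # only IIS worker-process children are of interest here
        child = image_name(ev["Image"])
        if child in SHELLS:
            alerts.append(Alert("high", f"w3wp.exe spawned shell {child}", ev["CommandLine"]))
        elif child not in EXPECTED_CHILDREN:
            alerts.append(Alert("medium", f"w3wp.exe spawned unexpected child {child}", ev["CommandLine"]))
    return alerts
```

The command shell spawned by w3wp.exe in the first event is the pattern Unit 42 describes for this campaign; the csc.exe compilation is normal ASP.NET behavior and is not flagged.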

A significant surge in activity is said to have been detected between late January and March 2025. The attacks have also led to the deployment of custom C# programs and post-exploitation tools such as open-source port scanners and UPDF for local privilege escalation.

In at least two incidents observed by Unit 42, the attacks are characterized by command shell execution originating from an Internet Information Services (IIS) web server. Another notable aspect is that the payloads are likely built with an open-source .NET deserialization payload generator called ysoserial.net.

These payloads bypass ViewState protections and trigger the execution of in-memory .NET assemblies. So far, five different IIS modules have been identified as being loaded into memory –

  • cmd /c, which passes commands to the system’s command shell and executes arbitrary instructions on the server
  • File upload, which allows files to be uploaded to the server by specifying a byte buffer containing the target file path and the file’s contents
  • Winner, which is likely a check for successful exploitation
  • File download (not recovered), which appears to be a downloader that allows an attacker to retrieve sensitive data from a compromised server
  • Reflective loader (not recovered), which appears to act as a reflective loader for dynamically loading and running additional .NET assemblies in memory without leaving a trail

“Between October 2024 and January 2025, the threat actor’s activities were primarily focused on system exploitation, deployment of modules such as exploit checkers, and basic shell reconnaissance,” Unit 42 said. “Post-exploitation activities primarily involved reconnaissance of compromised hosts and the surrounding networks.”


Other tools downloaded to the system include an ELF binary fetched from an external server (“195.123.240(.)233:443”) and a Golang port scanner called TXPortMap, which maps internal networks to identify potential targets for exploitation.

“TGR-CRI-0045 uses a simple approach to ViewState deserialization, loading a single stateless assembly directly,” the researchers said. “Each command requires re-exploitation and re-uploading of the assembly (for example, running the file upload assembly multiple times).”

“The deserialization vulnerability in ASP.NET ViewState via exposed machine keys allows for minimal disk presence and long-term access. The group’s opportunistic targeting and ongoing tool development highlight the need for organizations to identify and prioritize compromised machine keys.”

The campaign also highlights a broader class of cryptographic exposure threats, including weak MachineKey generation policies, missing MAC validation, and insecure defaults in older ASP.NET applications. Organizations should build more resilient AppSec and identity protection strategies that account for cryptographic integrity risks, ViewState MAC tampering, and IIS middleware abuse.
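As an added example (not from the article or Unit 42), the following Python audits the web.config settings named above: a weak machineKey configuration beside its hardened counterpart, checked for a publicly disclosed key, insufficient key length, weak algorithms and a disabled ViewState MAC. The config fragments and the leaked-key set are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragment for illustration, not from any real deployment.
# The key values are short placeholders standing in for keys copied from a public source.
WEAK_WEB_CONFIG = """<configuration><system.web>
  <machineKey validationKey="AAAABBBBCCCCDDDD1111222233334444"
              decryptionKey="DEADBEEFDEADBEEF"
              validation="SHA1" decryption="3DES" />
  <pages enableViewStateMac="false" />
</system.web></configuration>"""

# Same settings corrected: unique random keys of recommended length (placeholder
# zeros here; generate real keys with a CSPRNG), HMACSHA256/AES, MAC left enabled.
HARDENED_WEB_CONFIG = """<configuration><system.web>
  <machineKey validationKey="%s" decryptionKey="%s"
              validation="HMACSHA256" decryption="AES" />
  <pages enableViewStateMac="true" />
</system.web></configuration>""" % ("0" * 128, "0" * 64)

# Placeholder set; a real audit would load the list of publicly disclosed keys.
KNOWN_LEAKED_VALIDATION_KEYS = {"AAAABBBBCCCCDDDD1111222233334444"}
WEAK_VALIDATION = {"MD5", "SHA1"}
WEAK_DECRYPTION = {"DES", "3DES"}

def audit_machine_key(xml_text):
    """Return (severity, finding) tuples for the machineKey and pages settings."""
    root = ET.fromstring(xml_text)
    findings = []
    pages = next(root.iter("pages"), None)
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append(("critical", "enableViewStateMac=false: ViewState accepted without a MAC"))
    mk = next(root.iter("machineKey"), None)
    if mk is None:
        return findings  # no hardcoded keys in this file (AutoGenerate default applies)
    vkey = mk.get("validationKey", "AutoGenerate")
    if vkey in KNOWN_LEAKED_VALIDATION_KEYS:
        findings.append(("critical", "validationKey matches a publicly disclosed key"))
    elif not vkey.startswith("AutoGenerate") and len(vkey) < 128:
        findings.append(("high", "validationKey shorter than the 64 bytes recommended for HMACSHA256"))
    if mk.get("validation", "HMACSHA256").upper() in WEAK_VALIDATION:
        findings.append(("high", "weak validation algorithm " + mk.get("validation")))
    if mk.get("decryption", "AES").upper() in WEAK_DECRYPTION:
        findings.append(("high", "weak decryption algorithm " + mk.get("decryption")))
    return findings
```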
