Cloud Threat Landscape

Last Updated: April 3, 2025

In-Memory IIS Attacks via View State Deserialization

Type: Campaign
Actors: TGR-CRI-0045
Pub. date: July 8, 2025
Initial access: Exposed secret
Impact: Data exfiltration
Observed techniques: Webshell deployment, Token forgery
Observed tools: TXPortMap
Targeted technologies: Microsoft IIS
References: https://unit42.paloaltonetworks.com/initial-access-broker-exploits-leaked-machine-keys/
Status: Finalized
Last edited: Jul 9, 2025 1:22 PM

Unit 42 researchers uncovered a campaign by a threat actor they track as TGR-CRI-0045, assessed with medium confidence to be part of the Gold Melody (UNC961/Prophet Spider) group, targeting ASP.NET applications on IIS servers using compromised Machine Keys. Acting as an Initial Access Broker (IAB), the group abused ASP.NET View State deserialization: whoever holds an application's Machine Key can sign an arbitrary serialized object, and the server will accept the signature, deserialize the object and execute it in memory, leaving little for disk-based detection to find. The attacks began in late 2024, with a notable surge in early 2025, affecting at least a dozen organizations across critical sectors in the U.S. and Europe.
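Because the whole chain starts with an exposed Machine Key, the first thing a defender should check is whether any web.config on the estate carries a static, copied-from-a-tutorial key. The following audit script is an added example and is not code from the Wiz page or the Unit 42 report. The sample web.config, its key values and the "publicly posted" key list are constructed for illustration; in practice you would load the hashes Microsoft published for keys found in public code samples, and the defaults assumed for missing attributes (HMACSHA256 validation, AutoGenerate keys) are those of .NET Framework 4.5 and later.

```python
"""Audit <machineKey> elements in web.config for static or publicly known keys.

Added example, not part of the original page. All sample data below is constructed.
"""
import hashlib
import xml.etree.ElementTree as ET

# Constructed stand-ins for keys that have appeared in public code samples.
# A real audit stores only hashes of such keys; we hash these at load time so the
# checker never needs the plaintext at runtime.
CONSTRUCTED_PUBLIC_KEYS = [
    "0123456789ABCDEF" * 8,  # 128 hex chars, the shape of a typical hard-coded validationKey
]
KNOWN_LEAKED_HASHES = {
    hashlib.sha256(k.upper().encode()).hexdigest() for k in CONSTRUCTED_PUBLIC_KEYS
}

LEGACY_VALIDATION = {"MD5", "SHA1"}
LEGACY_DECRYPTION = {"DES", "3DES"}

# Constructed sample: a site-wide static key (copied from a forum post) plus one
# sub-application that correctly lets ASP.NET generate its own key.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="{vkey}" decryptionKey="{dkey}"
                validation="SHA1" decryption="AES"/>
  </system.web>
  <location path="admin">
    <system.web>
      <machineKey validationKey="AutoGenerate,IsolateApps"
                  decryptionKey="AutoGenerate,IsolateApps"
                  validation="HMACSHA256" decryption="AES"/>
    </system.web>
  </location>
</configuration>
""".format(vkey="0123456789ABCDEF" * 8, dkey="FEDCBA9876543210" * 4)


def parse_machine_keys(web_config_xml: str) -> list:
    """Return one attribute dict per <machineKey>, including those nested under <location>."""
    root = ET.fromstring(web_config_xml)
    return [dict(el.attrib) for el in root.iter("machineKey")]


def audit_machine_key(attrs: dict) -> list:
    """Return finding strings for one <machineKey> element; an empty list means clean."""
    findings = []
    vkey = attrs.get("validationKey", "AutoGenerate,IsolateApps")
    dkey = attrs.get("decryptionKey", "AutoGenerate,IsolateApps")
    for name, value in (("validationKey", vkey), ("decryptionKey", dkey)):
        if not value.upper().startswith("AUTOGENERATE"):
            findings.append(f"static {name}: anyone who can read this file can sign View State")
            if hashlib.sha256(value.upper().encode()).hexdigest() in KNOWN_LEAKED_HASHES:
                findings.append(f"{name} matches a publicly posted key: treat as compromised")
    if attrs.get("validation", "HMACSHA256").upper() in LEGACY_VALIDATION:
        findings.append(f"legacy validation algorithm {attrs['validation']}")
    if attrs.get("decryption", "Auto").upper() in LEGACY_DECRYPTION:
        findings.append(f"legacy decryption algorithm {attrs['decryption']}")
    return findings


def audit_web_config(web_config_xml: str) -> list:
    """Audit every <machineKey> in a web.config; returns a list of finding lists, in document order."""
    return [audit_machine_key(attrs) for attrs in parse_machine_keys(web_config_xml)]


if __name__ == "__main__":
    for i, findings in enumerate(audit_web_config(SAMPLE_WEB_CONFIG)):
        print(f"machineKey #{i}: {'clean' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

A key that matches the public list has to be rotated rather than merely hidden: the attacker already holds it, and rotating it invalidates every View State they can forge. Rotation also invalidates in-flight forms authentication tickets and View State on a web farm unless all nodes are updated together, so do it as a planned change.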

The attackers used stolen or leaked Machine Keys to craft malicious View State payloads, typically generated with tools such as ysoserial.net, which the IIS worker process (w3wp.exe) deserialized and executed in memory. Payloads included custom modules for command execution, file upload, and privilege escalation (via the GodPotato exploit). The group also conducted detailed host and network reconnaissance, deployed utilities like TxPortMap, and used disguised binaries (e.g., updf.exe) to create admin users. They did not deploy persistent web shells: each command required re-uploading and re-executing a payload, so nothing remained on disk between requests and the intrusions stayed discreet and low-footprint.
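With a valid key the forged View State passes MAC validation, so the usual ASP.NET signal for View State tampering (Event ID 1316, "Viewstate verification failed") never fires. What does remain visible is process telemetry: the payload runs inside w3wp.exe, so command execution, reconnaissance, account creation and a GodPotato-style escalation all surface as children of the IIS worker. The detector below is an added example and is not code from the Wiz page or the Unit 42 report. The event records are constructed in the shape of Sysmon Event ID 1 (process creation) fields; the benign-children and recon lists are assumptions that should be tuned per site.

```python
"""Flag suspicious child processes of the IIS worker process (w3wp.exe).

Added example, not part of the original page. The sample events are constructed
in a Sysmon Event ID 1 shape (Image, ParentImage, CommandLine, User).
"""
import re

W3WP = "w3wp.exe"
# ASP.NET compiles pages at runtime, so the C#/VB compilers and their helpers are
# normal children of w3wp.exe. Assumed list; extend it with what your site actually spawns.
EXPECTED_CHILDREN = {"csc.exe", "vbc.exe", "cvtres.exe", "conhost.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Host/network reconnaissance binaries the report describes the actor running. Assumed list.
RECON = {"whoami.exe", "ipconfig.exe", "net.exe", "net1.exe", "tasklist.exe",
         "systeminfo.exe", "nltest.exe", "netstat.exe"}
# "net user <name> <pw> /add" or "net localgroup administrators <name> /add"
ACCOUNT_CREATE = re.compile(
    r"\bnet1?(?:\.exe)?\s+(?:user\s+\S+\s+\S+|localgroup\s+administrators\s+\S+)\s+/add\b",
    re.IGNORECASE,
)
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed events: a legitimate compile, a shell creating an admin account, a renamed
# tool dropped outside the Windows directory and running as SYSTEM, and a grandchild.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": r"csc.exe /noconfig /fullpaths @C:\Windows\Temp\x.cmdline",
     "User": r"IIS APPPOOL\DefaultAppPool"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": 'cmd.exe /c "net user svc_backup P@ssw0rd! /add && '
                    'net localgroup administrators svc_backup /add"',
     "User": r"IIS APPPOOL\DefaultAppPool"},
    {"Image": r"C:\ProgramData\updf.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "updf.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Windows\System32\whoami.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "whoami",
     "User": r"IIS APPPOOL\DefaultAppPool"},
]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev: dict) -> list:
    """Return the reasons a process-creation event is suspicious; empty means not flagged."""
    if _basename(ev.get("ParentImage", "")) != W3WP:
        return []  # only direct children of the IIS worker are scored here
    image = ev.get("Image", "")
    child = _basename(image)
    if child in EXPECTED_CHILDREN:
        return []
    reasons = [f"unexpected child of w3wp.exe: {child}"]
    if child in SHELLS:
        reasons.append("shell spawned from IIS worker")
    if child in RECON:
        reasons.append("host/network recon from IIS worker")
    if ACCOUNT_CREATE.search(ev.get("CommandLine", "")):
        reasons.append("local account creation / admin group change")
    if not image.lower().startswith(TRUSTED_DIRS):
        reasons.append(f"binary outside trusted directories: {image}")
    if ev.get("User", "").upper() == "NT AUTHORITY\\SYSTEM":
        reasons.append("child runs as SYSTEM: impersonation-based escalation from the app-pool identity")
    return reasons


def detect(events: list) -> list:
    """Return (index, reasons) for every flagged event, in input order."""
    hits = []
    for i, ev in enumerate(events):
        reasons = score_event(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for i, reasons in detect(SAMPLE_EVENTS):
        print(f"event {i}: " + "; ".join(reasons))
```

The last sample event (whoami.exe under cmd.exe) is deliberately not flagged: the rule scores only direct children of w3wp.exe, so a real deployment should walk the parent chain (Sysmon's ParentProcessGuid) or alert on the shell itself, as the second event does. Because each command in this campaign is a fresh payload, expect bursts of short-lived children rather than one long-running process.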