The Initial Access Broker (IAB) known as Gold Melody is running a campaign that exploits leaked ASP.NET machine keys to gain unauthorized access to organizations and then sells that access to other criminal actors. Palo Alto Networks Unit 42 tracks the group as TGR-CRI-0045, where the prefix denotes a "temporary group" with "criminal motivation." The same actor is tracked by other vendors as Prophet Spider and UNC961.
According to researchers Tom Marsden and Chema Garcia, Gold Melody appears to adopt an opportunistic strategy, making attacks particularly prevalent across industries such as financial services, manufacturing, retail, high technology, and transportation within the U.S. and Europe.
The abuse of ASP.NET machine keys is not a new issue. In February 2025 Microsoft reported that more than 3,000 such keys had been publicly disclosed, for example in code samples and documentation. Any application that copies one of these keys into its configuration is open to ViewState code injection, a deserialization flaw that lets an attacker execute arbitrary code on the web server.
Initial signs of these breaches were detected in December 2024, when an attacker used a static ASP.NET machine key to inject malicious code and deploy the Godzilla post-exploitation framework. Unit 42's analysis indicates that TGR-CRI-0045 follows the same approach: it uses the leaked validation key to sign a malicious serialized object so that the forged ViewState passes the server's MAC check and is deserialized, a technique known as an ASP.NET ViewState deserialization attack.
This technique allows hackers to execute harmful payloads directly in server memory, significantly reducing their footprint on disk and making detection increasingly difficult. The cybersecurity firm has noted that the earliest evidence of exploitation dates back to October 2024.
Unlike traditional web shells, which rely on file-based implants, this approach evades many legacy Endpoint Detection and Response (EDR) systems that key on files being written to the web root. Organizations relying solely on file integrity checks or antivirus signatures may completely overlook this type of intrusion. To counter it, experts recommend behavioral detections focused on abnormal IIS request patterns, unusual child processes spawned by the IIS worker process (w3wp.exe), and unexpected changes in .NET application behavior.
A surge in Gold Melody’s activities was observed from late January to March 2025, during which multiple post-exploitation tools were deployed, including bespoke programs for network scanning and local privilege escalation. Notably, command shell executions were traced back to Internet Information Services (IIS) web servers during two analyzed attacks.
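The "unusual child process" detection recommended above is easy to express over process-creation telemetry. The following is an added example written for this page, not code from Unit 42 or from the article's authors. It runs a parent/child rule over a handful of constructed Sysmon-style Event ID 1 records (the paths, timestamps and command lines are made up for the example) and flags anything the IIS worker process spawns outside a small allow-list of children that ASP.NET legitimately starts, such as the C# compiler used for page compilation. Shell interpreters are rated higher than other unexpected children.

```python
# Constructed Sysmon-like process-creation events (Event ID 1 fields only).
# These are NOT real telemetry; they exist so the rule below has input.
SAMPLE_EVENTS = [
    {"UtcTime": "2025-02-03 10:14:02",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": r'csc.exe /noconfig /fullpaths @"C:\Windows\Temp\page.cmdline"'},
    {"UtcTime": "2025-02-03 10:15:40",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c whoami"},
    {"UtcTime": "2025-02-03 10:15:41",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c ipconfig /all"},
    {"UtcTime": "2025-02-03 10:16:10",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\whoami.exe",
     "CommandLine": "whoami"},
    {"UtcTime": "2025-02-03 10:17:00",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd"},
]

# Children the IIS worker process legitimately spawns: the ASP.NET page
# compilers and their helpers. Anything else coming from w3wp.exe is odd;
# a shell interpreter is the classic in-memory web shell tell.
EXPECTED_W3WP_CHILDREN = {"csc.exe", "vbc.exe", "cvtres.exe", "conhost.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_iis_shell_spawns(events):
    """Flag processes spawned by w3wp.exe that are not expected children.

    Returns one alert dict per suspicious event, in input order.
    """
    alerts = []
    for ev in events:
        if basename(ev["ParentImage"]) != "w3wp.exe":
            continue  # only care about children of the IIS worker process
        child = basename(ev["Image"])
        if child in EXPECTED_W3WP_CHILDREN:
            continue  # page compilation and friends are normal
        alerts.append({
            "time": ev["UtcTime"],
            "child": child,
            "severity": "high" if child in SHELLS else "medium",
            "cmd": ev["CommandLine"],
        })
    return alerts


if __name__ == "__main__":
    for a in detect_iis_shell_spawns(SAMPLE_EVENTS):
        print(f'{a["time"]} [{a["severity"]}] w3wp.exe -> {a["child"]}: {a["cmd"]}')
```

Against the sample records the rule ignores the compiler launch and the two shells started by explorer.exe and cmd.exe, and raises two high-severity alerts for the `cmd /c` executions under w3wp.exe, which is exactly the pattern described in the two attacks above. In production the allow-list needs tuning per application (some sites legitimately shell out), and the rule should be paired with IIS request logs to tie each spawn back to the HTTP request that triggered it.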
Because the group's forged ViewState carries a valid MAC computed with the leaked key, it passes the integrity check meant to protect ViewState and is deserialized, triggering the execution of .NET assemblies directly from memory. Five different modules have been observed loaded into memory so far:
- Cmd /c: Executes commands in the system’s command shell.
- File upload: Uploads files to designated server paths.
- Winner: Likely a tool for verifying successful exploitation.
- File download: A suspected downloader for extracting sensitive server data.
- Reflective loader: Possibly a tool to load additional .NET assemblies without leaving detectable evidence.
Post-exploitation, from October 2024 to January 2025, the group’s activities centered around system exploitation and reconnaissance of the compromised environment and its network. Additional tools identified from the attacks include an ELF binary and a Golang port scanner for mapping internal networks and finding further exploitation opportunities.
Unit 42 notes that Gold Melody's exploitation of ViewState is comparatively unsophisticated: it uses a single, stateless assembly per command, so every command requires a fresh upload of the payload rather than a persistent in-memory implant.
By exploiting ASP.NET ViewState deserialization through publicly available machine keys, the attackers keep a minimal on-disk footprint while still obtaining durable access to the compromised servers. The group's opportunistic targeting reinforces the urgent need for organizations to identify any application using a static or publicly known machine key and to rotate it promptly.
The campaign also spotlights the broader risks of cryptographic key exposure, including keys copied from documentation or sample projects, weak key-generation practices, and insecure defaults in older ASP.NET applications. Organizations are encouraged to include these risks in their threat models and to treat machine keys with the same care as any other application secret.