Initial access broker exploits leaked machine keys to access targeted orgs

Researchers from Palo Alto Networks' Unit 42 have uncovered an ongoing campaign involving a threat actor tracked as TGR-CRI-0045, believed to be linked to the broader group Gold Melody (also known as UNC961 or Prophet Spider). The campaign exploits leaked Machine Keys used in ASP.NET applications, enabling attackers to breach organizations across Europe and the United States.

The term ‘initial access brokers (IABs)’ refers to threat actors that compromise organizations in order to sell that access to other cybercriminals. In the observed campaign, the attacker used stolen Machine Keys to sign malicious View State payloads, a method known as ASP.NET View State deserialization. Because the server accepts a payload whose signature validates under its own key, the technique allows code execution directly in server memory, minimizing the attackers' on-disk presence and leaving few forensic artifacts.

Unit 42 reports that TGR-CRI-0045 has focused on industries including financial services, high tech, manufacturing, transportation, and retail. The earliest signs of activity date back to October 2024, with a significant uptick observed between January and March 2025. During this period, the group deployed a combination of open-source scanning tools and custom utilities to maintain persistence and escalate privileges on compromised systems.

Attackers loaded .NET assemblies directly into memory using reflective loading and exploited deserialization vulnerabilities to inject their payloads via the View State mechanism. The campaign leveraged known tools like ysoserial.net to craft the payloads.

In several cases, post-exploitation actions included downloading an ELF binary named atm, suggesting potential preparation for cross-platform attacks, although no lateral movement was observed as of early June.

The updf binary, a custom tool used for privilege escalation, appears to be actively developed, the researchers said.

“The group's opportunistic targeting and ongoing tool development highlight the need for organizations to prioritize identifying and remediating compromised Machine Keys. The single-shot nature of the exploit and limitations of traditional telemetry show the need for conditional POST request logging and careful ASP.NET event log analysis. These measures aid detection and response when endpoint solutions lack visibility into such attacks,” the report advises.
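To act on the report's advice to identify compromised Machine Keys, the following added example (not code from Unit 42's report or from this article) audits an ASP.NET web.config for static keys, matches them against a fingerprint list of known-leaked keys, and flags legacy View State MAC settings. The sample web.config and the "leaked" key are constructed placeholders, not real disclosed values.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed placeholder standing in for a key known to have been publicly disclosed.
SAMPLE_LEAKED_KEY = "A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F90"

# Constructed web.config: static keys, a legacy MAC algorithm and View State MAC disabled.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="{key}" decryptionKey="0F1E2D3C4B5A69788796A5B4C3D2E1F0"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>""".format(key=SAMPLE_LEAKED_KEY)

def fingerprint(key_hex: str) -> str:
    """SHA-256 of the normalised key, so lists of compromised keys can be shared without the keys."""
    return hashlib.sha256(key_hex.strip().upper().encode()).hexdigest()

# In practice populate this from vendor advisories and from keys found in your own repos, docs and tickets.
LEAKED_KEY_FINGERPRINTS = {fingerprint(SAMPLE_LEAKED_KEY)}

LEGACY_VALIDATION = {"MD5", "SHA1", "3DES", "AES"}  # pre-HMACSHA256 View State MAC algorithms

def audit_machine_key(web_config_xml: str) -> list[str]:
    """Return findings that make forged, MAC-valid View State possible or easier."""
    root = ET.fromstring(web_config_xml)
    findings = []
    mk = root.find(".//machineKey")
    if mk is not None:
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "AutoGenerate")  # default is "AutoGenerate,IsolateApps"
            if value.startswith("AutoGenerate"):
                continue  # generated per application, never stored in config
            findings.append(f"{attr}: static key in config (rotate if it was ever committed or shared)")
            if fingerprint(value) in LEAKED_KEY_FINGERPRINTS:
                findings.append(f"{attr}: matches a known-leaked key fingerprint; rotate immediately")
        validation = mk.get("validation", "HMACSHA256").upper()
        if validation in LEGACY_VALIDATION:
            findings.append(f"validation={validation}: legacy MAC algorithm, prefer HMACSHA256 or stronger")
    pages = root.find(".//pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        # Ignored (MAC forced on) since ASP.NET 4.5.2, but still a red flag in older applications.
        findings.append("enableViewStateMac=false: View State accepted without any signature")
    return findings

if __name__ == "__main__":
    for finding in audit_machine_key(SAMPLE_WEB_CONFIG):
        print(finding)
```

Run it against every web.config (and any applicationHost.config or source-control history) where a static machineKey might live; a fingerprint match means the key must be rotated, not merely logged.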
