Full Report
The Initial Access Broker (IAB) known as Gold Melody has been attributed to a campaign that exploits leaked ASP.NET machine keys to obtain unauthorized access to organizations and peddle that access to other threat actors. The activity is being tracked by Palo Alto Networks Unit 42 under the moniker TGR-CRI-0045, where "TGR" stands for "temporary group" and "CRI" refers to criminal motivation.
Analysis Summary
# Threat Actor: Gold Melody (TGR-CRI-0045)
## Attribution & Identity
**Primary Aliases:** Gold Melody (Initial Access Broker - IAB), TGR-CRI-0045 (Unit 42 tracking name, reflecting criminal motivation).
**Other Known Aliases/Associations:** Prophet Spider, UNC961. Associated with tools also used by the IAB ToyMaker.
**Motivation:** Financial/Criminal, acting as an Initial Access Broker (IAB) selling unauthorized access to other threat actors.
## Activity Summary
Gold Melody is engaged in a campaign exploiting publicly leaked ASP.NET machine keys, i.e. `validationKey`/`decryptionKey` values that were published (in documentation, sample code or similar) and then reused in production `web.config` files. Unit 42 first detected the activity in October 2024, with a spike between late January and March 2025. Because the validation key is known, the attacker can compute a valid ViewState MAC over an attacker-supplied serialized .NET object graph; the server accepts the ViewState, deserializes it, and executes arbitrary code. The group then sells the resulting access to other actors. Initial exploitation injects a (typically memory-resident) payload that delivers post-exploitation tools, followed by reconnaissance.
## Tactics, Techniques & Procedures
- **Initial Access:** Exploiting leaked ASP.NET machine keys to facilitate ViewState deserialization attacks.
- **Execution:** Signing ViewState payloads with the leaked validation key so that their deserialization loads .NET assemblies directly into the IIS worker process's memory.
- **Defense Evasion:** Memory-resident payloads leave little on disk, defeating EDR and AV detections that depend on file-system artifacts; process lineage (the IIS worker process spawning command shells) remains the main visible trace.
- **Persistence/Command and Control:** Command execution originates from the IIS worker process (`w3wp.exe`) that handled the crafted request, so shells appear as children of the web server process rather than of a user session.
- **Execution Modules observed:** a command-execution module (runs commands via `cmd /c`), file upload, file download, and a reflective loader that dynamically loads additional .NET assemblies in memory.
- **Privilege Escalation:** Use of bespoke C# programs like `updf` for local privilege escalation.
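The following is an added worked example, not code from Unit 42 or from the threat actor, that models the cryptographic point behind the Initial Access and Execution entries above: a ViewState MAC is only as good as the secrecy of the validation key. It is a deliberately simplified model of ASP.NET's ViewState protection (HMAC over the serialized state plus a per-page modifier; the real 4.5+ pipeline first derives a purpose-specific key from `validationKey`, which is omitted here). The key, the page modifier and the "gadget chain" bytes are all constructed for the example; the payload is inert bytes, not a real deserialization gadget.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed 64-byte validation key standing in for one copied from a public
# sample web.config. It is not a real leaked key.
LEAKED_VALIDATION_KEY = hashlib.sha512(b"constructed sample key from a forum post").digest()

# Stand-in for a ysoserial.net gadget chain. A real one is a serialized .NET
# object graph that runs attacker code when deserialized; here it is inert bytes.
ATTACKER_PAYLOAD = b"<constructed stand-in for a serialized gadget chain>"

# ASP.NET mixes a per-page modifier (derived from the page path and application
# path, plus ViewStateUserKey if set) into the MAC; ysoserial.net's ViewState
# plugin takes --path/--apppath for exactly this reason. Constructed value.
PAGE_MODIFIER = b"/Default.aspx"

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def sign_viewstate(state: bytes, validation_key: bytes, modifier: bytes) -> str:
    """Simplified ViewState MAC: base64(state || HMAC-SHA256(key, state || modifier)).

    Real ASP.NET 4.5+ first derives a purpose-specific key from validationKey
    (SP800-108) and then applies the HMAC; that derivation step is omitted here.
    """
    mac = hmac.new(validation_key, state + modifier, hashlib.sha256).digest()
    return base64.b64encode(state + mac).decode("ascii")


def verify_viewstate(blob: str, validation_key: bytes, modifier: bytes) -> Optional[bytes]:
    """Server side: return the state only if the MAC is valid, else None.

    ASP.NET raises 'Validation of viewstate MAC failed' in the None case and never
    reaches the deserializer; on success it hands the state to ObjectStateFormatter,
    which is where a gadget chain would fire.
    """
    raw = base64.b64decode(blob)
    if len(raw) < MAC_LEN:
        return None
    state, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, state + modifier, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return state


def forgery_demo() -> dict:
    """Walk through the attack and the key-rotation mitigation; returns the outcomes."""
    server_key = LEAKED_VALIDATION_KEY  # the app shipped with the public key
    forged = sign_viewstate(ATTACKER_PAYLOAD, LEAKED_VALIDATION_KEY, PAGE_MODIFIER)

    # 1. Attacker knows the key: the forged ViewState passes the MAC check.
    accepted_with_leaked_key = verify_viewstate(forged, server_key, PAGE_MODIFIER) == ATTACKER_PAYLOAD

    # 2. Attacker does not know the key: a guessed key is rejected before deserialization.
    guessed = sign_viewstate(ATTACKER_PAYLOAD, secrets.token_bytes(64), PAGE_MODIFIER)
    accepted_without_key = verify_viewstate(guessed, server_key, PAGE_MODIFIER) is not None

    # 3. Right key, wrong page modifier: rejected. This is why the payload must be
    #    generated for the exact page path it is sent to.
    accepted_for_other_page = verify_viewstate(forged, server_key, b"/Other.aspx") is not None

    # 4. Mitigation: rotate to a freshly generated key; the old forgery now fails.
    server_key = secrets.token_bytes(64)
    accepted_after_rotation = verify_viewstate(forged, server_key, PAGE_MODIFIER) is not None

    return {
        "accepted_with_leaked_key": accepted_with_leaked_key,
        "accepted_without_key": accepted_without_key,
        "accepted_for_other_page": accepted_for_other_page,
        "accepted_after_rotation": accepted_after_rotation,
    }


if __name__ == "__main__":
    print(forgery_demo())
```

The takeaway for defenders is step 4: the MAC check itself is sound, and the only thing that turns ViewState into a remote code execution primitive is a key the attacker already holds, so rotation (to a key that has never been published) closes the door for new requests. It does not unload code already running inside `w3wp.exe`.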
## Targeting
- **Sectors:** Financial services, manufacturing, wholesale and retail, high technology, and transportation and logistics.
- **Geography:** Europe and the U.S.
- **Victims:** Opportunistic targeting, no specific named organizations mentioned, focusing on organizations with vulnerable IIS configurations.
## Tools & Infrastructure
- **Malware Families/Tools Used:** Godzilla post-exploitation framework (previously delivered via the same leaked-key technique by an unidentified adversary), open-source port scanners, `updf` (bespoke C# privilege escalation tool), TXPortMap (Golang port scanner), and an ELF binary named `atm`.
- **Infrastructure:** External server at `195.123.240[.]233:443` (used to serve the `atm` ELF binary).
- **Development Tools:** Likely use of `ysoserial.net` and its ViewState plugin to generate payloads.
## Implications
The reliance on memory-resident payloads against ASP.NET applications configured with publicly known machine keys lets the threat actor operate with minimal forensic evidence on disk, which undermines traditional file-based detection. The root cause is a cryptographic integrity failure, not a software vulnerability: ViewState MAC validation works as designed, but a key that is public provides no integrity at all, so patching alone does not help and the key itself must be replaced.
## Mitigations
- Prioritize identifying and remediating compromised/exposed ASP.NET machine keys: replace any explicit `<machineKey>` taken from public sources with a freshly generated one, and treat hosts that ran with a leaked key as potentially already compromised, since rotating the key does not evict code already loaded into `w3wp.exe`.
- Implement behavioral detections focusing on anomalous IIS request patterns.
- Monitor for child processes spawned unexpectedly by `w3wp.exe`, in particular `cmd.exe` and `powershell.exe` (the `cmd /c` execution module above), while baselining the compiler processes ASP.NET launches legitimately.
- Monitor for sudden changes in .NET application behavior indicative of in-memory assembly execution.
- Expand internal threat models to cover cryptographic integrity risks, ViewState MAC tampering, and IIS middleware abuse.
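The following is an added example, not tooling from Unit 42 or from any vendor, that turns two of the mitigations above into runnable checks: an audit of `web.config` for an explicit `validationKey` whose hash appears on a denylist of known-leaked keys, and a process-lineage rule that flags command shells spawned by `w3wp.exe`. The configuration, the key values, the denylist and the Sysmon-style process-creation records are all constructed for this example; in practice the denylist would be populated from a published list of leaked key hashes and the events would come from your EDR or Sysmon telemetry.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed keys: invented for this example, not real leaked keys.
SAMPLE_LEAKED_KEY = "C0FFEE" * 16          # 96 hex chars, as a validationKey would be
SAMPLE_DECRYPTION_KEY = "DEADBEEF" * 6     # 48 hex chars

# Constructed web.config fragment that pins the sample key explicitly.
WEB_CONFIG = f"""<configuration>
  <system.web>
    <machineKey validationKey="{SAMPLE_LEAKED_KEY}"
                decryptionKey="{SAMPLE_DECRYPTION_KEY}"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""

# Denylist of SHA-256(validationKey). Hashes rather than raw keys, so the audit
# tool never carries the secrets around. Constructed: it holds the hash of the
# sample key above so the check fires in this example.
KNOWN_LEAKED_KEY_HASHES = {hashlib.sha256(SAMPLE_LEAKED_KEY.upper().encode()).hexdigest()}


def audit_machine_key(config_xml: str) -> dict:
    """Report whether web.config pins an explicit validationKey and whether it is denylisted."""
    root = ET.fromstring(config_xml)
    mk = root.find("./system.web/machineKey")
    if mk is None:
        # No element: ASP.NET auto-generates per-machine keys, nothing to leak via config.
        return {"explicit_key": False, "leaked": False, "validation": None}
    vk = mk.get("validationKey", "AutoGenerate")
    explicit = not vk.startswith("AutoGenerate")
    leaked = explicit and hashlib.sha256(vk.upper().encode()).hexdigest() in KNOWN_LEAKED_KEY_HASHES
    return {"explicit_key": explicit, "leaked": leaked, "validation": mk.get("validation")}


# Constructed Sysmon Event ID 1 (process creation) records, trimmed to the
# fields the rule needs; not taken from any real incident.
EVENTS = [
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c whoami", "User": r"IIS APPPOOL\DefaultAppPool"},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": "csc.exe /noconfig /fullpaths @App_Web_abc.cmdline",
     "User": r"IIS APPPOOL\DefaultAppPool"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c dir", "User": r"CORP\alice"},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -enc SQBFAFgA",
     "User": r"IIS APPPOOL\DefaultAppPool"},
]

# Children w3wp.exe should essentially never spawn. csc.exe and cvtres.exe are
# deliberately absent: ASP.NET dynamic compilation launches them legitimately,
# so baseline those per application instead of alerting on them blindly.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe",
                       "bitsadmin.exe", "rundll32.exe", "mshta.exe", "wscript.exe"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def flag_w3wp_children(events: list) -> list:
    """Return process-creation events where w3wp.exe spawned a suspicious child."""
    return [ev for ev in events
            if _basename(ev["ParentImage"]) == "w3wp.exe"
            and _basename(ev["Image"]) in SUSPICIOUS_CHILDREN]


if __name__ == "__main__":
    print(audit_machine_key(WEB_CONFIG))
    for hit in flag_w3wp_children(EVENTS):
        print("ALERT: w3wp.exe spawned", _basename(hit["Image"]), "as", hit["User"], "->", hit["CommandLine"])
```

Two caveats a practitioner should keep in mind: an explicit `<machineKey>` is not a finding by itself (web farms need a shared key), only one that is publicly known is; and the process rule catches the `cmd /c` module but not code that stays entirely inside `w3wp.exe` via the reflective loader, which is why the in-memory assembly monitoring above is listed as a separate control.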