Full Report
An IAB campaign exploited leaked ASP.NET Machine Keys. We dissect the attacker's infrastructure and campaign, and offer takeaways for blue teams. The post GoldMelody’s Hidden Chords: Initial Access Broker In-Memory IIS Modules Revealed appeared first on Unit 42.
Analysis Summary
# Threat Actor: TGR-CRI-0045
## Attribution & Identity
**Threat Actor:** Initial Access Broker (IAB) tracked provisionally as TGR-CRI-0045.
**Attribution:** Assessed with medium confidence to be Gold Melody (also known as UNC961 or Prophet Spider), based on overlapping Indicators of Compromise (IoCs), TTPs, and victimology.
**Aliases and Associated Groups:** Gold Melody, UNC961, Prophet Spider.
## Activity Summary
TGR-CRI-0045 operates as an Initial Access Broker (IAB), breaching organizations and then selling that access to secondary threat actors.
The activity observed began in October 2024, leading to a significant surge in exploitation between late January and March 2025. The primary method involves exploiting leaked ASP.NET Machine Keys (cryptographic keys) to gain unauthorized server access. The group deployed post-exploitation tools, including open-source port scanners and custom utilities for persistence and privilege escalation. Approximately a dozen organizations were identified as impacted victims.
## Tactics, Techniques & Procedures
- Exploitation of leaked ASP.NET Machine Keys.
- Utilizing **ASP.NET View State deserialization** to execute malicious payloads directly in server memory, minimizing on-disk presence and forensic artifacts.
- Deployment of post-exploitation tooling.
- Implementing persistence mechanisms.
- Executing privilege escalation.
- Use of open-source port scanners.
- **MITRE ATT&CK IDs (Inferred):** Execution (implied by payload delivery/deserialization), Persistence, Privilege Escalation.
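The technique above depends on the server's `machineKey` being known to the attacker, so the first defender-side check is whether a site's keys are static and whether they match a publicly disclosed key. The following is an added example, not code from the Unit 42 report: it parses a constructed `web.config`, flags hard-coded validation/decryption keys against a placeholder hash set (standing in for a real list of disclosed keys, which this example does not contain), and flags `enableViewStateMac="false"`.

```python
"""Audit an ASP.NET web.config for machineKey exposure (added example)."""
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample config with static keys; values are placeholders.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="{vk}" decryptionKey="{dk}"
                validation="HMACSHA256" decryption="AES"/>
  </system.web>
</configuration>
""".format(vk="AB" * 64, dk="CD" * 32)

# Placeholder set of SHA-256 hashes of publicly disclosed keys. A real
# audit would load Microsoft's published list; this set is constructed so
# that the sample validationKey above is treated as "disclosed".
LEAKED_KEY_HASHES = {hashlib.sha256(("AB" * 64).encode()).hexdigest()}


def audit_machine_key(config_xml: str) -> list[str]:
    """Return human-readable findings for the machineKey settings."""
    findings = []
    root = ET.fromstring(config_xml)
    mk = root.find("./system.web/machineKey")
    if mk is not None:
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "AutoGenerate")
            if value.startswith("AutoGenerate"):
                continue  # per-machine key, nothing static to leak
            digest = hashlib.sha256(value.encode()).hexdigest()
            if digest in LEAKED_KEY_HASHES:
                findings.append(f"{attr} matches a publicly disclosed key; rotate immediately")
            else:
                findings.append(f"{attr} is static; confirm it is unique and unpublished")
    pages = root.find("./system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac is false; View State integrity check is disabled")
    return findings


if __name__ == "__main__":
    for line in audit_machine_key(SAMPLE_WEB_CONFIG):
        print(line)
```

Run the audit against each IIS site's `web.config` (and `machine.config`), since a key that appears in any public sample lets anyone produce a validly signed View State for that site.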
## Targeting
**Sectors:** Financial services, manufacturing, wholesale and retail, high technology, and transportation and logistics.
**Geography:** Europe and the U.S.
**Victims:** Around a dozen organizations impacted; root cause identified as exposed Machine Keys in most cases.
## Tools & Infrastructure
**Malware Families Used:** Custom-built utilities for persistence and privilege escalation; open-source port scanners.
**Infrastructure:** The report analyzes the infrastructure used for reconnaissance and for maintaining access (C2, domains, IPs), but the summary excerpts available here do not list specific indicators beyond general mentions of the tooling analysis.
## Implications
The actor functions as a critical enabler for other threat groups by selling initial access. The use of ASP.NET View State deserialization techniques significantly challenges traditional detection methods by keeping malicious payloads primarily in memory. The tooling appears to be under active development.
## Mitigations
- Review and implement Microsoft’s guidance on identifying and remediating compromised Machine Keys for ASP.NET Internet Information Services (IIS) sites immediately.
- Employ security solutions capable of detecting in-memory execution and View State deserialization attacks (e.g., ML-based sandboxing, advanced endpoint protection).