Full Report
Unit 42 researchers uncovered a campaign by a threat actor they call TGR-CRI-0045—assessed with medium confidence to be part of the Gold Melody (UNC961/Prophet Spider) group—targeting ASP.NET IIS servers using compromised Machine Keys. This group, acting as an Initial Access B...
Analysis Summary
# Threat Actor: TGR-CRI-0045
## Attribution & Identity
* **Identified By:** Unit 42 researchers.
* **Attribution:** Assessed with medium confidence to be part of the **Gold Melody (UNC961/Prophet Spider)** group.
* **Function:** Operating as an Initial Access Broker (IAB).
## Activity Summary
Unit 42 uncovered a campaign beginning in late 2024 with a surge in early 2025. The actor targeted ASP.NET IIS servers using compromised Machine Keys to achieve in-memory execution of payloads, avoiding disk-based traces. The goal appears to be gaining initial access for subsequent sale or compromise activities typical of an IAB.
## Tactics, Techniques & Procedures
* **Initial Access:** Exploiting ASP.NET View State deserialization vulnerabilities.
* **Credential/Key Compromise:** Utilizing stolen or leaked Machine Keys to craft malicious View State payloads.
* **Execution:** Executing in-memory payloads via IIS’s `w3wp.exe` process.
* **Persistence (Evasion):** Discreetly re-uploading and re-executing payloads for each command, avoiding traditional persistent web shells.
* **Privilege Escalation:** Employing the **GodPotato** exploit.
* **Defense Evasion:** Using disguised binaries (e.g., `updf.exe`) to create admin users.
* **Reconnaissance:** Conducting detailed host and network reconnaissance.
* **MITRE ATT&CK Techniques (Implied/Observed):** Token forgery; web shell deployment (in memory rather than on disk).
## Targeting
* **Sectors:** Critical sectors (specific industries not detailed; high-value targets implied).
* **Geography:** Organizations in the U.S. and Europe.
* **Victims:** At least a dozen organizations affected.
* **Targeted Technologies:** Microsoft IIS, specifically ASP.NET components.
## Tools & Infrastructure
* **Malware Families/Payloads:** Custom modules for command execution, file upload, and privilege escalation.
* **Tools Used:**
  * `ysoserial.net` (for generating malicious View State payloads).
  * `TxPortMap` (utility used during reconnaissance).
  * `updf.exe` (disguised binary used to create admin users).
* **Infrastructure:** Not explicitly detailed beyond the use of compromised secrets (Machine Keys).
## Implications
The threat actor leverages sophisticated, low-footprint techniques (in-memory execution via deserialization) to gain initial access to high-value IIS servers. Their role as an IAB means a successful compromise can quickly lead to secondary threat actors gaining a foothold. The use of compromised Machine Keys suggests a supply-chain compromise or extensive prior access to organization secrets.
## Mitigations
* Immediately rotate or reissue Machine/Validation Keys across all ASP.NET applications, especially if they may have been compromised or leaked.
* Implement strong input validation and serialization safety measures for ASP.NET View State to prevent deserialization attacks.
* Monitor the `w3wp.exe` process for unexpected memory allocations or execution flows associated with View State processing.
* Monitor for the appearance of tools like `TxPortMap` or suspicious user creation activity (`updf.exe`).
* Implement effective endpoint detection and response (EDR) capable of detecting in-memory code execution.
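The key-rotation mitigation above, as an added example that is not part of the Unit 42 report: a small audit of an ASP.NET `web.config` that flags a static `machineKey` (reusable by anyone who obtains it), a weak validation algorithm, and disabled View State MAC checking, and then generates a replacement `<machineKey>` element with freshly generated random keys. The sample `web.config` is constructed for the example; the `machineKey` and `pages` attribute names are the real ASP.NET configuration attributes.

```python
"""Audit an ASP.NET web.config for risky machineKey / View State settings and
emit a rotated <machineKey> element (added example, not Unit 42 tooling)."""
import secrets
import xml.etree.ElementTree as ET

# Constructed sample web.config: a hard-coded key pair (reusable by whoever
# obtains it) plus View State MAC validation switched off.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>"""


def audit_machine_key(config_xml: str) -> list:
    """Return a list of findings; an empty list means nothing was flagged."""
    root = ET.fromstring(config_xml)
    findings = []
    mk = root.find("./system.web/machineKey")
    if mk is not None:
        # A static key is an inventory item: it must be rotated if it may have
        # leaked. The default value "AutoGenerate,IsolateApps" is not static.
        if not mk.get("validationKey", "AutoGenerate").startswith("AutoGenerate"):
            findings.append("static validationKey present: rotate if it may have leaked")
        if mk.get("validation", "").upper() in ("MD5", "SHA1"):
            findings.append(f"weak validation algorithm {mk.get('validation')}: use HMACSHA256")
    pages = root.find("./system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false: View State is not integrity-checked")
    return findings


def new_machine_key_element() -> str:
    """Build a replacement <machineKey>: a 64-byte HMACSHA256 validation key and
    a 32-byte AES decryption key, both from the OS CSPRNG, hex-encoded."""
    validation_key = secrets.token_hex(64).upper()
    decryption_key = secrets.token_hex(32).upper()
    return (f'<machineKey validationKey="{validation_key}" '
            f'decryptionKey="{decryption_key}" '
            'validation="HMACSHA256" decryption="AES" />')


if __name__ == "__main__":
    for finding in audit_machine_key(SAMPLE_WEB_CONFIG):
        print("FINDING:", finding)
    print("Replacement element:", new_machine_key_element())
```

Rotating the validation key invalidates every outstanding View State blob and forms-authentication ticket signed with the old key, so the new element must be deployed to every server in a web farm at the same time.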