Unit 42, Palo Alto Networks' threat intelligence team, has uncovered a stealthy campaign that uses leaked ASP.NET machine keys to execute in-memory payloads on IIS web servers, compromising organizations across the U.S. and Europe. Tracked under Unit 42's temporary-group designation TGR-CRI-0045, the operation illustrates the persistent, evasive tactics Initial Access Brokers (IABs) use to breach corporate environments and then sell the access on.
“The IAB used these leaked keys to sign malicious payloads that provide unauthorized access to targeted servers, in a technique called ASP.NET View State deserialization,” the researchers noted.
The targeting appears opportunistic, with victims in financial services, high-tech, logistics, manufacturing, and wholesale. Based on overlapping indicators of compromise (IoCs), tooling, and victim profiles, Unit 42 attributes the activity with medium confidence to Gold Melody (also tracked as UNC961 and Prophet Spider).
At the heart of the campaign lies a subtle but powerful vector: ViewState deserialization, enabled by leaked or exposed machine keys. ASP.NET uses the machineKey (its validationKey, plus the decryptionKey where encryption is enabled) to sign and optionally encrypt the __VIEWSTATE form field; on every postback the server checks that MAC and then deserializes the blob. An attacker who holds the keys can therefore sign an arbitrary serialized object graph, submit it in an HTTP POST to any page of the application, and have the server deserialize it. With a suitable gadget chain, that deserialization loads and runs a .NET assembly directly inside the IIS worker process, so nothing is written to disk and filesystem-based detection never fires.

“This technique enabled the IAB to execute malicious payloads directly in server memory, minimizing their on-disk presence and leaving few forensic artifacts,” Unit 42 explained.
The payloads were generated with ysoserial.net, using gadgets such as XamlAssemblyLoadFromFile to carry an encoded assembly inside the __VIEWSTATE parameter. In most cases no web shell was dropped: each action, whether reconnaissance, file upload, or privilege escalation, was carried out as a single-shot deserialization exploit, so every command required a freshly generated and signed payload.
Unit 42 identified several malicious assemblies in use:
- Cmd modules to execute arbitrary commands
- File Uploaders to implant tools
- Exploit Checkers that returned simple “win” indicators
- Downloaders and Reflective Loaders for lateral expansion
Tools that did have to touch disk were staged in a temporary directory (C:\Windows\Temp\111t) and deleted after use, further complicating detection.
The attackers also used a custom C# binary, updf.exe, named to pass as a PDF utility, that bundles the GodPotato exploit to escalate from the IIS application-pool identity to SYSTEM. GodPotato abuses the SeImpersonatePrivilege that IIS worker-process accounts normally hold, which is what makes it a natural follow-on to code execution inside w3wp.exe. With SYSTEM rights the binary could create administrator accounts and modify ASP.NET web.config files, potentially to bypass authentication.
“The updf binary appears to be under active development… using the GodPotato exploit to impersonate a privileged service and obtain SYSTEM-level access,” the report notes.
To evade detection, executables were first uploaded under short or extension-less names and later renamed through the command-execution module.
TGR-CRI-0045 also used TxPortMap, a Golang-based port scanner and banner grabber, and downloaded Linux ELF binaries (one named atm) to explore lateral movement options. Basic reconnaissance commands such as ipconfig /all, net user, and systeminfo were issued repeatedly via deserialized payloads.
What makes the campaign particularly dangerous is its low forensic footprint. IIS access logs record the request line but not the POST body, so the deserialization payload itself never appears in web logs, and when the signature is valid ASP.NET raises no error at all; Windows records only failed validation attempts (ASP.NET Event ID 1316, "Viewstate verification failed"), which a correctly signed payload never triggers. Unit 42 urges defenders to:
- Rotate the machineKey (validationKey and decryptionKey) for every exposed ASP.NET application, and treat any key that has ever been published as compromised.
- Log and alert on unusually large POST requests to .aspx pages, since the request body is where the payload travels.
- Monitor IIS worker processes (w3wp.exe) for anomalous behaviour, such as spawning cmd.exe or other child processes.
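The second recommendation can be checked against ordinary IIS W3C logs. The script below is an added example written for this page, not Unit 42's tooling, and it makes two assumptions: that the optional cs-bytes field is enabled in IIS logging (without it only the burst heuristic works), and a 50 KB threshold, which is a starting point to tune per application, since a legitimate __VIEWSTATE is usually a few kilobytes while a gadget chain carrying an embedded assembly runs to tens or hundreds of kilobytes. The log lines are constructed. It flags two things the campaign's single-shot pattern produces: oversized POSTs to .aspx pages, and bursts of POSTs from one client to one page, which is what "a new payload for every command" looks like from the server's side. It does not cover Event ID 1316, because a payload signed with the real key never produces that event.

```python
"""Added detection sketch (not Unit 42's tooling): scan IIS W3C access logs for
the traffic pattern the campaign leaves, large POSTs to .aspx pages and bursts
of single-shot POSTs from one client. Requires the optional cs-bytes field to be
enabled in IIS logging; without it only the burst heuristic works."""
from collections import defaultdict
from datetime import datetime

# Assumptions to tune per application: a legitimate __VIEWSTATE is usually a few KB,
# a gadget chain carrying an embedded assembly is tens to hundreds of KB.
LARGE_POST_BYTES = 50_000
BURST_WINDOW_SECONDS = 300
BURST_COUNT = 5

# Constructed sample log: one normal visitor, then a client issuing oversized
# POSTs to the same page every 20-40 seconds (one payload per command).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status cs-bytes sc-bytes time-taken
2025-06-01 10:00:01 10.0.0.5 GET /Default.aspx - 443 - 198.51.100.7 Mozilla/5.0 200 0 0 612 8420 15
2025-06-01 10:00:03 10.0.0.5 POST /Default.aspx - 443 - 198.51.100.7 Mozilla/5.0 200 0 0 2104 8420 22
2025-06-01 10:05:10 10.0.0.5 POST /Default.aspx - 443 - 203.0.113.44 python-requests/2.31 200 0 0 184332 512 940
2025-06-01 10:05:31 10.0.0.5 POST /Default.aspx - 443 - 203.0.113.44 python-requests/2.31 200 0 0 96120 512 611
2025-06-01 10:06:02 10.0.0.5 POST /Default.aspx - 443 - 203.0.113.44 python-requests/2.31 200 0 0 88471 512 588
2025-06-01 10:06:40 10.0.0.5 POST /Default.aspx - 443 - 203.0.113.44 python-requests/2.31 200 0 0 91002 512 602
2025-06-01 10:07:15 10.0.0.5 POST /Default.aspx - 443 - 203.0.113.44 python-requests/2.31 200 0 0 87560 512 599
"""


def parse_iis_w3c(text: str):
    """Yield one dict per request, keyed by the names in the #Fields: directive.
    Lines whose field count does not match the header (truncated writes) are skipped."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) == len(fields):
            yield dict(zip(fields, values))


def _to_int(value) -> int:
    """IIS writes '-' for fields it did not record; treat those as 0 bytes."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return 0


def find_suspicious_posts(entries) -> list:
    """Return large_post findings per oversized request and one post_burst
    finding per (client, page) pair that exceeds BURST_COUNT within the window."""
    findings = []
    posts_by_client_page = defaultdict(list)
    for e in entries:
        if e.get("cs-method") != "POST" or not e.get("cs-uri-stem", "").lower().endswith(".aspx"):
            continue
        ts = datetime.strptime(f"{e['date']} {e['time']}", "%Y-%m-%d %H:%M:%S")
        client, page = e.get("c-ip", "-"), e["cs-uri-stem"]
        posts_by_client_page[(client, page)].append(ts)
        size = _to_int(e.get("cs-bytes"))
        if size >= LARGE_POST_BYTES:
            findings.append({"type": "large_post", "client": client, "uri": page,
                             "bytes": size, "time": ts.isoformat()})
    for (client, page), times in posts_by_client_page.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and (times[j + 1] - times[i]).total_seconds() <= BURST_WINDOW_SECONDS:
                j += 1
            if j - i + 1 >= BURST_COUNT:
                findings.append({"type": "post_burst", "client": client, "uri": page,
                                 "count": j - i + 1, "first": times[i].isoformat()})
                break
    return findings


def analyze(log_text: str) -> list:
    return find_suspicious_posts(parse_iis_w3c(log_text))


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

On the sample, the normal visitor's 2 KB postback is ignored while the second client produces five large_post findings and one post_burst finding. In production, feed it the day's u_ex*.log files and pair a hit with a look at what w3wp.exe did in the seconds after each flagged request, since the request body itself is gone.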
“Even if TGR-CRI-0045 does not deploy a persistent web shell… each exploit attempt provides attackers with the opportunity to execute a payload that is possibly invisible to existing security tooling,” the researchers warned.