Hackers Exploit IIS Machine Keys to Breach Organizations

A sophisticated campaign by an initial access broker (IAB) group is exploiting leaked Machine Keys from ASP.NET websites to gain unauthorized access to targeted organizations.

The threat group, tracked as TGR-CRI-0045, has been active since October 2024 with a significant surge in attacks between January and March 2025, targeting organizations across Europe and the United States in sectors including financial services, manufacturing, retail, and transportation.

TGR-CRI-0045 employs a sophisticated technique called ASP.NET View State deserialization to execute malicious payloads directly in server memory, significantly reducing their forensic footprint.

The attackers leverage publicly available lists of compromised Machine Keys—cryptographic keys used to protect ASP.NET View States—to craft malicious deserialization payloads that bypass built-in security protections.

The group utilizes tools like ysoserial.net to generate these payloads, which are delivered through the __VIEWSTATE parameter in HTTP requests.

Once processed, the malicious code executes within the context of the IIS worker process, allowing attackers to run commands, upload files, and maintain access without leaving traditional indicators on disk.

This “single-shot” exploit approach requires a separate attempt for each command execution, creating a 1:1 ratio between exploit attempts and command executions.

Assessed flow of the operator’s actions to build a payload, and how a response is sent back to them.

Unit 42 researchers identified five distinct .NET assemblies used in these attacks, including command execution modules, file upload capabilities, and exploitation verification tools.

The threat actor consistently uses C:\Windows\Temp\111t as a staging directory and employs custom tools like “updf”—a disguised privilege escalation binary utilizing the GodPotato exploit—to achieve SYSTEM-level access on compromised hosts.

Attribution Points

Researchers assess with medium confidence that TGR-CRI-0045 is linked to Gold Melody (also known as UNC961 or Prophet Spider), based on overlapping indicators of compromise, tactics, techniques, victimology patterns, and the shared Exploit Checker tool.

Source of the exploit checker assembly.

The group demonstrates an opportunistic targeting approach consistent with their attack methodology, focusing primarily on U.S.-based organizations across diverse industries.

The threat actor’s post-exploitation activities include extensive reconnaissance using both built-in Windows commands and custom tools like TxPortMap, a Golang-based port scanner.

However, researchers noted no evidence of lateral movement as of early June 2025, suggesting the group’s primary focus remains on establishing and maintaining initial access for potential sale to other threat actors.

Critical Infrastructure Vulnerabilities

The campaign highlights significant blind spots in traditional security monitoring, as View State deserialization attacks can be virtually invisible without proper telemetry.

The technique’s reliance on POST requests, which are often not logged by standard security infrastructure, creates additional detection challenges for organizations.

Microsoft and security experts strongly recommend that organizations immediately review their ASP.NET implementations for compromised Machine Keys and ensure View State message authentication code (MAC) signing is enabled.

Organizations should implement conditional POST request logging, monitor Windows Event ID 1316 for View State deserialization failures, and consider deploying endpoint detection solutions capable of detecting reflective .NET assembly loading.
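As an added illustration of the configuration review recommended above (this is not code from the article or from Unit 42), the script below parses an ASP.NET web.config and flags the conditions that make View State deserialization exploitable: a hard-coded validationKey, a key whose hash appears in a list of known-leaked keys, a weak validation algorithm, and View State MAC disabled. Both sample configs and the hash list are constructed placeholders; a real audit would load the vendor-published hash list and also cover machine.config.

```python
"""Audit an ASP.NET web.config for the View State weaknesses this campaign relies on."""
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample: a hard-coded machineKey and View State MAC switched off.
VULNERABLE_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF" decryptionKey="FEDCBA9876543210" validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>"""

# Constructed sample: per-application auto-generated keys, MAC left at its secure default.
HARDENED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

# Hypothetical placeholder: SHA-256 hashes of validationKeys known to be public.
# The value below is made up so the sample config matches; replace with a published list.
LEAKED_VALIDATION_KEY_HASHES = {
    hashlib.sha256(b"0123456789ABCDEF0123456789ABCDEF").hexdigest(),
}

def audit_web_config(xml_text, leaked_hashes=LEAKED_VALIDATION_KEY_HASHES):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    root = ET.fromstring(xml_text)
    # iter() also catches machineKey elements nested under <location> blocks.
    for mk in root.iter("machineKey"):
        vkey = mk.get("validationKey", "AutoGenerate").strip()
        if not vkey.upper().startswith("AUTOGENERATE"):
            findings.append("static validationKey present")
            # Keys are hex strings; normalise case before hashing for the lookup.
            if hashlib.sha256(vkey.upper().encode()).hexdigest() in leaked_hashes:
                findings.append("validationKey matches a known-leaked key")
        if mk.get("validation", "").upper() in ("MD5", "SHA1"):
            findings.append("weak validation algorithm: " + mk.get("validation"))
    for pages in root.iter("pages"):
        if pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append("enableViewStateMac is disabled")
    return findings

if __name__ == "__main__":
    print(audit_web_config(VULNERABLE_CONFIG))
    print(audit_web_config(HARDENED_CONFIG))
```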

The discovery underscores the evolving sophistication of initial access brokers and the critical need for organizations to address fundamental cryptographic vulnerabilities in their web infrastructure before they become entry points for more damaging attacks.
