Gold Melody IAB Exploits Exposed ASP.NET Machine Keys for Unauthorized Access to Targets
Briefly

The initial access broker (IAB) Gold Melody exploits leaked ASP.NET machine keys to gain unauthorized access to various organizations. This activity, tracked by Palo Alto Networks' Unit 42 as TGR-CRI-0045, affects sectors including financial services, manufacturing, and logistics. Microsoft documented the abuse of these keys in February 2025, with evidence of previous exploitation dating back to December 2024. Gold Melody uses the leaked keys to conduct ViewState deserialization attacks, which execute malicious payloads while leaving few forensic artifacts and are therefore unlikely to be detected.
"This technique enabled the IAB to execute malicious payloads directly in server memory, minimizing their on-disk presence and leaving few forensic artifacts, making detection more challenging."
"The group seems to follow an opportunistic approach but has attacked organizations in Europe and the U.S. in the following industries: financial services, manufacturing, wholesale and retail, high technology, and transportation and logistics."
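The following is an added example, not code from The Hacker News, Unit 42 or Microsoft: a Python audit that flags statically configured `machineKey` values in a web.config, because a key that also exists in a public source lets forged ViewState pass validation. The sample configs, the key values and the `disclosed_digests` list format (SHA-256 of the upper-cased key string) are constructed assumptions.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed web.config samples; key values are placeholders, not real keys.
STATIC_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>"""

# Older configs sometimes declare a default XML namespace on the root element.
AUTO_CONFIG = """<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps" />
  </system.web>
</configuration>"""


def key_digest(key):
    """SHA-256 of the upper-cased key string (assumed format of the local list)."""
    return hashlib.sha256(key.strip().upper().encode("utf-8")).hexdigest()


def audit_machine_key(config_xml, disclosed_digests=frozenset()):
    """Return (attribute, severity) findings for every <machineKey> element."""
    findings = []
    for elem in ET.fromstring(config_xml).iter():
        if elem.tag.rsplit("}", 1)[-1] != "machineKey":  # ignore any XML namespace
            continue
        for attr in ("validationKey", "decryptionKey"):
            value = elem.get(attr, "AutoGenerate")  # absent attribute: auto-generated
            if value.lower().startswith("autogenerate"):
                continue
            # A static key is only as secret as every place it was copied to or from.
            known = key_digest(value) in disclosed_digests
            findings.append((attr, "disclosed" if known else "static"))
    return findings


if __name__ == "__main__":
    # Constructed entry standing in for a list of publicly disclosed keys.
    known = {key_digest("0123456789abcdef0123456789abcdef")}
    for name, xml in (("static", STATIC_CONFIG), ("auto", AUTO_CONFIG)):
        print(name, audit_machine_key(xml, known))
```

A `static` finding calls for confirming where the key came from; a `disclosed` finding calls for rotating the key and reviewing the server for prior compromise.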
Read at The Hacker News