Date: 2025-07-10
Network Security, Threat Intelligence
Exposed ASP.NET machine keys leveraged for network infiltration
Attacks leveraging exposed ASP.NET machine keys have been deployed by initial access broker Gold Melody, also known as UNC961 and Prophet Spider, to facilitate network compromise as part of the TGR-CRI-0045 campaign, with such access later sold to other illicit actors, The Hacker News reports. Gold Melody used the ASP.NET machine keys to enable direct in-memory execution of malicious payloads while ensuring covert operations, an analysis from Palo Alto Networks Unit 42 researchers showed. Intensified intrusions from late January to March resulted in the delivery of open-source port scanners and other post-exploitation tools. Unit 42 researchers noted that attacks from Internet Information Services servers allowed in-memory execution of a .NET assembly and the download of other tools for reconnaissance while circumventing ViewState defenses. "The group's opportunistic targeting and ongoing tool development highlight the need for organizations to prioritize identifying and remediating compromised Machine Keys," said researchers.
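One way to start on the identification step the researchers call for, as an added example that is not from the article or from Unit 42: this Python check flags `<machineKey>` elements in a web.config that hard-code key material instead of using auto-generated keys. The sample config, the key values, the `KNOWN_EXPOSED` list and the function name `audit_machine_keys` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the key values are made-up placeholders, not real keys.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="SHA1" decryption="AES" />
  </system.web>
  <location path="reports">
    <system.web>
      <machineKey validationKey="AutoGenerate,IsolateApps"
                  decryptionKey="AutoGenerate,IsolateApps" />
    </system.web>
  </location>
</configuration>"""

# Hypothetical local list of keys known to be publicly disclosed (constructed).
KNOWN_EXPOSED = {"0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"}


def audit_machine_keys(config_xml, known_exposed=frozenset()):
    """Return one finding per hard-coded key attribute on any <machineKey>."""
    exposed = {k.upper() for k in known_exposed}
    findings = []
    # Only parse configuration files from hosts you administer.
    root = ET.fromstring(config_xml)
    for elem in root.iter("machineKey"):  # also covers <location> overrides
        for attr in ("validationKey", "decryptionKey"):
            value = elem.get(attr, "AutoGenerate")
            # Key material precedes any ",IsolateApps"-style modifier.
            key = value.split(",")[0].strip()
            if key.lower() == "autogenerate":
                continue  # generated by the runtime, no static key in the file
            findings.append({
                "attribute": attr,
                "key_prefix": key[:8] + "...",  # never log the full key
                "known_exposed": key.upper() in exposed,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_machine_keys(SAMPLE_WEB_CONFIG, KNOWN_EXPOSED):
        print(finding)
```

Any static key reported here is a candidate for rotation, and one marked `known_exposed` should be treated as compromised.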
