Gold Melody Hacks Servers by Leaking ASP.NET Keys

10.07.2025 2 minutes Author: Newsman

The Gold Melody hack group (also known as Prophet Spider, UNC961, TGR-CRI-0045) uses leaked ASP.NET machine keys to infiltrate corporate systems in the US and Europe. Their goal is to sell access to infected servers to other attackers.

According to Unit 42 (Palo Alto Networks), the group relies on ViewState deserialization: with a known machine key it can execute malicious code directly in server memory, bypassing conventional protection systems.

  • Microsoft first discovered such an attack in December 2024, when more than 3,000 such keys were found in the public domain. The attackers use ysoserial.net, the Godzilla framework, and C# assemblies to gain privileged access to IIS servers.
  • The active phase of the campaign ran from January to March 2025. Observed activity included scripts that downloaded files, retrieved data and ran shell commands on the servers, and reflective loaders that left no traces in the file system. Such attacks are difficult to detect without behavioral detection.

Initial Access Brokers (IABs) are specialized cybercriminals who infiltrate systems and sell access to other hacker groups. Gold Melody (TGR-CRI-0045) is one such IAB that attacks companies in the finance, logistics, retail, and technology industries. Their methods are simple but effective: they achieve fileless execution of malicious code through vulnerabilities in .NET ViewState. Investigators also recorded the launch of ELF binaries, Golang scanners (TXPortMap), and the creation of in-memory implants.

The Gold Melody campaign demonstrates a new level of cryptographic key leakage exploitation in the ASP.NET environment. Modern organizations need to rethink their AppSec strategies: implement behavioral analytics, strengthen control over machineKey, ViewState MAC, and IIS middleware. Static antivirus and FIM are no longer able to detect such threats.
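As an added example (not from the article or from Unit 42), a small audit of the web.config settings the article says to tighten: static or publicly known machineKey values, weak validation algorithms, and a disabled ViewState MAC. The sample config and the "known public keys" set are constructed placeholders, not real leaked keys.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config with the weaknesses the audit looks for.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER-VALIDATION-KEY"
                decryptionKey="PLACEHOLDER-DECRYPTION-KEY"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>"""

# Placeholder standing in for a feed of machine keys known to be public
# (the article mentions >3,000 such keys; none are reproduced here).
KNOWN_PUBLIC_KEYS = {"PLACEHOLDER-VALIDATION-KEY"}

# Validation algorithms that should no longer be used for the ViewState MAC.
WEAK_VALIDATION = {"MD5", "SHA1", "3DES"}


def audit_machine_key(config_xml: str) -> list[str]:
    """Return a list of findings for the machineKey / ViewState settings."""
    findings = []
    root = ET.fromstring(config_xml)
    mk = root.find("./system.web/machineKey")
    if mk is None:
        # No explicit element: ASP.NET auto-generates per-server keys.
        return ["no explicit machineKey: keys are auto-generated per server"]
    for name in ("validationKey", "decryptionKey"):
        value = mk.get(name, "AutoGenerate")
        if "AutoGenerate" in value:
            continue
        findings.append(f"static {name} in config: rotate it if it was ever "
                        f"copied from documentation, a sample or a public repo")
        if value in KNOWN_PUBLIC_KEYS:
            findings.append(f"{name} matches a publicly known key: treat the "
                            f"server as exposed and rotate immediately")
    if mk.get("validation", "HMACSHA256").upper() in WEAK_VALIDATION:
        findings.append(f"weak validation algorithm {mk.get('validation')}: "
                        f"use HMACSHA256 or stronger")
    pages = root.find("./system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false: ViewState is accepted "
                        "without a MAC, so any client can submit arbitrary ViewState")
    return findings


if __name__ == "__main__":
    for finding in audit_machine_key(SAMPLE_WEB_CONFIG):
        print("-", finding)
```

Run it against the real web.config files of an IIS deployment; a static key that also appears in a public source is the condition the article describes, and rotating it invalidates ViewState forged with the old key.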
