Exploitation of Leaked Machine Keys by Initial Access Broker
Essential information
- Published
- 09/07/2025 13:25
- Modified
- 13/07/2025 10:33
- Tags
- 2025-07-09 asp.net iis in-memory execution initial access broker machine keys post-exploitation privilege-escalation txportmap updf view state deserialization
- Related entities
- 21 observables, 1 intrusion sets (apt), 12 techniques (mitre), 2 malware, 6 others
Description
An initial access broker exploited leaked Machine Keys on ASP.NET sites to gain unauthorized access to organizations. The group, tracked as TGR-CRI-0045, targeted industries in Europe and the U.S. including finance, manufacturing, and technology. They used ASP.NET View State deserialization to execute malicious payloads in server memory, minimizing forensic artifacts. The attackers deployed post-exploitation tools for persistence and privilege escalation. The campaign began in October 2024, with increased activity from January to March 2025. Organizations are advised to review and remediate compromised Machine Keys following Microsoft's guidance. The threat group is possibly linked to Gold Melody based on overlapping indicators and tactics.