
Exploitation of Leaked Machine Keys by Initial Access Broker

Medium
Published: Wed Jul 09 2025 (07/09/2025, 13:25:55 UTC)
Source: AlienVault OTX General

Description

An initial access broker exploited leaked Machine Keys on ASP.NET sites to gain unauthorized access to organizations. The group, tracked as TGR-CRI-0045, targeted industries in Europe and the U.S. including finance, manufacturing, and technology. They used ASP.NET View State deserialization to execute malicious payloads in server memory, minimizing forensic artifacts. The attackers deployed post-exploitation tools for persistence and privilege escalation. The campaign began in October 2024, with increased activity from January to March 2025. Organizations are advised to review and remediate compromised Machine Keys following Microsoft's guidance. The threat group is possibly linked to Gold Melody based on overlapping indicators and tactics.

AI-Powered Analysis

Last updated: 07/09/2025, 13:54:37 UTC

Technical Analysis

TGR-CRI-0045 is an initial access broker that gets into organizations by abusing leaked ASP.NET Machine Keys rather than by exploiting a software flaw. The Machine Key (the validationKey and decryptionKey pair configured in web.config or machine.config) is the secret ASP.NET uses to MAC and, optionally, encrypt View State, forms-authentication tickets and similar client-held state. In Web Forms, View State is a serialized object graph that the server deserializes on every postback, and the MAC (plus encryption, where enabled) is the only thing preventing a client from supplying a graph of its own. An attacker who knows the validation key can therefore build a View State value carrying a deserialization gadget chain, sign it correctly, and have the IIS worker process (w3wp.exe) deserialize and execute it. Because the server is doing exactly what it was designed to do with its own secret, there is no patch for this; the remediation is to replace the key.

The payload runs inside the worker process, so initial access need not write anything to disk, which is what the report means by minimal forensic artifacts. It does not mean no artifacts: the IIS request logs and the Windows Application log still record the traffic, and the post-exploitation tools the actors then deploy for persistence and privilege escalation do touch disk (the file hashes listed below belong to that tooling). The analysis notes token manipulation and service-based persistence among the follow-on techniques.

The campaign has been running since October 2024, with heightened activity from January to March 2025, against finance, manufacturing and technology organizations, mainly in Europe and the United States. Its tactics and indicators overlap with those attributed to Gold Melody, suggesting a possible link. Microsoft's guidance, published in February 2025 after it identified more than 3,000 publicly disclosed Machine Keys, is to treat any key that has ever appeared in documentation, code samples or repositories as compromised and rotate it. Rotation stops further forgery but does not remove persistence an attacker has already established, so it belongs inside an investigation, not in place of one. The indicators published with this report are the IP addresses, SHA-256 file hashes and the single URL listed below.

The exposed surface is any Internet-facing IIS-hosted ASP.NET Web Forms application, a stack still common in enterprise environments. Applications that do not use View State (ASP.NET MVC on System.Web, for example) are not exposed to this deserialization path, but a leaked key still lets an attacker forge forms-authentication cookies for any application that shares it.

Potential Impact

For European organizations, the exploitation of leaked Machine Keys poses a substantial risk to confidentiality, integrity, and availability of critical systems. Successful exploitation allows attackers to bypass authentication mechanisms, execute arbitrary code in memory, and maintain stealthy persistence. This can lead to unauthorized data access, theft of intellectual property, disruption of business operations, and potential regulatory non-compliance under GDPR due to data breaches. The targeted sectors—finance, manufacturing, and technology—are vital to the European economy and infrastructure, amplifying the potential economic and reputational damage. The in-memory execution and minimal forensic artifacts complicate incident detection and response, increasing dwell time and potential damage. Additionally, the use of post-exploitation tools for privilege escalation can enable attackers to move laterally and compromise additional systems, escalating the scope of impact. Given the campaign’s ongoing activity and targeting of European entities, organizations face an elevated threat environment requiring immediate attention to secure ASP.NET applications and cryptographic assets.

Mitigation Recommendations

1. Inventory every place a Machine Key can live: the <machineKey> element in each application's web.config and in machine.config, plus source repositories, infrastructure templates, CI/CD variables and deployment scripts. Treat any key that was ever copied from documentation, a blog post, a forum answer or a code sample as public; Microsoft's February 2025 guidance on publicly disclosed keys includes hashes of the keys it has identified, which can be compared against yours.
2. Rotate: generate new random keys (128 hex characters for an HMACSHA256 validationKey, 64 for an AES decryptionKey, which is what IIS Manager's Generate Keys produces), deploy them to every node of a web farm at the same time, and recycle the application pools. Rotation invalidates the attacker's ability to forge further payloads and also invalidates existing forms-authentication tickets; it does not remove web shells, services or accounts already planted, so pair it with the hunting in items 6 to 8.
3. Protect the configuration that holds the key: restrict NTFS permissions on web.config, keep keys out of repositories, and where keys must be explicit (web farms), encrypt the section with protected configuration (aspnet_regiis -pe "system.web/machineKey" -app "/<application path>") or inject it at deployment time from a secrets manager.
4. Do not count on View State MAC validation to stop this. It is on by default (and cannot be turned off since .NET Framework 4.5.2), but an attacker who holds the validation key produces payloads with a valid MAC, and encrypting View State does not help either because the decryption key sits in the same leaked configuration. MAC validation is still worth watching: bursts of "Validation of viewstate MAC failed" entries (Application log, source ASP.NET, Event ID 1316, event code 4009) against an Internet-facing application indicate someone trying keys that are not yours.
5. A WAF or RASP layer can inspect __VIEWSTATE and block known gadget-chain signatures, and is worth having as defense in depth, but a correctly signed (and optionally encrypted) View State is indistinguishable from a legitimate one on the wire, so do not treat such a control as a substitute for key rotation.
6. Turn on and centralize IIS W3C logging (with at least cs-method, cs-uri-stem, c-ip, sc-status and time-taken; add the X-Forwarded-For custom field if a load balancer sits in front) and forward the Windows Application and Security logs. Hunt for POST requests to .aspx pages from unexpected sources, 500 responses on those pages, w3wp.exe spawning cmd.exe, powershell.exe or other child processes, and new services or scheduled tasks.
7. Search logs and endpoints for the indicators of compromise listed below (IP addresses, SHA-256 hashes and the URL).
8. Monitor for the privilege-escalation and persistence techniques noted in the analysis, such as token manipulation and service creation, with particular attention to the account the application pool runs as.
9. Educate development and operations teams that a Machine Key is a credential and must be handled like one in code review, ticketing and documentation.
10. Keep IIS and the .NET Framework patched; patching does not address leaked keys, but it removes vulnerabilities that could be chained with this access.
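The following Python script is an added example, not code from Unit 42, Microsoft or this page, that performs the offline part of items 1 to 3: it parses a web.config, flags explicit keys, keys whose fingerprint is on a deny-list, under-sized keys and weak algorithms, and mints a replacement <machineKey> element of the sizes IIS Manager would generate. The two sample configurations and the single deny-list entry are constructed for the example; in practice LEAKED_KEY_HASHES would be loaded from Microsoft's published hashes of publicly disclosed keys.

```python
"""Audit <machineKey> settings in ASP.NET web.config files and mint replacements.

Added example, not code from the Unit 42 report, Microsoft or this page.
The sample configs and the deny-list entry are constructed for the example;
a real deployment would load Microsoft's published hashes of publicly
disclosed keys into LEAKED_KEY_HASHES.
"""
import hashlib
import secrets
import xml.etree.ElementTree as ET

# Sizes IIS Manager's "Generate Keys" produces: 64-byte validationKey (128 hex
# characters) and 32-byte decryptionKey (64 hex characters, AES-256). Shorter
# explicit keys are accepted by ASP.NET but flagged here.
VALIDATION_KEY_BYTES = 64
DECRYPTION_KEY_BYTES = 32
WEAK_VALIDATION = {"MD5", "SHA1"}   # HMACSHA256 is the .NET 4.x default
WEAK_DECRYPTION = {"DES", "3DES"}   # AES is the default

# Constructed stand-in for a publicly disclosed key (NOT a real leaked key).
EXAMPLE_LEAKED_KEY = "A1B2C3D4E5F60718" * 8


def key_fingerprint(hex_key: str) -> str:
    """SHA-256 over the normalised hex key, so the deny-list holds no raw keys."""
    return hashlib.sha256(hex_key.strip().lower().encode()).hexdigest()


LEAKED_KEY_HASHES = {key_fingerprint(EXAMPLE_LEAKED_KEY)}


def is_autogenerated(value) -> bool:
    """'AutoGenerate,IsolateApps' (the default) means no key is stored in config."""
    return value is None or value.strip().upper().startswith("AUTOGENERATE")


def audit_machine_key(config_xml: str) -> list:
    """Return findings for the first <machineKey> element in a config document."""
    root = ET.fromstring(config_xml)
    mk = next(root.iter("machineKey"), None)
    if mk is None:
        return ["no <machineKey>: keys are auto-generated per server (fine on a "
                "single server; a web farm needs shared explicit keys)"]
    findings = []
    for name, key, want_bytes in (
        ("validationKey", mk.get("validationKey"), VALIDATION_KEY_BYTES),
        ("decryptionKey", mk.get("decryptionKey"), DECRYPTION_KEY_BYTES),
    ):
        if is_autogenerated(key):
            continue
        key = key.strip()
        findings.append(f"{name} is explicit: treat it as a credential and rotate "
                        "it if it ever appeared in a repo, ticket or public post")
        if key_fingerprint(key) in LEAKED_KEY_HASHES:
            findings.append(f"{name} matches a known-leaked key: rotate now and "
                            "investigate for prior exploitation")
        if len(key) < want_bytes * 2:
            findings.append(f"{name} is {len(key) // 2} bytes, below the "
                            f"recommended {want_bytes}")
    validation = (mk.get("validation") or "HMACSHA256").upper()
    decryption = (mk.get("decryption") or "AES").upper()
    if validation in WEAK_VALIDATION:
        findings.append(f"validation={validation} is weak: use HMACSHA256")
    if decryption in WEAK_DECRYPTION:
        findings.append(f"decryption={decryption} is weak: use AES")
    return findings


def generate_machine_key() -> str:
    """Mint a replacement <machineKey> element from the OS CSPRNG."""
    return ('<machineKey validationKey="{}" decryptionKey="{}" '
            'validation="HMACSHA256" decryption="AES" />').format(
        secrets.token_hex(VALIDATION_KEY_BYTES).upper(),
        secrets.token_hex(DECRYPTION_KEY_BYTES).upper())


# Constructed sample configurations.
LEAKED_CONFIG = f"""<configuration>
  <system.web>
    <machineKey validationKey="{EXAMPLE_LEAKED_KEY}"
                decryptionKey="{'0123456789ABCDEF' * 3}"
                validation="SHA1" decryption="3DES" />
  </system.web>
</configuration>"""
DEFAULT_CONFIG = "<configuration><system.web/></configuration>"

if __name__ == "__main__":
    for finding in audit_machine_key(LEAKED_CONFIG):
        print("-", finding)
    print("replacement:", generate_machine_key())
```

Run it against web.config files exported from each server; it deliberately does not follow machine.config inheritance or <location> overrides, so a site that inherits an explicit key from machine.config shows up as auto-generated and must be checked there. Keep the replacement element out of source control and, on a web farm, deploy the same generated element to every node before recycling the pools.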


Technical Details

Author
AlienVault
TLP
white
References
https://unit42.paloaltonetworks.com/initial-access-broker-exploits-leaked-machine-keys/
Adversary
TGR-CRI-0045
Pulse Id
686e6de3779dc49cad71265b
Threat Score
null

Indicators of Compromise

IP addresses

194.5.82.11
190.211.254.95
109.176.229.89
169.150.198.91
194.114.136.95
195.123.240.233
213.252.232.237
67.43.234.96
98.159.108.69

SHA-256 file hashes

106506ebc7156be116fe5d2a4d662917ddbbfb286007b6ee7a2b01c9536b1ee4
18a90b3702776b23f87738b26002e013301f60d9801d83985a57664b133cadd1
52a72f899991506d2b1df958dd8736f7baa26592d664b771c3c3dbaef8d3114a
55656f7b2817087183ceedeb4d9b78d3abee02409666bffbe180d6ea87ee20fb
87bd7e24af5f10fe1e01cfa640ce26e9160b0e0e13488d7ee655e83118d16697
b3c085672ac34f1b738879096af5fcd748953116e319367e6e371034366eaeca
c1f66cadc1941b566e2edad0d1f288c93bf060eef383c79638306638b6cefdf8
d3767be11d9b211e74645bf434c9a5974b421cb96ec40d856f4b232a5ef9e56d
d4bfaf3fd3d3b670f585114b4619aaf9b10173c5b1e92d42be0611b6a9b1eff2
d5d0772cb90d54ac3e3093c1ea9fcd7b878663f7ddd1f96efea0725ce47d46d5
f368ec59fb970cc23f955f127016594e2c72de168c776ae8a3f9c21681860e9c

URL

http://195.123.240.233:443/atm
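The following Python script is an added example for mitigation items 6 and 7, not code from Unit 42 or this page. It parses IIS W3C log lines using the #Fields directive, joins them against the IoC IP list above, and flags POST requests to .aspx pages, the request shape a View State payload arrives in. The log excerpt is constructed for the example; the IP list is copied from the indicators above.

```python
"""Hunt IIS W3C logs for the indicators attached to this report.

Added example, not code from Unit 42 or this page. The log excerpt is
constructed; IOC_IPS is copied from the Indicators of Compromise section.
"""

IOC_IPS = {
    "194.5.82.11", "190.211.254.95", "109.176.229.89", "169.150.198.91",
    "194.114.136.95", "195.123.240.233", "213.252.232.237", "67.43.234.96",
    "98.159.108.69",
}

# Constructed log excerpt in the default IIS W3C field set (IIS writes spaces
# inside values such as the User-Agent as '+', so every value is one token).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2025-02-14 09:12:01
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-02-14 09:12:01 10.0.0.5 GET /Default.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 35
2025-02-14 09:12:09 10.0.0.5 POST /Default.aspx - 443 - 194.5.82.11 Mozilla/5.0+(Windows+NT+10.0) - 500 0 0 842
2025-02-14 09:12:15 10.0.0.5 POST /Default.aspx - 443 - 194.5.82.11 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 1203
2025-02-14 09:13:00 10.0.0.5 GET /robots.txt - 443 - 195.123.240.233 curl/8.4.0 - 404 0 2 3
2025-02-14 09:14:22 10.0.0.5 POST /Login.aspx - 443 - 198.51.100.9 Mozilla/5.0+(X11;+Linux) - 500 0 0 610
"""


def parse_w3c(text: str) -> list:
    """Parse W3C extended log text into dicts keyed by the #Fields names."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def hunt(records: list, ioc_ips=IOC_IPS) -> list:
    """Return suspicious records with a severity and the reason they matched."""
    hits = []
    for r in records:
        src = r.get("c-ip", "-")
        method = r.get("cs-method", "-")
        stem = r.get("cs-uri-stem", "-")
        status = r.get("sc-status", "-")
        postback = method == "POST" and stem.lower().endswith(".aspx")
        if src in ioc_ips:
            severity = "high" if postback else "medium"
            reason = "source IP on IoC list" + (", POST to .aspx page" if postback else "")
        elif postback and status == "500":
            # Weaker signal: a failed View State deserialization is one of
            # several things that produce a 500 on a postback.
            severity, reason = "review", "POST to .aspx page returned 500"
        else:
            continue
        hits.append({"time": f"{r.get('date')} {r.get('time')}", "c-ip": src,
                     "request": f"{method} {stem}", "status": status,
                     "severity": severity, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in hunt(parse_w3c(SAMPLE_LOG)):
        print(f"[{hit['severity']}] {hit['time']} {hit['c-ip']} "
              f"{hit['request']} -> {hit['status']} ({hit['reason']})")
```

Two caveats when pointing this at real logs: behind a load balancer or reverse proxy, c-ip is the proxy's address, so the IoC match must run against the X-Forwarded-For custom field instead; and a correctly signed payload returns 200, so the "review" tier only catches failed attempts. Note also that the one URL indicator uses plain http:// on port 443, so proxy and firewall logs should be searched for the host and port rather than for a TLS connection.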

Threat ID: 686e71156f40f0eb7203f20f

Added to database: 7/9/2025, 1:39:33 PM

Last enriched: 7/9/2025, 1:54:37 PM

Last updated: 7/9/2025, 4:33:12 PM

