Reddit NetSec

CVE Database V5

AlienVault OTX General

Exploit-DB RSS Feed

Reddit InfoSec News

ThreatFox MISP Feed

CIRCL OSINT Feed

AlienVault OTX Vulnerabilities

AlienVault OTX Malware

An initial access broker exploited leaked Machine Keys on ASP.NET sites to gain unauthorized access to organizations. The group, tracked as TGR-CRI-0045, targeted industries in Europe and the U.S. including finance, manufacturing, and technology. They used ASP.NET View State deserialization to execute malicious payloads in server memory, minimizing forensic artifacts. The attackers deployed post-exploitation tools for persistence and privilege escalation. The campaign began in October 2024, with increased activity from January to March 2025. Organizations are advised to review and remediate compromised Machine Keys following Microsoft's guidance. The threat group is possibly linked to Gold Melody based on overlapping indicators and tactics.

This threat involves an initial access broker group identified as TGR-CRI-0045 exploiting leaked Machine Keys from ASP.NET web applications to gain unauthorized access to targeted organizations. Machine Keys in ASP.NET are cryptographic keys used to protect View State data, authentication tokens, and other sensitive information. If these keys are leaked or compromised, attackers can manipulate or forge View State data, enabling deserialization attacks that execute arbitrary code in server memory. The attackers leverage ASP.NET View State deserialization vulnerabilities to run malicious payloads directly in memory, which reduces forensic footprints and complicates detection. After initial access, the threat actors deploy post-exploitation tools to maintain persistence and escalate privileges within the compromised environment. The campaign, active since October 2024 with heightened activity from January to March 2025, targets industries including finance, manufacturing, and technology sectors primarily in Europe and the United States. The group’s tactics and indicators overlap with those attributed to the Gold Melody threat actor, suggesting possible linkage. The exploitation technique focuses on abusing leaked cryptographic keys rather than exploiting software vulnerabilities directly, making traditional patching ineffective. Organizations are advised to audit and rotate Machine Keys following Microsoft's remediation guidance to invalidate compromised keys and prevent further exploitation. Indicators of compromise include multiple IP addresses and file hashes associated with the attack infrastructure and payloads. The attack chain involves initial access via crafted View State payloads, in-memory execution of malicious code, and subsequent lateral movement and privilege escalation using known techniques such as token manipulation and service persistence. The threat leverages IIS-hosted ASP.NET applications, which are prevalent in enterprise environments, making this a significant risk vector for organizations relying on this technology stack.

Detailed information about Exploitation of Leaked Machine Keys by Initial Access Broker. Get real-time updates, technical details, and mitigation strategies.

Exploitation of Leaked Machine Keys by Initial Access Broker - Live Threat Intelligence - Threat Radar | OffSeq.com

Exploitation of Leaked Machine Keys by Initial Access Broker

A fileless AsyncRAT campaign is targeting German-speaking users through Clickfix-themed websites. The attack uses a fake 'I'm not a robot' prompt to execute malicious PowerShell code, which downloads and runs obfuscated C# code in memory. This technique enables full remote access, credential theft, and data exfiltration without leaving traces on the disk. The malware establishes persistence via registry keys and communicates with a command and control server on port 4444. The campaign has been active since at least April 2025, primarily affecting German-speaking regions. Mitigation strategies include blocking suspicious PowerShell activity, monitoring registry changes, and implementing in-memory scanning for threats.

This threat involves a fileless malware campaign distributing AsyncRAT, a remote access trojan, targeting primarily German-speaking users through websites themed around the 'Clickfix' concept. The attack vector leverages a fake 'I'm not a robot' CAPTCHA prompt to trick victims into executing malicious PowerShell commands. These commands then download and execute obfuscated C# code directly in memory, avoiding any disk writes and thereby evading traditional file-based detection mechanisms. The in-memory execution allows the attacker to establish full remote control over the compromised system, enabling credential theft, data exfiltration, and other malicious activities. Persistence is maintained by creating or modifying registry keys, ensuring the malware survives system reboots. Communication with the attacker’s command and control (C2) infrastructure occurs over port 4444, facilitating ongoing control and data transfer. The campaign has been active since at least April 2025 and is focused on German-speaking regions, with indicators including multiple IP addresses and the domain 'namoet.de'. The use of obfuscation and fileless techniques complicates detection and mitigation. The attack employs multiple MITRE ATT&CK techniques such as T1056.001 (Input Capture: Keylogging), T1140 (Deobfuscate/Decode Files or Information), T1059.001 (PowerShell), T1547.001 (Registry Run Keys/Startup Folder), T1571 (Non-Standard Port), T1027 (Obfuscated Files or Information), T1127.001 (Trusted Developer Utilities Proxy Execution), T1071.001 (Web Protocols), T1105 (Ingress Tool Transfer), and T1055.001 (Process Injection). This combination highlights a sophisticated, stealthy approach to compromise and maintain control over victim systems without leaving traditional forensic artifacts on disk.

Detailed information about Fileless AsyncRAT Distributed Via Clickfix Technique Targeting German Speaking Users. Get real-time updates, technical details, and m

Title	Severity	Type	Source	Date

Threats Tagged 'in-memory execution'

Filter Threats

Threats Tagged 'in-memory execution'

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility