Reddit NetSec

CVE Database V5

AlienVault OTX General

Exploit-DB RSS Feed

Reddit InfoSec News

ThreatFox MISP Feed

CIRCL OSINT Feed

AlienVault OTX Vulnerabilities

AlienVault OTX Malware

An initial access broker exploited leaked Machine Keys on ASP.NET sites to gain unauthorized access to organizations. The group, tracked as TGR-CRI-0045, targeted industries in Europe and the U.S. including finance, manufacturing, and technology. They used ASP.NET View State deserialization to execute malicious payloads in server memory, minimizing forensic artifacts. The attackers deployed post-exploitation tools for persistence and privilege escalation. The campaign began in October 2024, with increased activity from January to March 2025. Organizations are advised to review and remediate compromised Machine Keys following Microsoft's guidance. The threat group is possibly linked to Gold Melody based on overlapping indicators and tactics.

This threat involves an initial access broker group identified as TGR-CRI-0045 exploiting leaked Machine Keys from ASP.NET web applications to gain unauthorized access to targeted organizations. Machine Keys in ASP.NET are cryptographic keys used to protect View State data, authentication tokens, and other sensitive information. If these keys are leaked or compromised, attackers can manipulate or forge View State data, enabling deserialization attacks that execute arbitrary code in server memory. The attackers leverage ASP.NET View State deserialization vulnerabilities to run malicious payloads directly in memory, which reduces forensic footprints and complicates detection. After initial access, the threat actors deploy post-exploitation tools to maintain persistence and escalate privileges within the compromised environment. The campaign, active since October 2024 with heightened activity from January to March 2025, targets industries including finance, manufacturing, and technology sectors primarily in Europe and the United States. The group’s tactics and indicators overlap with those attributed to the Gold Melody threat actor, suggesting possible linkage. The exploitation technique focuses on abusing leaked cryptographic keys rather than exploiting software vulnerabilities directly, making traditional patching ineffective. Organizations are advised to audit and rotate Machine Keys following Microsoft's remediation guidance to invalidate compromised keys and prevent further exploitation. Indicators of compromise include multiple IP addresses and file hashes associated with the attack infrastructure and payloads. The attack chain involves initial access via crafted View State payloads, in-memory execution of malicious code, and subsequent lateral movement and privilege escalation using known techniques such as token manipulation and service persistence. The threat leverages IIS-hosted ASP.NET applications, which are prevalent in enterprise environments, making this a significant risk vector for organizations relying on this technology stack.

Detailed information about Exploitation of Leaked Machine Keys by Initial Access Broker. Get real-time updates, technical details, and mitigation strategies.

Exploitation of Leaked Machine Keys by Initial Access Broker - Live Threat Intelligence - Threat Radar | OffSeq.com

Exploitation of Leaked Machine Keys by Initial Access Broker

A spam campaign targeting Brazilian users, particularly C-level executives and financial/HR accounts, has been identified since January 2025. The campaign exploits commercial remote monitoring and management (RMM) tools, specifically PDQ Connect and N-able remote access tools. Attackers use Brazilian electronic invoice system (NF-e) as bait, leading victims to malicious content on Dropbox. The threat actor, likely an initial access broker, abuses free trial periods of RMM tools to gain complete control of target machines. The campaign's objective is to create a network of compromised machines for potential sale to third parties, including ransomware operators and state-sponsored actors. The abuse of commercial RMM tools is increasing due to their digital signatures, full backdoor capabilities, and low cost.

This threat involves a spam campaign primarily targeting Brazilian users, with a focus on high-value targets such as C-level executives and financial or HR personnel. The attackers exploit commercial Remote Monitoring and Management (RMM) tools, specifically PDQ Connect and N-able remote access tools, to gain unauthorized access to victim machines. The campaign uses the Brazilian electronic invoice system (NF-e) as a lure, directing victims to malicious content hosted on Dropbox. The attackers leverage free trial periods of these RMM tools to establish persistent, fully backdoored access to compromised systems. These RMM tools are attractive to attackers because they are digitally signed, which helps evade detection, and provide comprehensive remote control capabilities. The ultimate goal of the campaign is to build a network of compromised machines that can be sold to third parties, including ransomware operators and state-sponsored threat actors. The campaign employs multiple tactics and techniques such as initial access brokering, social engineering via spam, and abuse of legitimate software to bypass security controls. Although the campaign is currently focused on Brazil, the abuse of RMM tools is a growing trend globally due to their stealth and effectiveness in establishing long-term access.

Detailed information about Spam campaign targeting Brazil abuses Remote Monitoring and Management tools. Get real-time updates, technical details, and mitigatio

Spam campaign targeting Brazil abuses Remote Monitoring and Management tools - Live Threat Intelligence - Threat Radar | OffSeq.com

Spam campaign targeting Brazil abuses Remote Monitoring and Management tools

The initial access broker (IAB), whom Talos calls “ToyMaker” and assesses with medium confidence is a financially motivated threat actor, exploits vulnerable systems exposed to the internet. They deploy their custom-made backdoor we call “LAGTOY” and extract credentials from the victim enterprise. LAGTOY can be used to create reverse shells and execute commands on infected endpoints.

ToyMaker is an initial access broker (IAB) threat actor identified with medium confidence by Talos, primarily motivated by financial gain. This actor targets vulnerable internet-exposed systems to gain initial footholds within enterprise environments. Upon successful compromise, ToyMaker deploys a custom backdoor malware named LAGTOY. LAGTOY is a versatile tool capable of establishing reverse shells and executing arbitrary commands on infected endpoints, enabling attackers to maintain persistence and control over compromised systems. It also facilitates credential harvesting, allowing the adversary to extract sensitive authentication data from the victim enterprise, which can be leveraged for lateral movement or sold to other threat actors. 

LAGTOY’s capabilities include file transfer, command execution, and persistence mechanisms. The malware often uses legitimate administrative tools and protocols such as PowerShell, SSH, AnyDesk, and WinSCP to blend in with normal network activity, complicating detection efforts. The threat actor’s toolkit references frameworks like Metasploit and Impacket, indicating a sophisticated approach to exploitation and post-exploitation activities. Although no known exploits in the wild have been reported for this specific malware, multiple hashes associated with LAGTOY samples suggest active deployment. 

The modus operandi aligns with typical IAB behavior: gaining initial access, establishing persistence, harvesting credentials, and potentially selling access or enabling subsequent ransomware attacks. The medium severity rating reflects the potential for significant impact if the malware is deployed in critical environments but also indicates that the threat is not currently widespread or fully weaponized at scale. The use of common administrative tools and protocols requires vigilant monitoring for anomalous usage patterns to detect this threat effectively.

Detailed information about Introducing ToyMaker. Get real-time updates, technical details, and mitigation strategies.

Title	Severity	Type	Source	Date

Threats Tagged 'initial access broker'

Filter Threats

Threats Tagged 'initial access broker'

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility