Gold Melody, also identified as TGRCRI0045, Prophet Spider, and UNC961, has been observed exploiting exposed ASP.NET machine keys to infiltrate enterprise networks. Access gained through this method is later monetized and passed on to other threat actors.
Palo Alto Networks Unit 42 reports that the group has primarily focused on organizations in finance, manufacturing, logistics, retail, and technology across the U.S. and Europe. By exploiting leaked ASP.NET machine keys, the attackers execute malicious .NET code through ViewState deserialization, enabling memory-only payload delivery that evades disk-based detection and leaves minimal forensic evidence.
Although Microsoft flagged the issue publicly in early 2025, highlighting thousands of compromised ASP.NET machine keys, related activity had quietly begun months earlier. By late 2024, unknown operators were already using static keys to inject malicious .NET code, including tools like the Godzilla framework. Unit 42 later observed consistent use of the same method by the group dubbed Gold Melody, especially between January and March 2025.
Attackers used ysoserial.net with its ViewState plugin to generate ViewState payloads that bypass standard defenses. After initial access, they deployed custom C# tools such as updf for privilege escalation and used utilities such as TXPortMap to scan for internal targets. Evidence of execution was tied to IIS worker processes (w3wp.exe), indicating compromise through exposed web services.
Five different in-memory modules were deployed:
- A shell execution tool (cmd /c)
- A file uploader
- A success-verification component (“Winner”)
- A downloader (not recovered)
- A reflective loader for .NET assemblies
In a few instances, compromised systems were also seen pulling a Linux ELF binary, identified as “atm”, from a remote host. This, together with the internal network mapping, shows clear intent to pivot further inside the compromised infrastructure.
Because payload delivery was stateless and memory-only, every command required a fresh round of exploitation.
This campaign underlines risks from cryptographic key exposure, weak ViewState validation, and legacy ASP.NET configurations. Organizations must adopt behavioral detection, harden cryptographic settings, and monitor IIS for anomalies to counter such memory-resident threats.
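As an added defensive example (not code from the article or from Unit 42), the following Python audit shows how the settings this campaign abuses can be checked in a web.config: a static `<machineKey>` whose value appears on a list of publicly disclosed keys, a legacy ViewState MAC algorithm, and `enableViewStateMac` turned off. The sample config, its key values and the hash list are constructed for illustration; an operator would load a real disclosed-key hash list in place of the placeholder.

```python
import hashlib
import secrets
import xml.etree.ElementTree as ET

# Constructed sample web.config: hard-coded keys, a legacy MAC algorithm and MAC disabled.
# Illustration only; the key values are not from any real deployment.
WEAK_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>"""

# Placeholder for a set of SHA-256 hashes of publicly disclosed machine keys; here it
# simply contains the hash of the sample validationKey above.
KNOWN_LEAKED_HASHES = {hashlib.sha256(b"0123456789ABCDEF" * 4).hexdigest()}
LEGACY_VALIDATION = {"MD5", "SHA1", "3DES"}

def audit_machine_key(config_xml: str, leaked_hashes=KNOWN_LEAKED_HASHES) -> list[str]:
    """Return findings for a web.config's <machineKey> and ViewState MAC settings."""
    root = ET.fromstring(config_xml)
    findings = []
    mk = next(root.iter("machineKey"), None)
    if mk is not None:
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "AutoGenerate")
            if value.startswith("AutoGenerate"):
                continue  # per-process keys cannot be reused from a leaked config
            if hashlib.sha256(value.upper().encode()).hexdigest() in leaked_hashes:
                findings.append(f"CRITICAL: {attr} matches a publicly disclosed key")
            else:
                findings.append(f"INFO: static {attr}; rotate if the config was ever exposed")
        if mk.get("validation", "HMACSHA256").upper() in LEGACY_VALIDATION:
            findings.append(f"WARN: legacy validation algorithm {mk.get('validation')}")
    pages = next(root.iter("pages"), None)
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("CRITICAL: enableViewStateMac=false, ViewState is not integrity-checked")
    return findings

def fresh_machine_key() -> str:
    """Replacement <machineKey> element with freshly generated random keys."""
    validation_key = secrets.token_hex(64).upper()  # 64 random bytes for HMACSHA256
    decryption_key = secrets.token_hex(32).upper()  # 32 random bytes for AES-256
    return (f'<machineKey validationKey="{validation_key}" decryptionKey="{decryption_key}" '
            'validation="HMACSHA256" decryption="AES" />')

if __name__ == "__main__":
    for finding in audit_machine_key(WEAK_CONFIG):
        print(finding)
    print(fresh_machine_key())
```

A replacement key still has to be deployed to every node of a web farm at once, since ViewState signed by one node must validate on the others.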