Gold Melody Unleashed: New Stealthy Attacks Exploit Leaked ASP.NET Keys
Experts at Palo Alto Networks Unit 42 have uncovered a new malicious campaign orchestrated by the threat actor group known as Gold Melody. This group specializes in gaining unauthorized access to corporate systems and subsequently selling that access to other cybercriminals. Also identified by the aliases Prophet Spider and UNC961, the group has been linked to tools previously observed in use by the access broker ToyMaker.
What sets their approach apart is the exploitation of leaked ASP.NET machine keys—cryptographic keys used to ensure the integrity and security of data in .NET applications. Microsoft had already detected the widespread appearance of over 3,000 such leaks as early as February 2025. The attackers leveraged these keys to inject malicious code into ViewState, a mechanism that preserves the state of ASP.NET pages between requests. By forging signatures and deserializing manipulated ViewState data, they were able to execute malicious assemblies directly in server memory—leaving no traces on disk and evading defenses based on file or process analysis.
The first signs of this campaign emerged in October 2024, with a surge in infections recorded between late January and March 2025. The targets included companies across the United States and Europe, particularly within the financial, logistics, high-tech, manufacturing, and wholesale/retail sectors. The seemingly random selection of victims suggests that Gold Melody follows an opportunistic strategy.
Unlike conventional intrusion methods such as web shells or planted files, the campaign tracked as TGR-CRI-0045 relied solely on loading malicious components into memory. This tactic significantly reduces the likelihood of detection and presents a formidable challenge for defenders. Organizations relying exclusively on signature-based antivirus solutions or file integrity checks proved especially vulnerable.
Analysis revealed five distinct modules being loaded into memory via compromised IIS servers:
- Cmd /c — execution of shell commands via Windows command line
- File upload — uploading arbitrary files to the server
- Winner — likely a module to verify successful compromise
- File download — exfiltration of server data (this module was not recovered)
- Reflective loader — believed to be used for launching .NET assemblies without disk writes
Particular attention was drawn to the use of the widely known tool ysoserial.net with its ViewState module, which generates malicious .NET payloads capable of bypassing standard ASP.NET protections. To consolidate their foothold, the attackers employed port scanners, privilege escalation tools written in C#, ELF binaries, and various network utilities, all retrieved from external servers.
Unit 42 emphasizes that each command execution required reloading the component into server memory, indicating a deliberate avoidance of persistent mechanisms and a strategy aimed at evading conventional defenses. This approach enables prolonged, stealthy operations with minimal forensic artifacts.
The campaign also exposed fundamental flaws in the security architecture of legacy ASP.NET versions: weak cryptographic keys, lack of integrity verification, and misconfigured settings provided fertile ground for exploitation. Security experts urge organizations to reassess their internal threat models, specifically incorporating risks related to cryptographic integrity violations and middleware vulnerabilities in IIS.
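The three weaknesses named above (static keys that may be publicly known, weak validation algorithms, and disabled ViewState integrity checks) can all be read directly out of an application's web.config. The following audit script is an added example, not code from Unit 42 or Microsoft; the sample web.config and the denylist of leaked-key digests are constructed here, and a real denylist would be populated from the vendor's published list of compromised key hashes.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample web.config: static machineKey, SHA1 validation, MAC disabled.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="3DES" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>
"""

# Hypothetical denylist: SHA-256 digests of validationKeys known to be public.
# Constructed for this example; a real one comes from the vendor's published list.
LEAKED_KEY_DIGESTS = {
    hashlib.sha256(b"ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789").hexdigest(),
}

WEAK_VALIDATION = {"MD5", "SHA1"}   # HMACSHA256 or stronger is expected
WEAK_DECRYPTION = {"DES", "3DES"}   # AES is expected


def audit_web_config(xml_text: str) -> list[str]:
    """Return a list of findings describing risky machineKey / ViewState settings."""
    findings = []
    root = ET.fromstring(xml_text)
    mk = root.find("./system.web/machineKey")
    if mk is not None:
        vkey = mk.get("validationKey", "AutoGenerate")
        # An explicit key is static across restarts and may be a copied, public value.
        if not vkey.startswith("AutoGenerate"):
            findings.append("static validationKey set in web.config")
            if hashlib.sha256(vkey.encode()).hexdigest() in LEAKED_KEY_DIGESTS:
                findings.append("validationKey matches known-leaked key digest")
        algo = mk.get("validation", "HMACSHA256").upper()
        if algo in WEAK_VALIDATION:
            findings.append(f"weak validation algorithm: {algo}")
        dec = mk.get("decryption", "AES").upper()
        if dec in WEAK_DECRYPTION:
            findings.append(f"weak decryption algorithm: {dec}")
    pages = root.find("./system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false (ViewState MAC disabled)")
    return findings


if __name__ == "__main__":
    for finding in audit_web_config(SAMPLE_WEB_CONFIG):
        print("FINDING:", finding)
```

A clean configuration (auto-generated keys, HMACSHA256/AES, MAC enabled) yields no findings; any "static validationKey" hit is a candidate for rotation, and a denylist hit warrants treating the server as potentially compromised.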