NEWS Microsoft Exposes ViewState Vulnerability — Cybercriminals Rewrite Login Rules

ExcalibuR

ASP.NET has become a backdoor for shadowy groups.

Palo Alto Networks Unit 42 researchers have uncovered a new campaign by a group they track as TGR-CRI-0045 and assess with moderate confidence to be Gold Melody, an initial access broker that breaks into corporate systems and resells that access to other cybercriminals. The group is also known as Prophet Spider and UNC961, and one of its tools has also been linked to the broker ToyMaker.

The key feature of their method is the exploitation of leaked ASP.NET machine keys: the validationKey and decryptionKey in the machineKey configuration element, which sign and encrypt ViewState, the mechanism that preserves a Web Forms page's state between requests. In February 2025 Microsoft reported that it had identified more than 3,000 such keys publicly disclosed in code samples and repositories. An attacker who holds a site's validation key can produce a ViewState payload carrying a valid signature, so the server's own integrity check passes and the payload reaches the ViewState deserializer. A serialized gadget chain placed there runs a malicious .NET assembly directly in the worker process's memory, leaving no file on disk and sidestepping defenses that rely on scanning files or spawned processes.

The campaign's first activity was detected in October 2024, with a spike in infections between late January and March 2025. Targets included companies in the U.S. and Europe, primarily in finance, logistics, high-tech, manufacturing, and wholesale/retail. Victim selection appeared indiscriminate, suggesting the group opportunistically went after whatever exposed servers it could find with a usable key.

Unlike web shells or other footholds that leave files on the server, TGR-CRI-0045's technique executed its components solely in memory. This lowers the likelihood of detection and complicates response. Organizations relying solely on signature-based antivirus or file integrity monitoring had little chance of spotting it.

Analysis revealed five types of modules loaded into memory via compromised IIS servers:

- **Cmd /c** – executing commands via Windows shell.
- **File upload** – uploading arbitrary files to the server.
- **Winner** – possibly used to verify successful exploitation.
- **File download** – retrieving data from the server (module not extracted).
- **Reflective loader** – likely used to run .NET assemblies without disk persistence.

Notably, the attackers used the open-source **ysoserial.net** tool's ViewState plugin, which takes the leaked validation key and emits ViewState payloads with a valid MAC; it is ASP.NET's own integrity check accepting the forged signature, not a bypass of it, that lets the gadget through. In later stages they downloaded port scanners, C# programs with privilege escalation functions, ELF binaries, and network utilities from an external server to extend their access.

Unit 42 emphasizes that each new command requires the attacker to send a fresh exploit request that loads the component into server memory again; nothing is installed, which points to a deliberate trade-off of persistence for stealth. This lets attackers operate for extended periods while leaving minimal forensic traces on disk. The trade-off does leave one trace worth looking for: every command is an HTTP POST to an .aspx endpoint carrying an oversized __VIEWSTATE field, so web-server logs that record request sizes (the optional cs-bytes field in IIS W3C logging) and repeated POSTs to the same page from one source are a practical place to hunt.

The campaign also exposed how fragile older ASP.NET deployments can be: static machine keys copied from public samples or shared across many sites, ViewState MAC validation switched off, and other insecure configurations turned a framework feature into an attack vector. Microsoft's guidance is to treat any publicly disclosed key as compromised, rotate it, and keep keys out of source control; rotation alone does not evict an attacker who has already used the key, so a server found running a leaked key should also be investigated for post-exploitation tooling. Unit 42 recommends that organizations reassess their threat models to include compromise of cryptographic integrity mechanisms and of the IIS/ASP.NET request pipeline.
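A configuration check for the weaknesses listed above, added here as an example; it is not Unit 42's or Microsoft's tooling. It audits a web.config for static machineKey values, keys matching a list of publicly disclosed ones (the KNOWN_LEAKED_SHA256 set stands in for a list you would maintain from Microsoft's published disclosures, and the sample key in it is constructed for this example), legacy validation algorithms, and enableViewStateMac="false". The two sample configs are constructed, one weak and one hardened.

```python
"""Audit an ASP.NET web.config for the machineKey and ViewState settings the
campaign relied on. Added example with constructed sample configs."""
import hashlib
import xml.etree.ElementTree as ET

# Constructed for this example, not a real disclosed key. A real checker would
# load hashes of Microsoft's published list; store hashes so the list itself
# is not another copy of the keys.
SAMPLE_LEAKED_KEY = "A5C3E7F9B1D2A4C6E8F0B2D4A6C8E0F2B4D6A8C0E2F4B6D8A0C2E4F6B8D0A2C4"
KNOWN_LEAKED_SHA256 = {hashlib.sha256(SAMPLE_LEAKED_KEY.encode()).hexdigest()}
LEGACY_VALIDATION = {"MD5", "SHA1", "3DES"}


def _child(elem, name):
    """First direct child with the given tag (tags like system.web contain a dot)."""
    return next((c for c in elem if c.tag == name), None)


def audit_web_config(xml_text: str) -> list[str]:
    """Return a list of findings for one web.config; an empty list means clean."""
    findings = []
    root = ET.fromstring(xml_text.strip())
    sw = _child(root, "system.web")
    if sw is None:
        return findings

    mk = _child(sw, "machineKey")
    if mk is not None:
        for attr in ("validationKey", "decryptionKey"):
            # Framework default when the attribute is absent.
            value = mk.get(attr, "AutoGenerate,IsolateApps")
            if value.startswith("AutoGenerate"):
                continue  # generated per machine, never lands in source control
            findings.append(
                f"machineKey {attr} is static: rotate it and keep it out of source control"
            )
            if hashlib.sha256(value.upper().encode()).hexdigest() in KNOWN_LEAKED_SHA256:
                findings.append(
                    f"machineKey {attr} matches a publicly disclosed key: treat as compromised"
                )
        validation = mk.get("validation", "HMACSHA256")
        if validation.upper() in LEGACY_VALIDATION:
            findings.append(f"machineKey validation={validation} is a legacy algorithm")

    pages = _child(sw, "pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append(
            "pages enableViewStateMac=false: ViewState is accepted without any integrity check"
        )
    return findings


# Constructed sample: keys pasted from a public example, legacy MAC, MAC disabled.
WEAK_CONFIG = f"""
<configuration>
  <system.web>
    <machineKey validationKey="{SAMPLE_LEAKED_KEY}"
                decryptionKey="0F1E2D3C4B5A69788796A5B4C3D2E1F00F1E2D3C4B5A6978"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>
"""

# Constructed sample: auto-generated keys, HMACSHA256, MAC left on (the default).
HARDENED_CONFIG = """
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_web_config(cfg) or ["no findings"])
```

AutoGenerate keys are only an option for a single server; a web farm needs one shared key so ViewState survives a hop between nodes, but that key should be generated fresh for the deployment and stored outside source control, not copied from a sample. Finding a disclosed key with this check is a reason to investigate the host, not just to edit the file.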
 