Exploitation of Leaked Machine Keys by Initial Access Broker
July 13, 2025, 10:33 a.m.
Description
An initial access broker exploited leaked ASP.NET Machine Keys to gain unauthorized access to organizations. The group, tracked as TGR-CRI-0045, targeted industries in Europe and the U.S., including finance, manufacturing, and technology. The attackers abused ASP.NET ViewState deserialization to execute malicious payloads directly in server memory, minimizing forensic artifacts on disk, and then deployed post-exploitation tools for persistence and privilege escalation. The campaign began in October 2024, with increased activity from January to March 2025. Organizations are advised to review and remediate compromised Machine Keys following Microsoft's guidance. The threat group is possibly linked to Gold Melody based on overlapping indicators and tactics.
Tags
Date
- Created: July 9, 2025, 1:25 p.m.
- Published: July 9, 2025, 1:25 p.m.
- Modified: July 13, 2025, 10:33 a.m.
Indicators
Additional Information
- Retail
- Technology
- Transportation
- Finance
- Manufacturing
- United States of America