GoldMelody’s Hidden Chords: Initial Access Broker In-Memory IIS Modules Revealed

    Date: 07/09/2025

    Severity: High

    Summary

    This report examines the tooling used by TGR-CRI-0045, a threat group that appears to operate opportunistically. It has targeted organizations in Europe and the U.S. across finance, manufacturing, technology, and logistics. The group used leaked ASP.NET machine keys to sign malicious ViewState payloads; when the server deserialized them, the payloads ran in memory (including IIS modules that never touch disk), leaving minimal forensic artifacts. With medium confidence, TGR-CRI-0045 is attributed to Gold Melody (also known as UNC961 or Prophet Spider).
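    The technique above depends on machine-key material that should never have left the server. As an added defender's check (not code from Gurucul or the Unit 42 report), the script below audits an ASP.NET web.config for a statically configured machineKey, a legacy validation algorithm, or a disabled ViewState MAC; both sample configs and the key values in them are constructed placeholders.

```python
"""Audit an ASP.NET web.config for machineKey settings that matter once the
key material leaks: a static validationKey/decryptionKey lets whoever holds
it sign ViewState, and enableViewStateMac="false" removes the check entirely.
Added example; sample configs and key values are constructed placeholders.
"""
import xml.etree.ElementTree as ET

# Constructed sample: static keys hard-coded in the config (placeholder values).
STATIC_KEY_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>"""

# Constructed sample: per-application auto-generated keys, modern MAC.
AUTOGEN_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""


def audit_machine_key(config_xml: str) -> list[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    root = ET.fromstring(config_xml)
    mk = root.find("./system.web/machineKey")
    pages = root.find("./system.web/pages")
    if mk is not None:
        for attr in ("validationKey", "decryptionKey"):
            # ASP.NET defaults to AutoGenerate,IsolateApps; anything else is a
            # fixed secret that can leak via repos, backups or documentation
            # and then be reused to sign a malicious ViewState. Rotate it.
            if not mk.get(attr, "AutoGenerate").startswith("AutoGenerate"):
                findings.append(f"static {attr}: rotate and prefer AutoGenerate,IsolateApps")
        if mk.get("validation", "HMACSHA256").upper() in ("MD5", "SHA1"):
            findings.append("legacy validation algorithm: use HMACSHA256 or stronger")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false: ViewState is not integrity-checked")
    return findings
```

Run it against every web.config on the IIS host; any finding on the first list is a key-rotation task, since a key already in an attacker's hands stays valid until it is replaced.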

    Indicators of Compromise (IOC) List 

    IP Address:

    Hash:

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    IP Address:

    dstipaddress IN ("194.5.82.11","109.176.229.89","67.43.234.96","169.150.198.91","138.199.21.243","213.252.232.237","98.159.108.69","190.211.254.95","194.114.136.95","195.123.240.233") or srcipaddress IN ("194.5.82.11","109.176.229.89","67.43.234.96","169.150.198.91","138.199.21.243","213.252.232.237","98.159.108.69","190.211.254.95","194.114.136.95","195.123.240.233")

    Hash:

    sha256hash IN ("d4bfaf3fd3d3b670f585114b4619aaf9b10173c5b1e92d42be0611b6a9b1eff2","106506ebc7156be116fe5d2a4d662917ddbbfb286007b6ee7a2b01c9536b1ee4","87bd7e24af5f10fe1e01cfa640ce26e9160b0e0e13488d7ee655e83118d16697","55656f7b2817087183ceedeb4d9b78d3abee02409666bffbe180d6ea87ee20fb","18a90b3702776b23f87738b26002e013301f60d9801d83985a57664b133cadd1","d5d0772cb90d54ac3e3093c1ea9fcd7b878663f7ddd1f96efea0725ce47d46d5","b3c085672ac34f1b738879096af5fcd748953116e319367e6e371034366eaeca","c1f66cadc1941b566e2edad0d1f288c93bf060eef383c79638306638b6cefdf8","52a72f899991506d2b1df958dd8736f7baa26592d664b771c3c3dbaef8d3114a","d3767be11d9b211e74645bf434c9a5974b421cb96ec40d856f4b232a5ef9e56d","f368ec59fb970cc23f955f127016594e2c72de168c776ae8a3f9c21681860e9c")

    Reference:

    https://unit42.paloaltonetworks.com/initial-access-broker-exploits-leaked-machine-keys/


    Tags

    Threat Actor, TGR-CRI-0045, Gold Melody, UNC961, Prophet Spider, Europe, United States, Financial Services, Critical Manufacturing, Information Technology, Transportation Systems
