
Gold Melody IAB Exploits Exposed ASP.NET Machine Keys for Unauthorized Access to Targets

Other tools downloaded onto the systems include an ELF binary named atm, fetched from an external server (“195.123.240[.]233:443”), and a Golang port scanner called TXPortMap, used to map out the internal network and identify potential exploitation targets.

“TGR-CRI-0045 uses a simplistic approach to ViewState exploitation, loading a single, stateless assembly directly,” the researchers noted. “Each command execution requires re-exploitation and re-uploading the assembly (e.g., running the file upload assembly multiple times).”

“Exploiting ASP.NET View State deserialization vulnerabilities via exposed Machine Keys allows minimal on-disk presence and enables long-term access. The group’s opportunistic targeting and ongoing tool development highlight the need for organizations to prioritize identifying and remediating compromised Machine Keys.”
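One way to start identifying at-risk Machine Keys is to audit each application's web.config for hard-coded `<machineKey>` values. The sketch below is an added example, not code from the researchers or from the article; the sample configuration, its key material, and the `KNOWN_EXPOSED` blocklist are constructed for illustration, and the function names are hypothetical.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample: a web.config with a hard-coded validation key (fake key material).
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>"""


def key_fingerprint(key_hex):
    """SHA-256 of the normalised key, so blocklists never need to hold raw keys."""
    return hashlib.sha256(key_hex.strip().upper().encode("utf-8")).hexdigest()


# Hypothetical blocklist: fingerprints of keys known to be publicly disclosed.
# Constructed here from the fake sample key so the example is self-contained.
KNOWN_EXPOSED = {
    key_fingerprint("00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF")
}


def audit_machine_keys(config_xml, known_exposed=frozenset()):
    """Return (attribute, status, fingerprint prefix) for every hard-coded key.

    AutoGenerate values are skipped: they are created per machine and do not
    appear in the file. A hard-coded key is 'static' (readable by anyone who
    obtains the file) or 'publicly-known' (its fingerprint is on the blocklist).
    """
    findings = []
    root = ET.fromstring(config_xml)
    for element in root.iter("machineKey"):  # also matches keys under <location>
        for attr in ("validationKey", "decryptionKey"):
            # Drop modifiers such as ",IsolateApps" before inspecting the key.
            key = element.get(attr, "AutoGenerate").split(",")[0].strip()
            if key.lower() == "autogenerate":
                continue
            fingerprint = key_fingerprint(key)
            status = "publicly-known" if fingerprint in known_exposed else "static"
            findings.append((attr, status, fingerprint[:12]))
    return findings


if __name__ == "__main__":
    for finding in audit_machine_keys(SAMPLE_WEB_CONFIG, KNOWN_EXPOSED):
        print(finding)
```

Any key reported as `publicly-known` should be rotated, and a `static` key is worth reviewing wherever the configuration file has been copied, committed, or shared.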
