National Cyber Warfare Foundation (NCWF)

IIS Backdoor Exploiting Exposed ASP.NET Machine Keys (Campaign)
0 user ratings		2026-01-16 10:45:39
milo
Attacks
 - archive -- 
Initial access leverages IIS apps configured with reused/public machineKey (ValidationKey/DecryptionKey) values, enabling __VIEWSTATE deserialization to run arbitrary commands. Following foothold, REF3927 deploys Godzilla-family webshells (e.g., 1.aspx) and GotoHTTP for GUI ac...

Initial access leverages IIS apps configured with reused/public machineKey (ValidationKey/DecryptionKey) values, enabling __VIEWSTATE deserialization to run arbitrary commands. Following foothold, REF3927 deploys Godzilla-family webshells (e.g., 1.aspx) and GotoHTTP for GUI ac...

Source: Wiz
Source Link: https://threats.wiz.io/all-incidents/iis-backdoor-exploiting-exposed-aspnet-machine-keys

Comments
new comment
Nobody has commented yet. Will you be the first?
  
Forum
Attacks


Copyright 2012 through 2026 - National Cyber Warfare Foundation - All rights reserved worldwide.