An advanced cyber operation has recently been identified, led by a group of Initial Access Brokers (IABs) that exploit leaked machine keys in applications developed with ASP.NET.
In this case, the group identified is Prophet Spider, which compromises vulnerable web servers and sells that access to third parties, who then deploy malware or ransomware. Its targets include European and American entities in sectors such as finance, manufacturing, commerce and transportation.
The group employs a technique known as ASP.NET ViewState deserialization, through which it executes malicious code directly in the server's memory. This leaves few conventional forensic traces and allows each malicious command to be delivered and processed individually.
Once executed, these payloads run inside the IIS (Internet Information Services) server process, allowing the intruders to run commands, move files and maintain persistent access. The repeated use of the C:\Windows\Temp\111t directory and of the updf binary was also noted; the latter uses the GodPotato technique to escalate privileges and obtain SYSTEM-level access.
"The main objective continues to be to establish and maintain initial accesses, which can later be marketed with other criminal actors within the cybercrime ecosystem," explains Víctor Ruiz, founder of SILIKN and author of the analysis.
The research notes that one of the biggest detection challenges is that the POST requests used in these attacks are rarely logged by traditional systems. In addition, the use of techniques such as reflective loading of .NET assemblies allows Prophet Spider to evade standard endpoint controls.
In Mexico, SILIKN's research unit identified that nearly 400 government agencies have similar vulnerable configurations, including the Federal Electricity Commission (CFE) and the National Water Commission (Conagua).
"The CFE has historically been a frequent target of cyberattacks," the report states. In 2015, approximately 70% of the attacks directed at the federal government focused on CFE and Pemex. In 2019, more than 4,200 events were recorded in a five-month period. During 2020, the Superior Audit of the Federation warned about the absence of updates and penetration tests. In response, the CFE allocated more than 400 million pesos in 2025 to update its systems and strengthen surveillance, especially after global events such as blackouts attributed to groups such as Guacamaya.
For its part, Conagua was affected in April 2023 by the BlackByte ransomware, which paralyzed its systems, including the National Water Information System and the servers of the National Meteorological Service.
Experts recommend that organizations review their ASP.NET deployments for exposed machine keys and verify that ViewState MAC is enabled. They also suggest conditionally logging POST requests, monitoring for Windows Event 1316, and using advanced endpoint detection solutions to identify .NET reflective loading.
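The two recommendations above (check configurations for exposed machine keys and a disabled ViewState MAC; watch for Event 1316) can be turned into a small defender-side script. The following is an added example written for this article, not SILIKN's tooling or code from the report: it audits an ASP.NET web.config for hard-coded `<machineKey>` values, weak validation algorithms and `enableViewStateMac="false"`, and it groups ASP.NET event 1316 (ViewState MAC verification failed) by client address to surface repeated attempts from one source. The sample configs, the event records and the "compromised key" set are all constructed placeholders; the event field names (`time`, `event_id`, `client_ip`) are assumptions about how you would export the Application log, not a Windows API.

```python
"""Added example: config audit and Event 1316 burst detection for ASP.NET
ViewState abuse. Sample data below is constructed, not taken from any incident."""
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder standing in for keys the organization treats as compromised
# (for example, copied from a public sample project). Constructed, not real.
COMPROMISED_VALIDATION_KEYS = {"0123456789ABCDEF" * 4}

# Validation algorithms that old configs may still name; HMACSHA256 is the
# modern default and MD5/SHA1 should be migrated away from.
WEAK_VALIDATION = {"md5", "sha1"}


def audit_web_config(xml_text, compromised=COMPROMISED_VALIDATION_KEYS):
    """Return a list of issue tags for one web.config (empty list = nothing found)."""
    issues = []
    root = ET.fromstring(xml_text)
    # <machineKey> can sit under <system.web> or inside a <location> block,
    # so walk the whole tree rather than one fixed path.
    keys = list(root.iter("machineKey"))
    if not keys:
        # Keys are auto-generated per server: acceptable on a single host, but a
        # web farm needs an explicit secret key stored outside source control.
        issues.append("machinekey-autogenerated")
    for mk in keys:
        vkey = mk.get("validationKey", "AutoGenerate")
        dkey = mk.get("decryptionKey", "AutoGenerate")
        if not vkey.startswith("AutoGenerate"):
            # A literal key in the file is a secret: rotate it if the file was
            # ever exposed, and never reuse a key taken from a public example.
            issues.append("static-validationkey")
            if vkey.upper() in compromised:
                issues.append("compromised-validationkey")
        if not dkey.startswith("AutoGenerate"):
            issues.append("static-decryptionkey")
        if mk.get("validation", "HMACSHA256").lower() in WEAK_VALIDATION:
            issues.append("weak-validation-" + mk.get("validation").lower())
    for pages in root.iter("pages"):
        # Disabling the MAC removes the only check that stops a forged ViewState
        # from being deserialized (newer runtimes ignore "false", but the
        # setting still signals a misconfigured application).
        if pages.get("enableViewStateMac", "true").lower() == "false":
            issues.append("viewstatemac-disabled")
    return issues


def find_mac_failure_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Return {client_ip: max_count} for clients that produced at least
    `threshold` event 1316 entries inside any interval of length `window`.
    `events` is an iterable of dicts with 'time', 'event_id' and 'client_ip'
    (assumed export format; 1316 = ASP.NET ViewState MAC validation failure)."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 1316:
            by_ip[ev["client_ip"]].append(ev["time"])
    bursts = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts[ip] = max(bursts.get(ip, 0), end - start + 1)
    return bursts


# Constructed sample configs: one with every weakness, one that is clean.
SAMPLE_WEAK_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="{k}" decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>""".format(k="0123456789ABCDEF" * 4)

SAMPLE_OK_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

# Constructed event records: three MAC failures from one address in 45 seconds,
# one unrelated event and one isolated failure from another address.
T0 = datetime(2025, 1, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    {"time": T0 + timedelta(seconds=s), "event_id": eid, "client_ip": ip}
    for s, eid, ip in [(0, 1316, "203.0.113.5"), (20, 1316, "203.0.113.5"),
                       (45, 1316, "203.0.113.5"), (60, 1309, "198.51.100.9"),
                       (90, 1316, "198.51.100.9")]
]

if __name__ == "__main__":
    print(audit_web_config(SAMPLE_WEAK_CONFIG))
    print(audit_web_config(SAMPLE_OK_CONFIG))
    print(find_mac_failure_bursts(SAMPLE_EVENTS))
```

In practice you would run `audit_web_config` over every web.config on each IIS host (including those under `<location>` overrides) and feed `find_mac_failure_bursts` from a scheduled export of the Application log; a burst of 1316 events from one address is the kind of signal the article says is otherwise lost when POST bodies are not logged.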
"Advanced monitoring and permanent updating of technological infrastructures are essential to contain this new wave of threats," concludes Ruiz.