Update: Threat Group Exploits Leaked ASP.NET Machine Keys for Stealthy Web Server Attacks
A threat group tracked as TGR-CRI-0045 has been carrying out an advanced campaign since late 2024, using stolen ASP.NET Machine Keys to silently compromise web servers across the Financial, Manufacturing, and Transportation sectors in Europe and the U.S. These attackers are leveraging a technique called View State deserialization, where they craft malicious payloads that execute directly in server memory through HTTP POST requests. This approach bypasses typical disk-based detection, making it difficult for defenders to spot. The attackers use tools to generate these payloads and deploy them one command at a time, minimizing their footprint and making each action harder to detect. Researchers linked this group to the Gold Melody cybercrime operation and observed that they use custom tools for privilege escalation and reconnaissance; however, they have not yet engaged in lateral movement within target networks. This campaign highlights serious gaps in how organizations monitor web server activity. Because many environments do not log POST requests or monitor View State deserialization, these attacks often go undetected. By abusing weak cryptographic practices in ASP.NET deployments, the group maintains access and likely sells it to other cybercriminals for further exploitation. Security experts recommend that organizations immediately review their ASP.NET configuration, regenerate any exposed Machine Keys, and enable message authentication for View State data. Additional defenses should include improved request logging and endpoint monitoring for reflective .NET activity, which can help detect these memory-based exploits. The campaign shows how a single cryptographic hygiene failure, a leaked signing key, is enough to enable a stealthy web server compromise.
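As an added illustration of the configuration review recommended above (example code written for this digest, not tooling from the original report or any vendor), the following Python auditor reads a web.config and flags a static machineKey, a weak validation algorithm and a disabled View State MAC. Both sample configurations are constructed; the assumed defaults for a missing attribute are noted in comments.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs for illustration only; not taken from any real deployment.
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF" decryptionKey="FEDCBA9876543210" validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>"""

HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="HMACSHA256" decryption="AES" />
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>"""

# Validation algorithms considered acceptable for View State MACs.
STRONG_VALIDATION = {"HMACSHA256", "HMACSHA384", "HMACSHA512"}


def audit_viewstate_config(config_xml: str) -> list[str]:
    """Return a list of findings about View State key and MAC hygiene in a web.config."""
    root = ET.fromstring(config_xml)
    sysweb = root.find("system.web")
    if sysweb is None:
        return ["no <system.web> section: nothing to audit"]
    findings = []
    mk = sysweb.find("machineKey")
    if mk is not None:
        # A missing key attribute is treated as the ASP.NET default "AutoGenerate,IsolateApps" (assumption).
        for attr in ("validationKey", "decryptionKey"):
            value = mk.attrib.get(attr, "AutoGenerate,IsolateApps")
            if not value.startswith("AutoGenerate"):
                findings.append(f"static {attr} in web.config: regenerate it if the file was ever exposed")
        # A missing validation attribute is treated as HMACSHA256 (the .NET 4.5+ default; assumption).
        algorithm = mk.attrib.get("validation", "HMACSHA256").upper()
        if algorithm not in STRONG_VALIDATION:
            findings.append(f"validation={algorithm!r}: use an HMAC-SHA2 algorithm for View State MACs")
    pages = sysweb.find("pages")
    if pages is not None and pages.attrib.get("enableViewStateMac", "true").lower() == "false":
        findings.append('enableViewStateMac="false": View State integrity checks are disabled')
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(name, audit_viewstate_config(cfg) or ["no findings"])
```

A static key is not a defect by itself (web farms need one), so the finding asks whether it was regenerated after any exposure rather than demanding auto-generation.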
Anatsa Banking Trojan Campaign Expands to North America Through Malicious Google Play Apps
A recent Android malware campaign has been uncovered using the Anatsa banking trojan to target users in the United States and Canada. The malware was concealed in a malicious app called “Document Viewer - File Reader,” which posed as a legitimate PDF update tool on the Google Play Store. Once installed, the app employed deceptive tactics, such as fake maintenance notices, to overlay banking applications and steal user credentials. Following its typical pattern, the malware authors first launched a clean version of the app to build trust and downloads before silently introducing the malicious code several weeks later. This campaign marks the third confirmed wave of Anatsa activity in North America, continuing the trojan’s evolution from earlier operations in Europe. The malware is designed for credential theft and Device Takeover Fraud (DTO), enabling it to initiate fraudulent transactions from infected devices without user awareness. The app was published by a fake developer account and garnered approximately 90,000 downloads before it was taken down by Google. Analysis reveals that the malware dynamically updates its target list of banking institutions, expanding its reach across North American financial applications. Security researchers highlight Anatsa’s cyclical deployment strategy, where periods of no malicious activity help it evade detection and maintain success rates. Google has since removed the identified apps from the Play Store and recommends users rely on Play Protect for additional protection. Organizations in the financial sector are advised to review their fraud detection capabilities and assess whether their customers could be at risk from this or similar mobile banking threats.
TapTrap: A Dangerous New Android Exploit Abusing UI Animations
Security researchers from TU Wien and the University of Bayreuth have exposed a critical Android vulnerability named TapTrap, which exploits activity transition animations to carry out stealthy attacks. Unlike traditional tapjacking that uses visible overlays, TapTrap manipulates the system’s built-in animation framework to launch nearly invisible permission screens on top of legitimate app interfaces. This transparent activity intercepts touch inputs without raising suspicion, causing users to unknowingly approve sensitive permissions. During the attack, users believe they are interacting with the original app interface, while in reality, they are tapping hidden system prompts granting access to the camera, microphone, contacts, and location. Researchers also demonstrated that attackers could escalate the attack to wipe the device completely or steal critical notification content, including two-factor authentication codes. After scanning nearly 100,000 Play Store apps, the team found that 76% contain activities that are vulnerable to this attack, mainly because they allow third-party launches, share the same task stack, and fail to override transition animations or properly block input during animations. The vulnerability affects both Android 15 and the newer Android 16, leaving even Google’s Pixel 8a and other flagship devices exposed to this attack vector. While Chrome and Firefox have since addressed the browser-level risks by patching their animation handling, the Android operating system itself has yet to implement a system-wide fix. Google acknowledged the vulnerability but has not committed to a specific timeline for releasing a security patch. Until then, the only mitigation for app developers is to modify their activity transition settings and delay user input handling until animations finish, workarounds that only partially protect against this attack.
Researchers recommend that Google implement more robust protections, including blocking touch input during low-opacity animations and restricting extreme zoom transitions. TapTrap demonstrates how overlooked aspects of user interface design can be turned into an attack vector when combined with subtle timing and visibility tricks.