TOLLBOOTH (REF3927): Leaked ASP.NET machine keys to IIS code exec, SEO cloaking, and persistence

Elastic Security Labs documents an intrusion cluster (REF3927) abusing publicly disclosed ASP.NET machine keys to sign malicious ViewState and achieve in‑process code execution on IIS, then dropping an IIS module dubbed TOLLBOOTH for monetization/persistence and layering in a modified “Hidden” rootkit and off‑the‑shelf tools like Godzilla and GotoHTTP. Elastic report. (elastic.co)

Microsoft independently warned earlier in 2025 that over 3,000 machine keys had been found in public repos and documentation, and that threat actors were already using these to perform ViewState code injection leading to Godzilla deployment. Microsoft Security Blog. (microsoft.com)

Key point for DFIR: when an attacker knows (or your app reuses) a machineKey ValidationKey/DecryptionKey pair, ViewState deserialization can yield RCE inside w3wp.exe without a file drop or child process, and rotating keys after compromise may be insufficient if persistence has already been established. Microsoft guidance. (microsoft.com)


Intrusion chain at a glance

  • Initial access: adversary finds IIS sites that reuse publicly posted ASP.NET machine keys, then crafts signed ViewState to achieve code execution in the application pool worker process. Elastic, Microsoft. (elastic.co)
  • Post‑exploitation: deploy/fork of the Godzilla “memshell” framework (Z‑Godzilla_ekp) for in‑memory tasking; attempts at account creation and credential access; fallback to the GotoHTTP RMM client for hands‑on persistence; install of TOLLBOOTH IIS module; attempted load of a rootkit derived from the open‑source “Hidden” project. Elastic. (elastic.co)
  • Objective: SEO cloaking and traffic hijacking via TOLLBOOTH, plus a backdoor webshell route if needed. Elastic. (elastic.co)

Related prior reporting confirms the ViewState + Godzilla tradecraft and the broad risk from widely leaked keys. AhnLab ASEC, Microsoft. (asec.ahnlab.com)


What TOLLBOOTH does (forensically relevant)

Elastic observed both native and managed variants:

  • Configuration fetched per‑victim over HTTPS from a staging domain pattern such as c.cseo99[.]com/config/.json; local cache paths differ by variant. Elastic. (elastic.co)
  • Native module cache: GZip blobs under C:\Windows\Temp\_FAB234CD3-09434-8898D-BFFC-4E23123DF2C\. Managed module cache: AES‑encrypted (key/IV embedded), then GZip, under C:\Windows\Temp\AcpLogs\. Elastic. (elastic.co)
  • Built‑in webshell endpoint: /mywebdll (auth required) posting to /scjg with a hardcoded password; plus operator “management” endpoints gated by spoofed crawler user‑agents (e.g., Googlebot variants) for health/config views. Elastic. (elastic.co)
  • Observed binaries and indicators include module DLL names like CustomIISModule.dll, scripts.dll, caches.dll, plus operator infra domains for SEO and config fetch. Elastic observables. (elastic.co)

The cluster also used a Windows kernel rootkit compiled from the public “Hidden” project, with user‑mode controller strings in Chinese and DKOM‑style process hiding, registry and filesystem filtering, plus IOCTLs to add/remove hidden objects and protected images. Elastic rootkit analysis. (elastic.co)


Artefact and log triage checklist

Prioritize volatile collection from the IIS host and then pivot to configs and temp paths:

  1. IIS request telemetry
  • Look for large POSTs with __VIEWSTATE to any .aspx, often clustered around HTTP 500 responses when exploit test payloads run. Elastic, ACSC detection advice. (elastic.co)
  • Alert on unusually large ViewState (kilobytes) and repeated POSTs to non‑form endpoints. ACSC. (cyber.gov.au)

Example Kibana KQL (HTTP logs indexed):

network.direction: "ingress" and
http.request.method: "POST" and
http.request.body.content: "__VIEWSTATE=" and
http.response.status_code: 500 and
http.request.body.bytes >= 2000 and
http.response.headers.server: Microsoft-IIS*

Elastic publishes a similar analytic for ViewState RCE attempts in IIS/SharePoint environments. Elastic detection rule. (elastic.co)
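The same heuristic applied offline to raw IIS W3C logs, as an added example that is not Elastic's detection rule or code from the report: it flags ViewState-sized POSTs to .aspx and then groups, per client, runs of HTTP 500s followed by a success, the fail-then-succeed shape of payload testing. It assumes the optional cs-bytes (Bytes Received) logging field is enabled, and runs over a constructed log sample embedded in the script.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in IIS W3C extended format (not real telemetry).
# cs-bytes (Bytes Received) is an optional IIS logging field and is
# assumed to be enabled; the request body itself is never logged.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status sc-substatus cs-bytes time-taken
2025-10-01 08:00:01 10.0.0.5 GET /default.aspx - 443 198.51.100.7 Mozilla/5.0 200 0 412 15
2025-10-01 08:00:03 10.0.0.5 POST /default.aspx - 443 198.51.100.7 Mozilla/5.0 500 0 7321 22
2025-10-01 08:00:04 10.0.0.5 POST /default.aspx - 443 198.51.100.7 Mozilla/5.0 500 0 7298 19
2025-10-01 08:00:06 10.0.0.5 POST /default.aspx - 443 198.51.100.7 Mozilla/5.0 200 0 7410 31
2025-10-01 08:10:00 10.0.0.5 POST /contact.aspx - 443 203.0.113.9 Mozilla/5.0 302 0 1150 12
"""

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def viewstate_sized_posts(text, min_bytes=2000):
    """POSTs to .aspx whose request size is in the range a stuffed
    __VIEWSTATE produces; cs-bytes stands in for the body we cannot see."""
    return [r for r in parse_w3c(text)
            if r.get("cs-method") == "POST"
            and r.get("cs-uri-stem", "").lower().endswith(".aspx")
            and int(r.get("cs-bytes", 0)) >= min_bytes]

def error_clusters(hits, window=timedelta(minutes=5), min_500s=2):
    """Per client IP, report runs of HTTP 500s inside `window` and the first
    2xx/3xx that follows them: the fail-then-succeed shape of payload testing.
    Returns {c-ip: (count_of_500s, time_of_first_later_success_or_None)}."""
    by_ip = defaultdict(list)
    for r in hits:
        ts = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
        by_ip[r["c-ip"]].append((ts, int(r["sc-status"])))
    clusters = {}
    for ip, events in by_ip.items():
        events.sort()
        errs = [t for t, s in events if s == 500]
        if len(errs) >= min_500s and errs[-1] - errs[0] <= window:
            later_ok = [t for t, s in events if s < 400 and t >= errs[-1]]
            clusters[ip] = (len(errs), later_ok[0] if later_ok else None)
    return clusters
```

Correlate each flagged client and time window with ASP.NET ViewState exception events from the application log before escalating.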

  2. Windows application events
  • Inspect ASP.NET application log entries for ViewState exceptions around the time of suspicious POSTs. Event ID 1316 (“Viewstate verification failed”) and message code 4009 are common during failed attempts; successful signed payloads may not error. ACSC, Google Cloud TI example. (cyber.gov.au)
  • Watch for EDR alerts like “IIS worker process loaded suspicious .NET assembly” during exploitation. Microsoft. (microsoft.com)
  3. IIS configuration and module inventory
  • applicationHost.config lives at %WinDir%\System32\inetsrv\config\applicationHost.config; review <globalModules> and <modules> for unexpected additions or non‑standard DLL paths. Microsoft Learn, globalModules, modules. (learn.microsoft.com)
  • Hunt for TOLLBOOTH artefacts and caches:
    • C:\Windows\Temp\_FAB234CD3-09434-8898D-BFFC-4E23123DF2C\ (native)
    • C:\Windows\Temp\AcpLogs\ (managed)
    • DLL names seen in the wild: CustomIISModule.dll, scripts.dll, caches.dll
    • Config fetch to c.cseo99[.]com and related SEO infra domains. Elastic. (elastic.co)
  4. Webshells and post‑exploitation
  • Godzilla/Z‑Godzilla_ekp often communicates via AES/Base64 in POST params and can operate filelessly as a “memshell.” Expect .aspx stagers such as error.aspx or 1.aspx. Elastic, AhnLab. (elastic.co)
  • TOLLBOOTH exposes a gated webshell at /mywebdll with a fixed credential and a form posting to /scjg. Treat any hits to those endpoints as high‑fidelity. Elastic. (elastic.co)
  5. RMM tooling

Practical detection ideas (ready to paste)

  1. Hunt ViewState exploitation in HTTP telemetry (Elastic/KQL)
http.request.method: "POST" and
http.request.body.content: "__VIEWSTATE=" and
http.request.body.bytes >= 2000 and
url.path: *.aspx and
network.direction: ingress and
http.response.status_code: (500 or 200 or 302)

Reference: Elastic’s example and ACSC heuristics on large ViewState and 500 clusters. Elastic, ACSC. (elastic.co)

  2. Find suspicious IIS module registrations (PowerShell)
# Server-level (native) modules registered in applicationHost.config
[xml]$appHost = Get-Content -Raw "$env:windir\System32\inetsrv\config\applicationHost.config"
$mods = $appHost.configuration.'system.webServer'.globalModules.add |
  Select-Object name, image
# Image paths are stored with %windir% unexpanded, so expand before comparing.
# Stock native modules live under inetsrv; the managed engine under Microsoft.NET.
$mods | Where-Object {
  $_.image -and
  ([Environment]::ExpandEnvironmentVariables($_.image) -notlike "$env:windir\System32\inetsrv\*") -and
  ([Environment]::ExpandEnvironmentVariables($_.image) -notlike "$env:windir\Microsoft.NET\*")
}

# App-level managed modules declared in site web.config files
Get-ChildItem -Recurse -Filter web.config C:\inetpub\wwwroot | ForEach-Object {
  $file = $_.FullName   # capture here; $_ is rebound inside Select-Object
  try {
    [xml]$w = Get-Content -Raw $file
    $adds = $w.configuration.'system.webServer'.modules.add
    if ($adds) {
      $adds | Select-Object @{n='SiteConfig';e={$file}}, name, type
    }
  } catch { Write-Warning "Could not parse $file" }
}

Reference: Microsoft Learn on applicationHost.config and modules. Docs, globalModules. (learn.microsoft.com)
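The same inventory idea carried one step further, as an added example that is not code from Elastic or Microsoft: diff globalModules against a gold baseline, flag native images outside the stock IIS/.NET directories, list managed modules for review, and catch enabled native modules with no registration. The applicationHost.config fragment, the module named Telemetry and the baseline set are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config fragment (real files are far larger):
# two stock entries plus one module whose image lives outside inetsrv.
SAMPLE_APPHOST = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="ManagedEngineV4.0_64bit" image="%windir%\Microsoft.NET\Framework64\v4.0.30319\webengine4.dll" />
      <add name="CustomModule" image="C:\inetpub\temp\CustomIISModule.dll" />
    </globalModules>
    <modules>
      <add name="StaticFileModule" />
      <add name="CustomModule" />
      <add name="Telemetry" type="Site.Telemetry, Site" />
    </modules>
  </system.webServer>
</configuration>
"""

# Hypothetical gold baseline captured from a clean host: (name, image) pairs.
BASELINE = {
    ("StaticFileModule", r"%windir%\System32\inetsrv\static.dll"),
    ("ManagedEngineV4.0_64bit", r"%windir%\Microsoft.NET\Framework64\v4.0.30319\webengine4.dll"),
}
# Directories stock native modules ship from; anything else deserves a look.
STOCK_PREFIXES = ("%windir%\\system32\\inetsrv\\", "%windir%\\microsoft.net\\")

def audit_apphost(xml_text, baseline=BASELINE):
    """Return (kind, name, detail) findings: native modules missing from the
    baseline or loaded from a non-standard path, managed modules (listed for
    review since they need no globalModules entry), and enabled native
    modules with no registration."""
    root = ET.fromstring(xml_text)
    findings = []
    native = [(a.get("name"), a.get("image"))
              for a in root.iterfind("./system.webServer/globalModules/add")]
    for name, image in native:
        if (name, image) not in baseline:
            findings.append(("not_in_baseline", name, image))
        if not image.lower().startswith(STOCK_PREFIXES):
            findings.append(("nonstandard_path", name, image))
    registered = {n for n, _ in native}
    for a in root.iterfind("./system.webServer/modules/add"):
        if a.get("type"):
            findings.append(("managed_module", a.get("name"), a.get("type")))
        elif a.get("name") not in registered:
            findings.append(("enabled_unregistered", a.get("name"), None))
    return findings
```

Run it against a copy of the live file and the baseline captured from a gold image; every finding is a candidate for the eviction step below, and managed-module types should be checked against the site's own deployment.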

  3. Sweep for TOLLBOOTH caches and known files (PowerShell)
# Cache directories reported by Elastic; any content here is suspect,
# so list everything with timestamps for timelining
$cachePaths = @(
  "C:\Windows\Temp\_FAB234CD3-09434-8898D-BFFC-4E23123DF2C",
  "C:\Windows\Temp\AcpLogs"
)
Get-ChildItem $cachePaths -Recurse -Force -ErrorAction SilentlyContinue |
  Select-Object FullName, Length, CreationTime, LastWriteTime

# Module DLL names seen in the wild; search where IIS modules are typically dropped
$names = @("CustomIISModule.dll", "scripts.dll", "caches.dll")
Get-ChildItem "C:\inetpub", "$env:windir\System32\inetsrv", "$env:windir\Temp" -Recurse -Force -Include $names -ErrorAction SilentlyContinue |
  Select-Object FullName, Length, CreationTime, LastWriteTime

Reference: Elastic’s artefact paths and filenames. Elastic. (elastic.co)

  4. YARA and content matches
  • Elastic published YARA for Tollbooth, Hidden driver/CLI. Deploy in your scanning pipeline and triage hits. YARA set via Elastic links. Elastic. (elastic.co)
  5. RMM controls
  • Monitor/allowlist legitimate RMM products; block the rest egress‑wise. This is consistent with CISA/NSA guidance on malicious RMM use and Proofpoint’s observations of RMM abuse. CISA AA23‑025A, Proofpoint. (cisa.gov)

Response guidance (prioritize integrity over uptime)

  1. Assume key compromise; rotate correctly and re‑establish trust
  • If any ViewState exploitation is suspected, treat ValidationKey/DecryptionKey as burned. Rotate keys consistently across all farm members and remove hardcoded keys where possible, preferring auto‑generation. Do not rely on rotation alone if post‑exploitation is evident. Microsoft. (microsoft.com)
  2. Evict persistence
  • Remove rogue IIS modules at both the server level (<globalModules> in applicationHost.config) and the app level (<modules> in web.config); confirm DLL paths are gone and application pools recycled. Validate applicationHost.config integrity from a known‑good baseline. Microsoft Learn. (learn.microsoft.com)
  • If Hidden‑derived driver is present or suspected, favor offline triage and re‑provision from gold images. Rootkits that hook process/file/registry views can blind live responders. Elastic. (elastic.co)
  3. Contain C2 and tooling
  • Block or sink traffic to operator infra reported for TOLLBOOTH (e.g., c.cseo99[.]com and related SEO domains) and remove GotoHTTP binaries/configs; rotate any credentials used on the host. Elastic, GotoHTTP. (elastic.co)
  4. Hardening moving forward
  • Eliminate reuse of public machine keys; audit code and repos for committed keys; encrypt sensitive config sections. Consider upgrading to ASP.NET 4.8 for AMSI integrations, and enforce server ASR rules (e.g., block webshell creation). Microsoft recommendations. (microsoft.com)

MITRE ATT&CK mapping (primary)

  • T1190 Exploit Public‑Facing Application: signed ViewState → in‑process RCE. ATT&CK. (attack.mitre.org)
  • T1505.004 Server Software Component: IIS Components: malicious module for backdoor/SEO cloaking. ATT&CK. (attack.mitre.org)
  • Additional tactics/techniques observed by Elastic include OS Credential Dumping, Rootkit, Hide Artifacts, Valid Accounts. Elastic. (elastic.co)

Sample IOCs (pivot seed, not exhaustive)

Domains
- c.cseo99[.]com
- f.fseo99[.]com
- api.aseo99[.]com

Files (SHA-256 examples)
- CustomIISModule.dll / scripts.dll / caches.dll (multiple hashes reported)
- Winkbj.sys (rootkit driver)
- WingtbCLI.exe (rootkit controller)
- GotoHTTP.exe

Paths
- C:\Windows\Temp\_FAB234CD3-09434-8898D-BFFC-4E23123DF2C\
- C:\Windows\Temp\AcpLogs\

Source: Elastic’s observables section; validate against the latest list before blocking. Elastic. (elastic.co)


Analyst notes on Godzilla/Z‑Godzilla_ekp

This family supports encrypted in‑memory tasking against .aspx stagers and ships with plugins for discovery, privilege escalation, and credential theft; AhnLab previously documented Godzilla distributed via ViewState abuse in ASP.NET environments. Elastic, AhnLab. (elastic.co)


Takeaways

  • Inventory IIS modules now; diff against a gold baseline and rip out anything unknown. Monitor for new <globalModules>/<modules> entries. Microsoft Learn. (learn.microsoft.com)
  • Hunt for large __VIEWSTATE POSTs and 500 clusters; correlate with ASP.NET ViewState exception events. ACSC. (cyber.gov.au)
  • Sweep temp paths (_FAB... / AcpLogs) and known filenames; deploy Elastic’s YARA set for Tollbooth/Hidden. Elastic. (elastic.co)
  • Don’t reuse public machine keys; rotate correctly and reimage if persistence is suspected. Microsoft. (microsoft.com)
  • Allowlist approved RMMs and block the rest; investigate any GotoHTTP presence. CISA, GotoHTTP. (cisa.gov)

Sources / References