TOLLBOOTH (REF3927): Leaked ASP.NET machine keys to IIS code exec, SEO cloaking, and persistence
Elastic Security Labs documents an intrusion cluster (REF3927) abusing publicly disclosed ASP.NET machine keys to sign malicious ViewState and achieve in‑process code execution on IIS, then dropping an IIS module dubbed TOLLBOOTH for monetization/persistence and layering in a modified “Hidden” rootkit and off‑the‑shelf tools like Godzilla and GotoHTTP. Elastic report. (elastic.co)
Microsoft independently warned earlier in 2025 that over 3,000 machine keys had been found in public repos and documentation, and that threat actors were already using these to perform ViewState code injection leading to Godzilla deployment. Microsoft Security Blog. (microsoft.com)