Cybersecurity researchers at Cisco Talos have published a threat profile on “ToyMaker,” an initial access broker (IAB) known for compromising high-value targets and selling access to ransomware operators, notably the Cactus group.
According to Talos, ToyMaker is behind the custom backdoor dubbed ‘LAGTOY’ (aka HOLERUN). In a 2023 incident involving a critical infrastructure enterprise, Talos observed a rapid compromise and lateral movement within just one week. After this, ToyMaker ceased activities, leaving no signs of data exfiltration or further reconnaissance, suggesting financial motivations rather than espionage.
Talos reports that after ToyMaker extracted credentials and deployed the LAGTOY backdoor, there was a noticeable pause in activity. Approximately three weeks later, the Cactus ransomware group entered the target network using the stolen credentials and deployed its own toolset. Cactus then performed extensive reconnaissance and launched a ransomware campaign using double extortion tactics.
ToyMaker typically breaches networks by exploiting unpatched, internet-facing servers. Once inside, the attacker installs OpenSSH on the compromised Windows host to enable remote access, starting an SSH listener (sshd.exe) and deploying sftp-server.exe, the OpenSSH component that provides file transfer over the SSH session. One of the first payloads downloaded via this channel is Magnet RAM Capture, a legitimate forensic tool that captures the contents of physical memory; the resulting memory dumps are then mined for credentials.
Once Cactus took control of the compromised infrastructure, the intruders launched their own campaign using a suite of remote administration tools, including eHorus Agent (Pandora RC), AnyDesk, Remote Utilities (RMS Remote Admin), OpenSSH, and Impacket.
The Cactus gang also leveraged PowerShell and Metasploit, creating new user accounts, disabling security tools by booting systems into Safe Mode, and employing modified binaries of PuTTY and ApacheBench for code execution.
The group began its attack by running WSMAN discovery scripts to identify endpoints configured for PowerShell remoting, then moved laterally across the network at speed.
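The behaviours described in the last few paragraphs (OpenSSH server binaries dropped outside their install directory, a memory-capture tool executed under the SSH channel, Safe Mode boot reconfiguration, new local accounts, and WSMAN discovery) all leave traces in process-creation telemetry. The hunt below is an added example, not code from Talos or from the report; it runs a handful of rules over constructed Sysmon-style process-creation records. The install directories, the use of the PE file description to recognise Magnet RAM Capture, `bcdedit ... safeboot` as the Safe Mode indicator, and `Test-WSMan` as the discovery cmdlet are all assumptions of this example, not details taken from the page.

```python
"""Hunt for ToyMaker / Cactus tradecraft in process-creation events (added example)."""
import re
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record, Sysmon Event ID 1 style (fields constructed here)."""
    host: str
    image: str            # full path of the new process
    cmdline: str
    parent: str           # full path of the parent process
    description: str = ""  # PE FileDescription as Sysmon records it


# Assumed legitimate install locations of the Windows OpenSSH server.
OPENSSH_DIRS = (r"c:\windows\system32\openssh", r"c:\program files\openssh")
OPENSSH_SERVER_BINARIES = {"sshd.exe", "sftp-server.exe"}
NET_USER_ADD = re.compile(r"\buser\b.*\s/add\b", re.IGNORECASE)
WSMAN_DISCOVERY = re.compile(r"\btest-wsman\b", re.IGNORECASE)


def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _in_expected_dir(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(d + "\\") for d in OPENSSH_DIRS)


def openssh_outside_install_dir(e: ProcEvent) -> bool:
    """sshd.exe / sftp-server.exe started from a directory the OS feature does not use."""
    return _name(e.image) in OPENSSH_SERVER_BINARIES and not _in_expected_dir(e.image)


def memory_capture_tool(e: ProcEvent) -> bool:
    """Magnet RAM Capture identified by its PE description (assumed), whatever the file is named."""
    return "magnet ram capture" in e.description.lower()


def safe_mode_boot_config(e: ProcEvent) -> bool:
    """bcdedit used to force a Safe Mode boot, where most security agents do not load (assumed indicator)."""
    return _name(e.image) == "bcdedit.exe" and "safeboot" in e.cmdline.lower()


def local_account_creation(e: ProcEvent) -> bool:
    return _name(e.image) in {"net.exe", "net1.exe"} and NET_USER_ADD.search(e.cmdline) is not None


def wsman_discovery(e: ProcEvent) -> bool:
    """PowerShell probing remote hosts for WinRM / PowerShell remoting (Test-WSMan assumed)."""
    return _name(e.image) in {"powershell.exe", "pwsh.exe"} and WSMAN_DISCOVERY.search(e.cmdline) is not None


RULES: dict[str, Callable[[ProcEvent], bool]] = {
    "openssh_outside_install_dir": openssh_outside_install_dir,
    "memory_capture_tool": memory_capture_tool,
    "safe_mode_boot_config": safe_mode_boot_config,
    "local_account_creation": local_account_creation,
    "wsman_discovery": wsman_discovery,
}


def hunt(events: list[ProcEvent]) -> list[tuple[str, str, str]]:
    """Return (rule, host, image) for every event that trips a rule."""
    return [(rule, e.host, e.image) for e in events for rule, fn in RULES.items() if fn(e)]


def summarize(hits: list[tuple[str, str, str]]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for rule, _host, _image in hits:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


# Constructed sample telemetry: one benign OpenSSH start, one benign PowerShell, and the attack chain.
SAMPLE_EVENTS = [
    ProcEvent("srv01", r"C:\Windows\System32\OpenSSH\sshd.exe", "sshd.exe", r"C:\Windows\System32\services.exe"),
    ProcEvent("srv01", r"C:\Users\Public\sshd.exe", "sshd.exe -f sshd_config", r"C:\Windows\System32\cmd.exe"),
    ProcEvent("srv01", r"C:\Users\Public\sftp-server.exe", "sftp-server.exe", r"C:\Users\Public\sshd.exe"),
    ProcEvent("srv01", r"C:\Users\Public\mrc.exe", "mrc.exe /accepteula /go", r"C:\Users\Public\sshd.exe",
              description="Magnet RAM Capture"),
    ProcEvent("srv01", r"C:\Windows\System32\bcdedit.exe", "bcdedit /set {default} safeboot minimal",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent("srv01", r"C:\Windows\System32\net.exe", "net user svc_backup P@ssw0rd! /add",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent("srv01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -c Test-WSMan -ComputerName srv02", r"C:\Windows\System32\cmd.exe"),
    ProcEvent("srv02", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -c Get-Process", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for rule, host, image in hunt(SAMPLE_EVENTS):
        print(f"{host}: {rule} <- {image}")
```

Each rule is deliberately narrow so an analyst can tune it per environment: the OpenSSH path check, for instance, is silent for the in-box feature and fires only when the server binaries run from user-writable locations, which is the distinguishing feature of ToyMaker's deployment rather than the presence of OpenSSH itself.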