Cybersecurity researchers have detailed the activities of an Initial Access Broker (IAB) named ToyMaker that has been observed handing over access to double extortion ransomware gangs like CACTUS.
See: https://redskyalliance.org/xindustry/cactus-ransomware-in-france
The IAB has been assessed with medium confidence to be a financially motivated threat actor, scanning for vulnerable systems and deploying a custom malware called LAGTOY (aka HOLERUN). "LAGTOY can be used to create reverse shells and execute commands on infected endpoints," Cisco Talos researchers Joey Chen, Asheer Malhotra, Ashley Shen, Vitor Ventura, and Brandon White said.[1]
The malware was first documented by Google-owned Mandiant in late March 2023, attributing its use to a threat actor it tracks as UNC961. Other names like Gold Melody and Prophet Spider are also known as the activity cluster. The threat actor has been observed leveraging a vast arsenal of known security flaws in internet-facing applications to obtain initial access, followed by conducting reconnaissance, credential harvesting, and LAGTOY deployment within a week. The attackers also open SSH connections to a remote host to download a forensics tool called Magnet RAM Capture to obtain a memory dump of the machine in a likely attempt to gather the victim's credentials.
LAGTOY is designed to contact a hard-coded command-and-control (C2) server to retrieve commands for subsequent execution on the endpoint. It can create processes and run commands under specified users with corresponding privileges, per Mandiant. The malware is also equipped to process three commands from the C2 server with a Sleep interval of 11000 milliseconds between them. "After a lull in activity of approximately three weeks, we observed the CACTUS ransomware group make its way into the victim enterprise using credentials stolen by ToyMaker," Talos said.
"Based on the relatively short dwell time, the lack of data theft and the subsequent handover to CACTUS, it is unlikely that ToyMaker had any espionage-motivated ambitions or goals." In the incident analyzed by Talos, the CACTUS ransomware affiliates are said to have conducted reconnaissance and persistence activities before data exfiltration and encryption. Multiple methods were also observed to set up long-term access, such as OpenSSH, AnyDesk, and eHorus Agent. "ToyMaker is a financially motivated Initial Access Broker (IAB) who acquires access to high-value organizations and then transfers that access to secondary threat actors who usually monetize the access via double extortion and ransomware deployment," the company said.
This article is shared at no charge and is for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122
[1] https://thehackernews.com/2025/04/toymaker-uses-lagtoy-to-sell-access-to.html
Comments