Cybersecurity researchers have detailed the activities of an Initial Access Broker (IAB) named ToyMaker that has been observed handing over access to double extortion ransomware gangs like CACTUS.

See: https://redskyalliance.org/xindustry/cactus-ransomware-in-france

The IAB has been assessed with medium confidence to be a financially motivated threat actor, scanning for vulnerable systems and deploying a custom malware called LAGTOY (aka HOLERUN). "LAGTOY can be used to create reverse shells an