
ToyMaker IAB Facilitates Access for CACTUS Ransomware


Cybersecurity researchers have revealed the activities of an initial access broker (IAB) known as ToyMaker, who has been observed facilitating access for double extortion ransomware groups like CACTUS.

ToyMaker is believed to be a financially-motivated threat actor, actively scanning for vulnerable systems and deploying a custom malware known as LAGTOY (also referred to as HOLERUN).

“LAGTOY enables attackers to establish reverse shells and execute commands on infected systems,” stated Cisco Talos researchers Joey Chen, Asheer Malhotra, Ashley Shen, Vitor Ventura, and Brandon White.

LAGTOY Malware and Its Capabilities

LAGTOY, first documented by Mandiant in March 2023, is used by the threat actor group UNC961—also tracked as Gold Melody and Prophet Spider. The malware is designed to connect to a hard-coded command-and-control (C2) server, allowing attackers to send and execute commands remotely on compromised systems.

The IAB exploits known vulnerabilities in internet-facing applications to gain initial access. After compromising a system, ToyMaker conducts reconnaissance, harvests credentials, and deploys LAGTOY, typically completing these activities within a week. Additionally, the attackers use SSH connections to a remote host to download Magnet RAM Capture, a forensics tool for capturing memory dumps, likely to gather additional victim credentials.

The malware allows attackers to execute processes and commands under specific user privileges, and it can process up to three commands from the C2 server with a sleep interval of 11,000 milliseconds between them.
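As an added defensive example, not code from the article or from Cisco Talos, the following Python heuristic flags a host that contacts one destination three times at a fixed 11-second spacing, the command cadence described above. The log line format, host names, addresses and timestamps are all constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample outbound-connection records: the hosts, addresses and
# timestamps are made up for this example and do not come from the article.
SAMPLE_LOG = """\
2025-04-20T10:00:00Z host=WS-01 dst=203.0.113.10:443
2025-04-20T10:00:11Z host=WS-01 dst=203.0.113.10:443
2025-04-20T10:00:22Z host=WS-01 dst=203.0.113.10:443
2025-04-20T10:00:05Z host=WS-02 dst=198.51.100.7:443
2025-04-20T10:00:09Z host=WS-02 dst=198.51.100.7:443
2025-04-20T10:01:30Z host=WS-02 dst=198.51.100.7:443
"""
LINE_RE = re.compile(r"^(\S+) host=(\S+) dst=(\S+)$")


def parse_log(text):
    """Return (timestamp, host, dst) tuples for every well-formed line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        records.append((ts, m.group(2), m.group(3)))
    return records


def find_fixed_cadence(records, interval_s=11.0, tolerance_s=1.0, min_hits=3):
    """Return sorted (host, dst) pairs with min_hits consecutive contacts
    spaced interval_s apart (within tolerance_s): the 11 s command loop."""
    by_pair = {}
    for ts, host, dst in records:
        by_pair.setdefault((host, dst), []).append(ts)
    flagged = []
    for pair, times in by_pair.items():
        times.sort()
        run = 1  # length of the current evenly spaced run of contacts
        for prev, cur in zip(times, times[1:]):
            gap = (cur - prev).total_seconds()
            run = run + 1 if abs(gap - interval_s) <= tolerance_s else 1
            if run >= min_hits:
                flagged.append(pair)
                break
    return sorted(flagged)


if __name__ == "__main__":
    for host, dst in find_fixed_cadence(parse_log(SAMPLE_LOG)):
        print(f"fixed 11 s cadence: {host} -> {dst}")
```

A fixed beacon interval is a weak signal on its own; treat a hit as a pivot point for reviewing the flagged host's process and SSH activity rather than as a verdict.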

Connection to CACTUS Ransomware

After a period of inactivity, researchers observed that the CACTUS ransomware group exploited credentials stolen by ToyMaker to infiltrate a victim’s network. The ransomware affiliates conducted their own reconnaissance and persistence activities before exfiltrating and encrypting data. Notably, multiple tools, including OpenSSH, AnyDesk, and eHorus Agent, were used to ensure long-term access.

Despite the threat actor’s quick turnover of access, ToyMaker’s role appears financially motivated rather than espionage-driven. The broker does not seem to engage in data theft but instead hands over access to ransomware groups that monetize the breach through double extortion tactics.

ToyMaker operates as a financially-driven IAB, targeting high-value organizations, acquiring access, and then selling it to secondary threat actors, who deploy ransomware or use double extortion techniques to maximize profit.
