Cisco Talos uncovered a sophisticated multi-stage attack targeting a critical infrastructure enterprise, orchestrated by a financially motivated initial access broker (IAB) referred to as “ToyMaker.”
This campaign demonstrates a growing trend in cybercrime, where specialized IABs gain initial footholds in high-value organizations before selling access to other threat actors, such as ransomware groups.
The attackers operated with notable technical prowess, employing a combination of dual-use remote administration, SSH, and file transfer utilities to methodically compromise a wide range of systems within the target network.
ToyMaker’s Tactics, Techniques, and Procedures
ToyMaker initiated the attack by exploiting unpatched, internet-facing servers, which enabled the deployment of a custom backdoor known as LAGTOY.
LAGTOY, also called HOLERUN by other vendors, is designed for persistent remote command execution and reverse shell creation.
Shortly after gaining access, ToyMaker conducted rapid reconnaissance of the victim’s environment, extracted critical credentials using tools such as Magnet RAM Capture, and established persistence by configuring LAGTOY as a system service.

Reconnaissance was executed via well-known Windows commands to enumerate local accounts, groups, domain trusts, and network configuration.
Subsequently, a fake user account named ‘support’ was created and added to the Administrators group to ensure continued privileged access.
ToyMaker then established SSH listeners on compromised endpoints using Windows OpenSSH, facilitating lateral movement and secure file transfers within the network.
Credential extraction was performed by downloading and silently running Magnet RAM Capture, obtaining memory dumps that were compressed and exfiltrated using 7zip and PuTTY’s SCP utility.
According to the Cisco Talos report, this approach enabled the theft of a vast array of enterprise credentials, ultimately expanding the attack surface.
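The account-persistence step above (a new local user immediately added to Administrators) is easy to correlate from Windows Security events. The following is an added detection example, not code from the Talos report; the event records are constructed samples in a simplified dict form, and the ten-minute window is an assumed tuning value.

```python
from datetime import datetime, timedelta

# Constructed sample Security log records (not taken from the report).
# 4720 = user account created, 4732 = member added to a security-enabled local group.
SAMPLE_EVENTS = [
    {"time": "2025-03-01T02:14:05", "id": 4720, "target": "support", "subject": "SYSTEM"},
    {"time": "2025-03-01T02:14:09", "id": 4732, "group": "Administrators",
     "member": "support", "subject": "SYSTEM"},
    {"time": "2025-03-01T09:30:00", "id": 4720, "target": "jdoe", "subject": "helpdesk01"},
    {"time": "2025-03-03T10:00:00", "id": 4732, "group": "Administrators",
     "member": "jdoe", "subject": "helpdesk01"},
]


def find_fast_admin_promotions(events, window=timedelta(minutes=10)):
    """Return (account, seconds) pairs for accounts that were created and then added to
    Administrators within `window` (assumed threshold), the pattern used for 'support'."""
    created = {}   # account name (lower-cased) -> creation timestamp
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4720:
            created[ev["target"].lower()] = ts
        elif ev["id"] == 4732 and ev.get("group", "").lower() == "administrators":
            name = ev["member"].lower()
            # Only alert when the promotion follows a creation inside the window;
            # the two-day gap for 'jdoe' is treated as routine helpdesk provisioning.
            if name in created and timedelta(0) <= ts - created[name] <= window:
                hits.append((name, int((ts - created[name]).total_seconds())))
    return hits


if __name__ == "__main__":
    for account, seconds in find_fast_admin_promotions(SAMPLE_EVENTS):
        print(f"ALERT: local account '{account}' promoted to Administrators {seconds}s after creation")
```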
Ransomware Escalation and Advanced Anti-Forensics
After an initial burst of activity, ToyMaker exhibited a notable lull, ceasing operations for several weeks before the access was handed over to a Cactus ransomware affiliate.
The Cactus group leveraged the previously stolen credentials to infiltrate additional endpoints, perform broad network reconnaissance (including PowerShell-based WSMAN endpoint discovery), and enumerate, collect, and archive sensitive enterprise data for exfiltration.
Cactus quickly established persistence through deployment of various remote administration tools such as eHorus, RMS, AnyDesk, and OpenSSH.
They used custom scripts to create scheduled tasks that periodically initiated outbound SSH sessions, enabling remote command execution even during periods when traditional access methods might be detected or disabled.
For defense evasion, Cactus utilized several advanced anti-forensic techniques.
They deleted local registry artifacts, removed or altered remote desktop history, erased persistence evidence by deleting the created ‘support’ user, and manipulated file permissions to obscure SSH private keys.
The attackers also executed boot recovery modifications, rebooted systems into Safe Mode to neutralize security products, and created malicious accounts likely for eventual ransomware deployment.
LAGTOY’s architecture is tailored for long-term stealthy operation. It communicates with hardcoded command-and-control (C2) IP addresses over port 443, albeit without using TLS, instead relying on raw sockets to avoid detection by standard HTTPS monitoring tools.
The malware incorporates custom anti-debugging checks employing unhandled exception filters.
Its time-based logic carefully regulates beaconing frequency, command execution, and watchdog routines, all designed to minimize artifacts and maximize operational security.
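Because LAGTOY talks to port 443 over a raw socket rather than TLS, the first client bytes of its sessions lack the TLS handshake record that every HTTPS connection begins with. The check below is an added example written for this article, not code from the report or from Cisco Talos; the flows are constructed samples, and the beacon bytes are a placeholder, not LAGTOY's real protocol.

```python
from typing import Optional

# Constructed sample flows: (destination port, first client payload bytes).
SAMPLE_FLOWS = [
    (443, bytes.fromhex("16030100c8010000c40303")),  # genuine TLS ClientHello prefix
    (443, b"\x01\x00\x00\x00id\x00"),                # placeholder raw beacon, no TLS at all
    (443, b""),                                      # empty first segment: cannot decide
    (80, b"GET / HTTP/1.1\r\n"),                     # not port 443, out of scope here
]


def looks_like_tls_client_hello(payload: bytes) -> Optional[bool]:
    """True if the bytes start a TLS handshake record carrying a ClientHello,
    False if they clearly do not, None if there is too little data to judge."""
    if len(payload) < 6:
        return None
    content_type, major, minor = payload[0], payload[1], payload[2]
    handshake_type = payload[5]  # first byte after the 5-byte record header
    return (content_type == 0x16            # TLS record type: handshake
            and major == 0x03
            and minor in (0x00, 0x01, 0x02, 0x03, 0x04)  # SSL3.0 .. TLS1.3 record versions
            and handshake_type == 0x01)     # ClientHello


def flag_non_tls_443(flows):
    """Return (flow index, hex prefix) for port-443 flows whose first bytes are not TLS."""
    alerts = []
    for idx, (port, payload) in enumerate(flows):
        if port != 443:
            continue
        if looks_like_tls_client_hello(payload) is False:
            alerts.append((idx, payload[:8].hex()))
    return alerts


if __name__ == "__main__":
    for idx, prefix in flag_non_tls_443(SAMPLE_FLOWS):
        print(f"ALERT: flow {idx} to tcp/443 is not TLS; first bytes {prefix}")
```

Plain-text port-443 traffic is not proof of LAGTOY on its own, but it narrows the flows worth pairing with the report's C2 addresses.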
Data staged for exfiltration was systematically archived with 7zip and transferred off-network through both legitimate utilities (curl, WinSCP) and compromised SSH connections using attacker-controlled keys.
Metasploit-injected payloads and binaries further enabled Cactus to maintain network presence and execute code across both Windows and Linux systems.

Throughout the campaign, operational security was paramount: the adversaries removed traces of their tooling, managed privileges rigorously, and obscured their command infrastructure to forestall detection or remediation by defenders.
Indicators of Compromise (IOC)