Cybersecurity researchers have uncovered the actions of a financially motivated initial access broker (IAB) known as ToyMaker, who has been actively facilitating attacks by ransomware gangs such as those behind the notorious CACTUS ransomware group. According to findings from Cisco Talos, ToyMaker specializes in gaining entry into vulnerable systems, only to hand over this access to ransomware operators employing double extortion tactics.
ToyMaker utilizes a custom malware strain named LAGTOY, also referred to as HOLERUN. This tool is specifically designed to establish reverse shells and execute arbitrary commands on compromised systems, making it a powerful asset in the hands of cybercriminals. Talos researchers Joey Chen, Asheer Malhotra, Ashley Shen, Vitor Ventura, and Brandon White detailed these capabilities in a recent analysis.
The malware itself was first identified in March 2023 by Mandiant, a Google-owned security firm, which attributed its deployment to a threat actor known as UNC961—also recognized under aliases such as Gold Melody and Prophet Spider.
Exploiting Vulnerabilities to Establish Footholds
Once ToyMaker infiltrates a target, often by exploiting publicly known security flaws in internet-facing applications, the attack progresses rapidly. Within a week, the intruders typically perform reconnaissance, harvest credentials, and deploy LAGTOY to cement their presence. Notably, they also download a forensics tool named Magnet RAM Capture via SSH, aiming to extract memory dumps that likely contain sensitive login credentials.
LAGTOY connects to a hard-coded command-and-control (C2) server, from which it receives instructions to be executed on the infected system. It can launch processes under specific user credentials and supports the execution of three separate commands, with a default pause of 11,000 milliseconds between them.
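As an added defender-side example (not code from the Talos report), the following Python heuristic hunts process-creation telemetry for the reported pattern of several commands executed by one parent process roughly 11,000 milliseconds apart; the sample events, PIDs and command lines are constructed, and the 500 ms tolerance is an assumption.

```python
from datetime import datetime
from itertools import groupby

# Constructed sample endpoint telemetry (not real data): process-creation
# events as (ISO timestamp, parent PID, command line).
SAMPLE_EVENTS = [
    ("2025-04-01T10:00:00.000", 2200, "svchost.exe -k netsvcs"),
    ("2025-04-01T10:00:01.000", 2200, "conhost.exe"),
    ("2025-04-01T10:00:02.000", 2200, "taskhostw.exe"),
    # Parent 4100 runs three commands ~11 s apart, the cadence reported for LAGTOY.
    ("2025-04-01T10:05:00.000", 4100, "whoami"),
    ("2025-04-01T10:05:11.100", 4100, "net user"),
    ("2025-04-01T10:05:22.050", 4100, "ipconfig /all"),
    # Parent 3300: only two children at that spacing, below the threshold.
    ("2025-04-01T10:07:00.000", 3300, "hostname"),
    ("2025-04-01T10:07:11.000", 3300, "tasklist"),
]

def _ms_between(a, b):
    """Milliseconds elapsed between two ISO-8601 timestamps."""
    return (datetime.fromisoformat(b) - datetime.fromisoformat(a)).total_seconds() * 1000

def find_cadence_sequences(events, interval_ms=11000, tolerance_ms=500, min_children=3):
    """Return [(parent_pid, [cmd, ...])] for every parent whose consecutive
    child processes are spaced interval_ms +/- tolerance_ms apart for at
    least min_children children in a row (heuristic, expect benign hits)."""
    hits = []
    by_parent = sorted(events, key=lambda e: (e[1], e[0]))
    for ppid, group in groupby(by_parent, key=lambda e: e[1]):
        children = list(group)
        run = [children[0]]  # current streak of evenly spaced children
        for prev, cur in zip(children, children[1:]):
            if abs(_ms_between(prev[0], cur[0]) - interval_ms) <= tolerance_ms:
                run.append(cur)
            else:
                if len(run) >= min_children:
                    hits.append((ppid, [c[2] for c in run]))
                run = [cur]
        if len(run) >= min_children:
            hits.append((ppid, [c[2] for c in run]))
    return hits

if __name__ == "__main__":
    for ppid, cmds in find_cadence_sequences(SAMPLE_EVENTS):
        print(f"parent {ppid}: {len(cmds)} commands at ~11 s cadence: {cmds}")
```

Tune the interval and tolerance to what your EDR actually records; the cadence alone is a weak signal and is best combined with the other behaviours described above, such as credential harvesting and memory-capture tooling.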
Handoff to CACTUS Ransomware and Monetization Phase
Cisco Talos observed that following a brief three-week pause in activity, the CACTUS ransomware group accessed an enterprise network using credentials that ToyMaker had previously stolen. This handover signifies a clear delineation of roles—ToyMaker gains access, while ransomware operators like CACTUS execute the monetization phase through encryption and extortion.
Interestingly, Talos found no signs of espionage, indicating that ToyMaker’s operations are purely driven by financial motives. The ransomware actors conducted their own rounds of reconnaissance and set up persistence mechanisms, including deploying tools like OpenSSH, AnyDesk, and eHorus Agent to ensure long-term access to the victim environment.
Conclusion
“ToyMaker is a financially motivated initial access broker (IAB) who acquires access to high-value organizations and then transfers that access to secondary threat actors who usually monetize the access via double extortion and ransomware deployment,” Cisco Talos stated. As cybercrime continues to evolve, collaborations between actors like ToyMaker and ransomware groups such as CACTUS highlight the growing interconnection of underground networks and the urgent need for proactive defense strategies in enterprise environments.