Cybersecurity researchers have uncovered the activities of an initial access broker (IAB) known as ToyMaker, who has been facilitating ransomware attacks by providing access to double extortion gangs, including the notorious CACTUS ransomware group.
ToyMaker, identified as a financially motivated threat actor, is known for scanning for vulnerable systems and deploying a custom malware called LAGTOY (also referred to as HOLERUN). The malware lets the broker establish reverse shells and execute commands on compromised systems.
According to researchers from Cisco Talos (Joey Chen, Asheer Malhotra, Ashley Shen, Vitor Ventura, and Brandon White), LAGTOY communicates with a hard-coded command-and-control (C2) server to retrieve and execute instructions on infected endpoints. This gives the attackers broad control over the host, which they use for follow-on activity such as credential harvesting and the creation of processes and execution of commands under specific user privileges.
LAGTOY Malware: Key Features and Activity
LAGTOY was first identified by Google-owned Mandiant in March 2023, linked to a threat actor tracked as UNC961, also known by other aliases such as Gold Melody and Prophet Spider. ToyMaker's operations have primarily involved leveraging a wide range of known security vulnerabilities in internet-facing applications to gain initial access. From there, attackers perform reconnaissance and deploy LAGTOY within a week, often followed by attempts to harvest credentials.
In one documented case, the attackers used Magnet RAM Capture, a legitimate memory-forensics tool, to take memory dumps from compromised machines, most likely to recover credentials held in process memory. The tool was pulled down over SSH connections to a remote host under the attackers' control.
ToyMaker's Role in the Double Extortion Scheme
LAGTOY executes commands and creates processes on infected systems, pausing 11,000 milliseconds (11 seconds) between commands. After an apparent lull in activity lasting about three weeks, researchers observed the CACTUS ransomware group entering the victim's network using the credentials stolen by ToyMaker.
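The fixed 11-second pause is the kind of detail a detection engineer can turn into a hunt: a C2 channel driven by a constant sleep produces connection timestamps whose gaps cluster tightly around one value, while human-driven traffic is bursty. The script below is an added example, not Cisco Talos tooling or anything from the LAGTOY sample; it groups constructed connection-log lines by (source, destination, port), measures the inter-connection gaps, and flags flows whose median gap sits near an expected period with little jitter. The log format and all IP addresses are invented for illustration, and the 11-second period is taken from the report.

```python
"""Hunt for fixed-interval beaconing in connection logs.

Added example, not Cisco Talos tooling. The 11-second period comes from the
report's description of LAGTOY sleeping 11,000 ms between commands; the log
format and every IP address below are constructed for illustration.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<ISO-8601 timestamp> <src> <dst> <dport>" per line.
# 10.0.0.5 -> 203.0.113.7 mimics a LAGTOY-style beacon (roughly every 11 s,
# one gap stretched to 12 s to show the tolerance at work);
# 10.0.0.9 -> 198.51.100.2 mimics bursty, human-driven browsing.
SAMPLE_LOG = """\
2025-01-10T09:00:00Z 10.0.0.5 203.0.113.7 443
2025-01-10T09:00:11Z 10.0.0.5 203.0.113.7 443
2025-01-10T09:00:22Z 10.0.0.5 203.0.113.7 443
2025-01-10T09:00:34Z 10.0.0.5 203.0.113.7 443
2025-01-10T09:00:45Z 10.0.0.5 203.0.113.7 443
2025-01-10T09:00:56Z 10.0.0.5 203.0.113.7 443
2025-01-10T09:00:03Z 10.0.0.9 198.51.100.2 443
2025-01-10T09:00:04Z 10.0.0.9 198.51.100.2 443
2025-01-10T09:00:31Z 10.0.0.9 198.51.100.2 443
2025-01-10T09:02:10Z 10.0.0.9 198.51.100.2 443
2025-01-10T09:02:11Z 10.0.0.9 198.51.100.2 443
2025-01-10T09:02:12Z 10.0.0.9 198.51.100.2 443
"""


def parse_log(text):
    """Return (timestamp, src, dst, dport) tuples; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        # fromisoformat() only accepts a trailing "Z" on Python 3.11+, so normalise it.
        ts = datetime.fromisoformat(parts[0].replace("Z", "+00:00"))
        records.append((ts, parts[1], parts[2], int(parts[3])))
    return records


def find_periodic_beacons(records, expected_period=11.0, tolerance=1.0, min_connections=5):
    """Flag (src, dst, dport) flows whose inter-connection gaps cluster around expected_period.

    A flow is flagged when it has at least min_connections events, the median gap
    is within tolerance seconds of expected_period, and the gaps vary by no more
    than tolerance (population standard deviation). Caveat: LAGTOY sleeps 11 s
    *between* commands, so observed gaps also include command run time; widen
    tolerance (or drop the median check and look only at low jitter) when hunting
    rather than alerting.
    """
    flows = defaultdict(list)
    for ts, src, dst, dport in records:
        flows[(src, dst, dport)].append(ts)

    hits = []
    for (src, dst, dport), stamps in flows.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median = statistics.median(gaps)
        jitter = statistics.pstdev(gaps)
        if abs(median - expected_period) <= tolerance and jitter <= tolerance:
            hits.append({
                "src": src,
                "dst": dst,
                "dport": dport,
                "count": len(stamps),
                "median_interval": median,
                "jitter": round(jitter, 3),
            })
    return hits


if __name__ == "__main__":
    for hit in find_periodic_beacons(parse_log(SAMPLE_LOG)):
        print(hit)
```

Run against the constructed log, only the 10.0.0.5 flow is reported: six connections with a median gap of 11.0 s and a jitter of 0.4 s. The browsing flow has the same number of events but a median gap of 1 s and a standard deviation near 40 s, so it is ignored. On real proxy or firewall data the same logic is best applied over a long window (hours, not minutes) and combined with rarity of the destination, since plenty of legitimate agents also poll on fixed timers.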
According to Cisco Talos, this handover to CACTUS indicates that ToyMaker's goals are not espionage-related but instead focused on financially motivated attacks. The ransomware group conducted its own reconnaissance and persistence activities before proceeding with data exfiltration and encryption.
Initial Access Brokering and the Double Extortion Model
ToyMaker operates as a financially-driven initial access broker, gaining access to high-value organizations and then selling that access to secondary threat actors. These secondary actors typically monetize the access by deploying double extortion ransomware, including the notorious CACTUS ransomware. This model has been growing in popularity, with cybercriminals focusing on financial gains through ransom demands and data leaks.
Conclusion
The collaboration between ToyMaker and ransomware groups like CACTUS demonstrates the evolving tactics used by financially motivated cybercriminals. By exploiting vulnerabilities and leveraging custom malware like LAGTOY, these actors are able to infiltrate networks quickly and sell access to more destructive actors, escalating the damage in cyberattacks. The rise of such brokered attacks highlights the importance of securing systems against known vulnerabilities and adopting proactive cybersecurity measures.