In May 2025, cybersecurity researchers from Cisco Talos and The Vertex Project announced a groundbreaking methodology to combat the rising trend of compartmentalized cyberattacks, where multiple threat actors collaborate to execute distinct stages of an intrusion. This shift from single-actor campaigns to decentralized, multi-operator models has rendered traditional threat analysis frameworks obsolete, enabling adversaries to evade detection and complicate attribution. The new approach, detailed in a joint whitepaper, integrates an extended Diamond Model with a “Relationship Layer” to map interactions between adversaries, infrastructure, capabilities, and victims across fragmented kill chains.

Compartmentalized attacks typically involve initial access brokers (IABs) like the financially motivated ToyMaker group, which specialize in infiltrating networks and selling access to ransomware operators or state-sponsored actors. For example, in a 2023 campaign, ToyMaker deployed the custom LAGTOY backdoor to establish persistence in a victim’s environment, exfiltrated credentials, and later transferred control to the Cactus ransomware group. The malware exfiltrates credentials in the form of PuTTY private key (.ppk) files stored on compromised servers, which are then relayed to ransomware affiliates like Cactus. Once opened, these files execute a PowerShell script (deploy.ps1) that fetches a second-stage payload from a Traffic Distribution Service (TDS) operated by a third party. Cactus operators then authenticate using stolen credentials, deploy lateral movement tools like SoftPerfect Network Scanner, and execute ransomware payloads. Crucially, ToyMaker’s infrastructure, often bulletproof hosting services, is shared with unrelated threat actors, making IoC-based attribution unreliable.

The extended Diamond Model addresses these challenges by annotating transactional relationships (e.g., “purchased from” or “handover from”) between threat actors. For instance, ToyMaker’s infrastructure is linked to Cactus’ operations via a broker relationship, enabling analysts to cluster indicators without conflating distinct adversaries. Cisco Talos analysts identified that 67% of ransomware incidents in 2024 involved IABs, highlighting the critical need for updated threat-modeling frameworks. “Compartmentalization isn’t just a tactic; it’s a business model,” noted Edmund Brumaghin, lead researcher at Cisco Talos.

Cisco Talos recommends hunting for asynchronous TTPs, such as credential dumping followed by anomalous lateral movement weeks later, to identify handoffs. Organizations are advised to correlate IAB-linked IoCs (e.g., LAGTOY hashes) with ransomware intelligence feeds, as 89% of IAB victims face secondary exploitation within 45 days.
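The relationship layer and the asynchronous-TTP hunt described above, as an added example that is not code from the Talos/Vertex whitepaper: a minimal extended Diamond Model whose relationship edges link ToyMaker to Cactus, and a hunt that flags credential access by one actor followed within the 45-day window by lateral movement from a different actor on the same victim. Actor and tool names follow the article; the event dates, host labels and the hypothetical `UnrelatedActor` are constructed.

```python
# Added example, not the Talos/Vertex whitepaper's code: a minimal extended Diamond
# Model with a relationship layer and the asynchronous-TTP hunt the article recommends.
from dataclasses import dataclass, field
from datetime import date

@dataclass(frozen=True)
class Diamond:  # one Diamond Model event: the four core features, a time and a TTP label
    adversary: str
    infrastructure: str
    capability: str
    victim: str
    when: date
    ttp: str  # e.g. "credential-access", "lateral-movement"

@dataclass
class ExtendedDiamondModel:
    events: list = field(default_factory=list)
    # Relationship layer: (actor, relation, counterpart), e.g. (Cactus, "handover from", ToyMaker)
    relationships: set = field(default_factory=set)

    def recipients_of(self, iab):
        """Actors that took over access from `iab` via a handover or purchase."""
        return {actor for actor, _rel, src in self.relationships if src == iab}

    def adversaries_using(self, infrastructure):
        """Every actor seen on one host: shared hosting is why IoC-only attribution fails."""
        return {e.adversary for e in self.events if e.infrastructure == infrastructure}

    def hunt_handoffs(self, victim, window_days=45):
        """Credential access, then lateral movement by a *different* actor within the window."""
        timeline = sorted((e for e in self.events if e.victim == victim), key=lambda e: e.when)
        hits = []
        for i, first in enumerate(timeline):
            if first.ttp != "credential-access":
                continue
            for later in timeline[i + 1:]:
                gap = (later.when - first.when).days
                if (later.ttp == "lateral-movement" and later.adversary != first.adversary
                        and 0 < gap <= window_days):
                    hits.append((first.adversary, later.adversary, gap))
        return hits

def build_sample_model():  # constructed events mirroring the article's ToyMaker -> Cactus handoff
    m = ExtendedDiamondModel()
    m.events += [
        Diamond("ToyMaker", "bulletproof-host-A", "LAGTOY", "victim-corp", date(2023, 4, 1), "credential-access"),
        Diamond("UnrelatedActor", "bulletproof-host-A", "other-loader", "victim-xyz", date(2023, 4, 5), "execution"),
        Diamond("Cactus", "cactus-c2", "SoftPerfect Network Scanner", "victim-corp", date(2023, 4, 22), "lateral-movement"),
    ]
    m.relationships.add(("Cactus", "handover from", "ToyMaker"))
    return m
```

Running `build_sample_model().hunt_handoffs("victim-corp")` yields the ToyMaker-to-Cactus pair with a 21-day gap, while the unrelated actor on the same bulletproof host is not conflated with either.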
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 15 May 2025 09:09:53 +0000