Cisco Talos researchers have identified an initial access broker, dubbed “ToyMaker,” that systematically exploited vulnerable internet-facing systems before deploying custom backdoors to extract credentials from victim organizations. ToyMaker’s signature backdoor, called “LAGTOY” (tracked by Mandiant as “HOLERUN”), provides remote access to infected systems and is the primary persistent-access tool in the group’s arsenal.

The threat actor’s primary objective appears to be financial: ToyMaker establishes initial access and then transfers control to secondary actors, specifically the Cactus ransomware group. After establishing access and extracting credentials, ToyMaker typically remains dormant for approximately three weeks before Cactus operators take over, deploying their own toolset for lateral movement, data exfiltration and, ultimately, ransomware deployment combined with double extortion. This division of labour between ToyMaker and Cactus illustrates the increasingly compartmentalized nature of modern cybercriminal operations, with specialized groups focusing on one stage of the attack chain rather than executing end-to-end operations themselves.

The infection chain begins with ToyMaker exploiting vulnerable internet-facing servers, followed by rapid reconnaissance commands to gather system information. The group’s methodology relies on SSH file transfer utilities and remote administration tools to maintain persistent access to compromised networks; the investigation found that ToyMaker installs Windows OpenSSH packages to establish listeners on compromised endpoints before deploying its credential-harvesting tools.

LAGTOY is designed to periodically connect to hardcoded command-and-control (C2) servers, receiving and executing commands on infected systems, which lets the operators establish reverse shells and run arbitrary commands on compromised endpoints. The malware runs as a Windows service named “WmiPrvSV” and implements rudimentary anti-debugging techniques to evade analysis. It also implements a time-based execution logic that determines when to execute commands and when to sleep: the timing and C2 communication logic allows it to process three commands from the C2 with a sleep interval of 11,000 milliseconds between them. Its command structure exposes three primary control codes: ‘#pt’ to stop the service, ‘#pd’ to break execution chains, and ‘#ps’ to create processes or execute commands.
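As an added defender-side example (not code from the article, Talos or Mandiant), the following Python hunting helpers turn the reported indicators into checks: a periodicity search over connection logs that assumes LAGTOY’s 11,000 ms sleep shows up as roughly 11 s gaps between C2 contacts (an assumption, not a claim from the report), a Windows service-installation check for the “WmiPrvSV” name, and a scan of a captured C2 response for the three control codes. All telemetry below is constructed sample data.

```python
"""Hunting helpers for the LAGTOY behaviours reported above (added example, not Talos code).
Assumptions: `flows` are (host, dst_ip, epoch_seconds) tuples from a NetFlow/proxy export,
`events` are dicts parsed from Windows System log Event ID 7045 (new service installed).
All sample data below is constructed for the demo."""
from collections import defaultdict

# Control codes and service name exactly as reported in the article.
LAGTOY_CONTROL_CODES = ("#pt", "#pd", "#ps")
LAGTOY_SERVICE_NAME = "WmiPrvSV"  # the legitimate WMI provider host is WmiPrvSE.exe


def find_periodic_beacons(flows, period_s=11.0, tol_s=1.0, min_gaps=3):
    """Return (host, dst) pairs whose connections recur roughly every `period_s` seconds.
    Assumption: the 11,000 ms sleep between commands shows up as ~11 s gaps to the C2."""
    by_pair = defaultdict(list)
    for host, dst, ts in flows:
        by_pair[(host, dst)].append(ts)
    hits = []
    for pair, times in sorted(by_pair.items()):
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if sum(1 for g in gaps if abs(g - period_s) <= tol_s) >= min_gaps:
            hits.append(pair)
    return hits


def flag_service_installs(events):
    """Flag Event ID 7045 records whose ServiceName matches LAGTOY's (case-insensitive)."""
    return [e for e in events
            if e.get("EventID") == 7045
            and e.get("ServiceName", "").lower() == LAGTOY_SERVICE_NAME.lower()]


def find_control_codes(payload: bytes):
    """Return which LAGTOY control codes appear in a captured C2 response body."""
    return [code for code in LAGTOY_CONTROL_CODES if code.encode() in payload]


# Constructed sample telemetry: ws01 beacons every ~11 s, ws02 connects irregularly.
SAMPLE_FLOWS = [("ws01", "203.0.113.7", 0.0), ("ws01", "203.0.113.7", 11.2),
                ("ws01", "203.0.113.7", 22.1), ("ws01", "203.0.113.7", 33.4),
                ("ws02", "198.51.100.5", 0.0), ("ws02", "198.51.100.5", 5.0),
                ("ws02", "198.51.100.5", 40.0)]
SAMPLE_EVENTS = [{"EventID": 7045, "ServiceName": "WmiPrvSV", "Host": "ws01"},
                 {"EventID": 7045, "ServiceName": "Spooler", "Host": "ws02"}]
SAMPLE_C2_RESPONSE = b"#ps whoami\r\n"  # constructed; the real wire format is not in the article

if __name__ == "__main__":
    print("periodic beacons:", find_periodic_beacons(SAMPLE_FLOWS))
    print("suspicious services:", flag_service_installs(SAMPLE_EVENTS))
    print("control codes seen:", find_control_codes(SAMPLE_C2_RESPONSE))
```

The tolerance and minimum-gap thresholds are starting points for a hunt, not tuned detection logic; widen them if the C2 channel is expected to add jitter.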
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 24 Apr 2025 15:55:10 +0000