ToyMaker, a financially driven cybercriminal group, is selling access to corporate networks to ransomware gangs like CACTUS. The group acts as an initial access broker (IAB), targeting vulnerable systems using custom malware called LAGTOY.
LAGTOY, also known as HOLERUN, creates reverse shells and executes remote commands on infected computers, giving attackers control without any physical access. According to a report, the malware connects to a command-and-control (C2) server and processes commands with short sleep intervals to avoid detection.
The malware was originally documented in 2023 and linked to a group tracked under names like UNC961, Gold Melody, and Prophet Spider. These threat actors scan the internet for security flaws. Once inside a system, they harvest credentials and deploy malware within days.
In one observed case, attackers used SSH to install a forensics tool called Magnet RAM Capture. This helped them extract memory data, likely for stealing credentials. LAGTOY then allowed them to execute further commands and maintain access.
From Access to Ransomware in a Week
After initial access, ToyMaker quickly handed credentials to CACTUS ransomware affiliates. Within weeks, the ransomware group began its own phase of the attack. They explored the network, escalated privileges, and set up persistent access tools like AnyDesk and eHorus Agent.
Notably, there was no sign of espionage, so researchers believe ToyMaker’s goal is purely financial: they gain access and sell it to others, who then deploy ransomware and demand payment.
Reports note that ToyMaker shows no intent to steal data themselves. Instead, they provide access to other actors who complete the double extortion process—stealing and encrypting data to demand ransom.
How to Prevent ToyMaker Attacks
To defend against ToyMaker and LAGTOY, organizations must focus on prevention and detection. First, patch known vulnerabilities in internet-facing applications. These flaws are a common entry point for the group.
Second, monitor for unusual SSH activity or memory dump tools, which often indicate early attack stages. Endpoint detection and response (EDR) tools can also help. For example, they can flag suspicious command execution patterns.
Finally, limit access to administrative tools and enable multi-factor authentication. These simple steps reduce the chance of credential theft and privilege escalation.
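The monitoring advice above can be turned into a simple correlation rule. The following is an added example (not from the report or any vendor product) that scans a constructed stream of SSH logins and process starts and flags a memory-capture tool launched shortly after an SSH login on the same host, plus any launch of the remote-access tools named in the article; the tool-name fragments, hosts and timestamps are all assumed sample values.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the report): SSH logins and process
# starts normalised into one event stream, as a SIEM or EDR pipeline might emit.
EVENTS = [
    {"ts": "2025-04-01T02:10:05", "host": "web01", "type": "ssh_login", "user": "svc_deploy", "src": "198.51.100.7"},
    {"ts": "2025-04-01T02:14:30", "host": "web01", "type": "process", "user": "svc_deploy", "image": "C:\\Temp\\MagnetRAMCapture.exe"},
    {"ts": "2025-04-01T09:00:00", "host": "db02", "type": "ssh_login", "user": "dba", "src": "10.0.0.12"},
    {"ts": "2025-04-01T09:05:00", "host": "db02", "type": "process", "user": "dba", "image": "/usr/bin/psql"},
    {"ts": "2025-04-02T03:30:00", "host": "web01", "type": "process", "user": "svc_deploy", "image": "C:\\Users\\Public\\AnyDesk.exe"},
]

# Assumed image-name fragments for the tooling the article mentions; tune these
# to the binaries actually seen in your environment.
MEMORY_DUMP_TOOLS = ("magnetramcapture", "ramcapture")
REMOTE_ACCESS_TOOLS = ("anydesk", "ehorus")
WINDOW = timedelta(minutes=30)  # assumed correlation window between login and dump


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _image_matches(image, fragments):
    # Compare only the basename, case-insensitively, for both Windows and POSIX paths.
    name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return any(fragment in name for fragment in fragments)


def detect(events):
    """Return alert tuples: a memory-dump tool started within WINDOW after an SSH
    login on the same host, and any remote-access tool launch (persistence stage)."""
    alerts = []
    logins = [e for e in events if e["type"] == "ssh_login"]
    for e in events:
        if e["type"] != "process":
            continue
        if _image_matches(e["image"], MEMORY_DUMP_TOOLS):
            for login in logins:
                if login["host"] == e["host"] and timedelta(0) <= _ts(e) - _ts(login) <= WINDOW:
                    alerts.append(("memory_capture_after_ssh", e["host"], login["src"], e["image"]))
                    break
        if _image_matches(e["image"], REMOTE_ACCESS_TOOLS):
            alerts.append(("remote_access_tool", e["host"], e["user"], e["image"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Legitimate DBA activity on db02 produces no alert, while the SSH login followed by the memory-capture binary on web01 and the later AnyDesk launch each raise one.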
Staying alert and following cybersecurity best practices can make it harder for groups like ToyMaker to succeed.
Sleep well, we’ve got you covered.