ToyMaker: The Broker Behind Initial Access and Ransomware Collaborations


Summary
CRIL came across a blog published by Cisco Talos detailing a significant cyberattack on a critical infrastructure organization involving multiple threat actors. The attack began with an initial access broker (IAB) known as "ToyMaker," assessed as financially motivated. ToyMaker exploited vulnerable internet-facing systems to gain access and deployed a custom backdoor called "LAGTOY." This tool enabled them to extract credentials, create reverse shells, and execute commands on compromised systems.
After establishing initial access, ToyMaker handed over control to a second threat actor group called "Cactus," known for double extortion ransomware attacks. Cactus used their own set of tools and techniques to move laterally, steal data, and eventually deploy ransomware across the victim's network. The attackers used a mix of dual-use remote administration tools, SSH, and file transfer utilities to quietly expand their presence. This incident underscores the growing trend of collaboration between threat actors to execute complex, multi-stage intrusions.
Technical Analysis
The attack began when the threat actor known as ToyMaker exploited known vulnerabilities in an unpatched, internet-facing system to gain initial access. ToyMaker is assessed to be a financially motivated Initial Access Broker (IAB) — a group that compromises networks and sells or transfers access to other cybercriminals.
Once inside, ToyMaker acted swiftly. Within a week, they:
Conducted reconnaissance using commands like whoami, net user, and ipconfig /all.
Created a fake admin user account called "support".
Enabled SSH access on the system using OpenSSH’s sshd.exe.
Deployed a memory dumping tool called Magnet RAM Capture to extract credentials.
Compressed the memory dump using 7za.exe and exfiltrated it via PuTTY’s SCP utility (pscp.exe).
Deployment of LAGTOY Backdoor
ToyMaker then deployed a custom backdoor named LAGTOY, which was installed as a Windows service under the name "WmiPrvSV". LAGTOY allows remote command execution and persistence and operates on a beaconing model, where it regularly checks in with a hardcoded Command and Control (C2) server to receive instructions. Key features of LAGTOY include:
Anti-debugging checks using SetUnhandledExceptionFilter to detect analysis.
Time-based logic to control execution and sleeping intervals.
Support for commands like:
#pt – Stop service
#pd – Pause execution and re-check if stopped
#ps – Execute a specific process
Any command without # is executed as-is
Once LAGTOY was in place, ToyMaker ceased operations, handing over access to a second threat actor.
Ransomware and Lateral Movement
About three weeks after ToyMaker’s access, the Cactus ransomware gang took over using the stolen credentials. Cactus focused on data theft and extortion, scanning the network with PowerShell tools and setting up reverse shells through scheduled tasks. They rebooted systems into Safe Mode to disable security tools and used remote access software like AnyDesk, eHorus, RMS Remote Admin, and OpenSSH for persistence. Data was compressed with 7zip and exfiltrated using WinSCP and curl. They also used modified PuTTY and ApacheBench tools injected with Metasploit to run commands and transfer files from a known attacker-controlled server.
Credential Theft and Data Exfiltration
Cactus used the previously dumped credentials to access multiple systems and search for sensitive files. These were archived using 7zip with filters to avoid unnecessary files (e.g., media, executables), and exfiltrated via secure file transfer tools. In several cases, it’s believed that customer data was specifically targeted and extracted. Commands:
7z.exe a -t7z -mx0 -v4g -p
WinSCP or curl used to transfer .7z files to attacker servers
Persistence and Defense Evasion
To maintain long-term access, Cactus employed several stealthy techniques:
Created unauthorized user accounts for future login.
Used scheduled tasks for automated C2 communication.
Removed SSH private keys post-exfiltration to avoid detection.
Abused Safe Mode to modify the registry or disable AV solutions.
bcdedit /set {default} safeboot minimal
shutdown -r -f -t 0
Used ELF binaries (for Linux targets) and Metasploit shellcode to maintain cross-platform access.
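The command lines quoted in the LAGTOY, exfiltration and defense-evasion sections above give a defender concrete process-creation patterns to alert on. The following is an added example (not from the Talos or CRIL write-ups) that runs four such checks over constructed Sysmon-style events; the hostnames, paths and password are made up, and the benign WmiPrvSE and 7z extract lines are included to show the rules do not fire on them.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style, reduced to the
# fields a detection needs). These are made up for this example and mirror the command
# lines reported in the write-up; none of them is real telemetry.
SAMPLE_EVENTS = [
    {"host": "srv01", "cmdline": "net user support Winter2025! /add"},
    {"host": "srv01", "cmdline": "sc create WmiPrvSV binPath= C:\\ProgramData\\w.exe start= auto"},
    {"host": "srv02", "cmdline": "7z.exe a -t7z -mx0 -v4g -p D:\\out\\cust.7z D:\\share\\customers"},
    {"host": "srv02", "cmdline": "bcdedit /set {default} safeboot minimal"},
    {"host": "srv02", "cmdline": "shutdown -r -f -t 0"},
    {"host": "srv03", "cmdline": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe -Embedding"},  # benign
    {"host": "srv03", "cmdline": "7z.exe x -oC:\\restore backup.7z"},                     # benign
]

def _flags(cmdline: str) -> set:
    """Lower-cased switch tokens (-x or /x) so flag order in the command line does not matter."""
    return {tok.lower() for tok in cmdline.split() if tok[:1] in "-/"}

def account_created(cmdline: str) -> bool:
    # 'net user <name> <password> /add' creates a local account; ToyMaker added one named 'support'.
    return re.match(r"^net1?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", cmdline, re.I) is not None

def service_mimics_wmiprvse(cmdline: str) -> bool:
    # LAGTOY ran as a service called WmiPrvSV, one letter away from the legitimate WmiPrvSE.
    return re.match(r"^sc(?:\.exe)?\s+create\s+WmiPrvSV\b", cmdline, re.I) is not None

def split_encrypted_archive(cmdline: str) -> bool:
    # 7z 'a' with a volume size (-v4g) and a password (-p) is the staging pattern seen before exfil.
    f = _flags(cmdline)
    return (re.match(r"^7za?(?:\.exe)?\s+a\b", cmdline, re.I) is not None
            and any(re.fullmatch(r"-v\d+[kmg]?", x) for x in f)
            and any(x.startswith("-p") for x in f))

def safeboot_set(cmdline: str) -> bool:
    # 'bcdedit /set {default} safeboot minimal' prepares a reboot into Safe Mode, where most AV/EDR is not loaded.
    return re.match(r"^bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+safeboot\s+minimal\b", cmdline, re.I) is not None

RULES = {
    "local_account_created": account_created,
    "service_name_mimics_wmiprvse": service_mimics_wmiprvse,
    "split_encrypted_archive_staged": split_encrypted_archive,
    "safeboot_configured": safeboot_set,
}

def scan(events):
    """Return (host, rule) hits in event order; benign events produce no entries."""
    return [(e["host"], name) for e in events for name, fn in RULES.items() if fn(e["cmdline"])]

if __name__ == "__main__":
    for host, rule in scan(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

In a real pipeline the same predicates would run over Sysmon or EDR process events, and a safeboot hit followed by a shutdown on the same host deserves immediate paging rather than a ticket.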
Recommendations
Ensure all systems, especially internet-facing servers, are regularly updated with security patches to close vulnerabilities that could be exploited by initial access brokers like ToyMaker. This reduces the risk of unauthorized access through known weaknesses.
Implement multi-factor authentication (MFA) and regularly audit and rotate credentials. This makes it harder for attackers to leverage stolen credentials for lateral movement and access to critical systems.
Use network segmentation to isolate critical systems and implement continuous monitoring for suspicious activity. This limits the spread of attacks and enables quicker detection of malicious activity, reducing the impact of ransomware and data exfiltration.
Conclusion
This campaign showcases a modular, compartmentalized attack strategy, where ToyMaker focused solely on gaining access, while Cactus specialized in ransomware deployment and data theft. Their separate TTPs and timelines highlight the evolving “as-a-service” cybercrime model, where initial access brokers work in tandem with extortion groups.