
ToyMaker Hackers Compromise Numerous Hosts via SSH and File Transfer Tools

In an alarming cybersecurity breach uncovered by Cisco Talos in 2023, a critical infrastructure enterprise fell victim to a meticulously orchestrated attack involving multiple threat actors.

The initial access broker, identified as “ToyMaker” with medium confidence as a financially motivated entity, exploited vulnerabilities in internet-facing servers to infiltrate the network.

A Sophisticated Multi-Actor Attack on Critical Infrastructure

Using a custom backdoor named “LAGTOY,” ToyMaker executed rapid reconnaissance, credential harvesting, and backdoor deployment across numerous hosts within a week.

Their tactics included dual-use remote administration tools, SSH utilities, and file transfer mechanisms, setting the stage for a secondary actor to escalate the attack.

Metasploit shellcode communicating with the remote server.

After a three-week lull, access was handed over to the Cactus ransomware gang, notorious for double extortion schemes, who leveraged stolen credentials to deepen the compromise through network proliferation, data exfiltration, and ransomware deployment.

From Initial Breach to Double Extortion Tactics

ToyMaker’s initial moves involved system information discovery with commands like “whoami” and “ipconfig,” alongside creating fake user accounts such as ‘support’ for persistence.

They deployed the LAGTOY implant, a backdoor that Mandiant tracks as HOLERUN, which communicates with a hardcoded C2 server over port 443 using raw sockets rather than the TLS that normally runs on that port.

LAGTOY execution logic.

LAGTOY, installed as a service named ‘WmiPrvSV,’ features anti-debugging measures and time-based execution logic, ensuring stealthy operation with sleep intervals and watchdog routines.

Credential extraction was facilitated by tools like Magnet RAM Capture, with harvested data archived using 7za.exe and exfiltrated via PuTTY’s SCP utility.

Following the handover, Cactus conducted extensive endpoint enumeration, server scans, and data archiving for extortion, utilizing tools like AnyDesk, eHorus, and OpenSSH for long-term access.

Their operations included deleting volume shadow copies, modifying boot recovery settings, and deploying ransomware through malicious accounts, while meticulously covering tracks by clearing command histories and network logs.
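The Cactus-phase behaviours listed above (shadow copy deletion, boot recovery tampering, log and command history clearing, and the creation of the 'support' account mentioned earlier) are all visible on process-creation telemetry. The following is an added example from the editor, not Cisco Talos content: the regular expressions are the commonly documented command forms for each technique, the MITRE ATT&CK technique IDs are the standard ones for those behaviours, and the event records are constructed for illustration.

```python
"""Command-line detection for the defence-evasion and persistence behaviours
described in the article. Added example, not Cisco Talos tooling: rule patterns
reflect the well-known command forms for each technique; events are constructed."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# (rule name, MITRE ATT&CK technique ID, pattern over the process command line)
RULES = [
    ("shadow_copy_deletion", "T1490",
     re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b", re.I)),
    ("boot_recovery_tampering", "T1490",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("event_log_clearing", "T1070.001",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("command_history_clearing", "T1070.003",
     re.compile(r"(\bClear-History\b|ConsoleHost_history\.txt)", re.I)),
    ("local_account_creation", "T1136.001",
     re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
]

# Account names the article associates with the intrusion (watchlist, constructed here).
WATCHED_ACCOUNTS = {"support"}
ACCOUNT_RX = re.compile(r"\bnet1?(\.exe)?\s+user\s+(\S+)\s+\S+\s+/add\b", re.I)


def match_rules(cmdline: str) -> List[Tuple[str, str]]:
    """Return (rule, technique) pairs whose pattern matches the command line."""
    return [(name, tid) for name, tid, rx in RULES if rx.search(cmdline)]


def enrich(event: Dict[str, str]) -> List[Dict[str, str]]:
    """Turn one process-creation event into zero or more alert records."""
    alerts = []
    for name, tid in match_rules(event["cmd"]):
        alerts.append({"host": event["host"], "rule": name, "technique": tid, "cmd": event["cmd"]})
    # Creating an account on the watchlist is a second, higher-priority signal.
    m = ACCOUNT_RX.search(event["cmd"])
    if m and m.group(2).lower() in WATCHED_ACCOUNTS:
        alerts.append({"host": event["host"], "rule": "watched_account_created",
                       "technique": "T1136.001", "cmd": event["cmd"]})
    return alerts


# Constructed sample events (host name and command line only).
SAMPLE_EVENTS = [
    {"host": "FS01", "cmd": "ipconfig /all"},                                  # benign discovery
    {"host": "FS01", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "FS01", "cmd": "bcdedit /set {default} recoveryenabled No"},
    {"host": "DC01", "cmd": "wevtutil cl Security"},
    {"host": "DC01", "cmd": "net user support Example-Pw1 /add"},              # constructed password
    {"host": "WS07", "cmd": "powershell.exe -Command Clear-History"},
]


def scan(events: List[Dict[str, str]] = SAMPLE_EVENTS) -> List[Dict[str, str]]:
    """Run every event through the rules and flatten the alerts."""
    return [a for ev in events for a in enrich(ev)]


def summarize(events: List[Dict[str, str]] = SAMPLE_EVENTS) -> Dict[str, int]:
    """Count alerts per rule, which is what a triage dashboard would show first."""
    return dict(Counter(a["rule"] for a in scan(events)))


if __name__ == "__main__":
    for alert in scan():
        print(f'{alert["host"]:5} {alert["technique"]:10} {alert["rule"]:26} {alert["cmd"]}')
    print(summarize())
```

The rules are intentionally narrow: they fire on the specific recovery-inhibiting and log-clearing command shapes, so the false-positive rate on ordinary administration is low, and the watched-account rule shows how a page-specific indicator (the 'support' account) layers on top of generic behavioural detection.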

This attack underscores the compartmentalized yet interconnected nature of modern cyber threats, where initial access brokers like ToyMaker pave the way for ransomware affiliates like Cactus.

According to the report, Cisco Talos emphasizes the need for distinct threat modeling for such actors, proposing new methodologies to track these relationships in future analyses.

The disparity in tactics, techniques, and procedures (TTPs) between the two groups highlights the evolving complexity of cybercriminal ecosystems, necessitating robust endpoint security and network monitoring solutions to detect and mitigate such multi-stage attacks.

Indicators of Compromise (IOCs)

Category               Details
LAGTOY hash            fdf977f0c20e7f42dd620db42d20c561208f85684d3c9efd12499a3549be3826
Metasploit shells      Multiple hashes, including 0a367cc7e7e297248fad57e27f83316b7606788db9468f59031fed811cfe4867
ToyMaker network IOCs  209.141.43.37, 194.156.98.155, 158.247.211.51, 39.106.141.68, others
Cactus network IOCs    206.188.196.20, 51.81.42.234, 178.175.134.52, 162.33.177.56, others
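Two details in the article lend themselves to direct detection logic: LAGTOY's raw-socket traffic to port 443 without TLS, and its service name 'WmiPrvSV', one character away from the legitimate WMI provider host process WmiPrvSE.exe. The block below is an added example from the editor, not Cisco Talos tooling. The hashes and IP addresses are copied from the IOC table above; the connection record format, the sample connections (which use a documentation-range address for the benign case) and the one-character lookalike heuristic are constructed assumptions of this example.

```python
"""IOC and network-behaviour checks for the ToyMaker/LAGTOY activity described
above. Added example, not Cisco Talos tooling: indicator values come from the
article's IOC table; record format and sample connections are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Indicator values from the article's IOC table (SHA-256 hashes, IPv4 addresses).
LAGTOY_SHA256 = "fdf977f0c20e7f42dd620db42d20c561208f85684d3c9efd12499a3549be3826"
METASPLOIT_SHA256 = "0a367cc7e7e297248fad57e27f83316b7606788db9468f59031fed811cfe4867"
KNOWN_HASHES: Dict[str, str] = {LAGTOY_SHA256: "LAGTOY", METASPLOIT_SHA256: "Metasploit shellcode"}
TOYMAKER_IPS = {"209.141.43.37", "194.156.98.155", "158.247.211.51", "39.106.141.68"}
CACTUS_IPS = {"206.188.196.20", "51.81.42.234", "178.175.134.52", "162.33.177.56"}

# The legitimate WMI provider host process is WmiPrvSE.exe; the article says LAGTOY
# installs itself as a service named 'WmiPrvSV', one character away from that name.
LOOKALIKE_TARGETS = {"wmiprvse"}


@dataclass
class Conn:
    """One outbound connection record (constructed format, loosely Zeek-like)."""
    src: str
    dst: str
    dport: int
    first_bytes: bytes  # first bytes the client sent on the socket


def looks_like_tls(payload: bytes) -> bool:
    """True if the payload starts like a TLS record: content type 0x16 (handshake)
    followed by a 0x03xx protocol version (SSL 3.0 through TLS 1.3 all use major 3)."""
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04


def check_hash(sha256: str) -> Optional[str]:
    """Return the family name for a known-bad SHA-256, or None."""
    return KNOWN_HASHES.get(sha256.strip().lower())


def lookalike_service_name(name: str) -> bool:
    """Flag a service name that differs from a well-known Windows binary name in
    exactly one character (a cheap typosquat check; heuristic assumed by this example)."""
    n = name.lower().removesuffix(".exe")
    for target in LOOKALIKE_TARGETS:
        if len(n) == len(target) and sum(a != b for a, b in zip(n, target)) == 1:
            return True
    return False


def classify_conn(c: Conn) -> List[str]:
    """Return the list of findings for one connection record."""
    findings: List[str] = []
    if c.dst in TOYMAKER_IPS:
        findings.append("ToyMaker network IOC")
    if c.dst in CACTUS_IPS:
        findings.append("Cactus network IOC")
    # LAGTOY talks to 443 over a raw socket, so the first bytes are not a TLS handshake.
    if c.dport == 443 and not looks_like_tls(c.first_bytes):
        findings.append("non-TLS payload on port 443")
    return findings


# Constructed sample records: one normal HTTPS session, one LAGTOY-style beacon.
SAMPLE_CONNS = [
    Conn("10.0.0.12", "203.0.113.10", 443, b"\x16\x03\x01\x02\x00\x01"),   # TLS ClientHello
    Conn("10.0.0.12", "209.141.43.37", 443, b"\x00\x00\x00\x20\x01\x00"),  # raw, non-TLS framing
]


def run(conns: List[Conn] = SAMPLE_CONNS) -> Dict[str, List[str]]:
    """Map 'src->dst:port' to its findings, skipping clean connections."""
    out: Dict[str, List[str]] = {}
    for c in conns:
        f = classify_conn(c)
        if f:
            out[f"{c.src}->{c.dst}:{c.dport}"] = f
    return out


if __name__ == "__main__":
    for key, findings in run().items():
        print(key, findings)
    print("WmiPrvSV lookalike:", lookalike_service_name("WmiPrvSV"))
```

The non-TLS-on-443 check is the most durable of the three: IP indicators rotate and hashes change with each build, but a backdoor that speaks a custom protocol on a port reserved for TLS will keep failing the record-header test, which makes it a good candidate for a standing network detection alongside the article's IOCs.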


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
