Cyber Security News

ToyMaker Hackers Compromise Numerous Hosts via SSH and File Transfer Tools

In an alarming cybersecurity breach uncovered by Cisco Talos in 2023, a critical infrastructure enterprise fell victim to a meticulously orchestrated attack involving multiple threat actors.

The initial access broker, identified as “ToyMaker” with medium confidence as a financially motivated entity, exploited vulnerabilities in internet-facing servers to infiltrate the network.

A Sophisticated Multi-Actor Attack on Critical Infrastructure

Using a custom backdoor named “LAGTOY,” ToyMaker executed rapid reconnaissance, credential harvesting, and backdoor deployment across numerous hosts within a week.

Their tactics included dual-use remote administration tools, SSH utilities, and file transfer mechanisms, setting the stage for a secondary actor to escalate the attack.

Figure: Metasploit shellcode communicating with the remote server.

After a three-week lull, access was handed over to the Cactus ransomware gang, notorious for double extortion schemes, who leveraged stolen credentials to deepen the compromise through network proliferation, data exfiltration, and ransomware deployment.

From Initial Breach to Double Extortion Tactics

ToyMaker’s initial moves involved system information discovery with commands like “whoami” and “ipconfig,” alongside creating fake user accounts such as ‘support’ for persistence.

They deployed the LAGTOY implant, a sophisticated backdoor also known as HOLERUN by Mandiant, which communicates with a hardcoded C2 server over port 443 using raw sockets, bypassing expected TLS protocols.

Figure: LAGTOY execution logic.

LAGTOY, installed as a service named ‘WmiPrvSV,’ features anti-debugging measures and time-based execution logic, ensuring stealthy operation with sleep intervals and watchdog routines.
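The service name the article reports, 'WmiPrvSV', differs by one character from the legitimate Windows WMI provider host service, WmiPrvSE. The following script is an added defensive example, not code from the article or from Cisco Talos: it flags installed service names that sit within one edit of a well-known legitimate name. The service list and the small allow-list of legitimate names are constructed for the example; in practice the names would come from the host's service inventory.

```python
"""Added example (not from the article or Cisco Talos): flag Windows service
names that are near-misses of well-known legitimate ones, such as the
'WmiPrvSV' name the article says LAGTOY was installed under.

Assumptions: KNOWN_GOOD is a constructed, deliberately short allow-list, and
SAMPLE_SERVICES is a constructed inventory, not output from a real host."""

from typing import Iterable, List, Tuple

# Constructed allow-list of legitimate service names (a real deployment would
# use a full baseline taken from a known-clean build).
KNOWN_GOOD = {"WmiPrvSE", "wuauserv", "Dnscache", "Spooler", "LanmanServer"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_services(service_names: Iterable[str],
                       known_good: Iterable[str] = KNOWN_GOOD,
                       max_distance: int = 1) -> List[Tuple[str, str]]:
    """Return (suspicious_name, legitimate_name) pairs for service names that
    are not in the allow-list but are within max_distance edits of one.
    Comparison is case-insensitive, as Windows service names are."""
    good_lower = {g.lower(): g for g in known_good}
    findings = []
    for name in service_names:
        lowered = name.lower()
        if lowered in good_lower:
            continue  # exact match: legitimate
        for legit_lower, legit in good_lower.items():
            if edit_distance(lowered, legit_lower) <= max_distance:
                findings.append((name, legit))
                break
    return findings


# Constructed service inventory containing one lookalike.
SAMPLE_SERVICES = ["WmiPrvSE", "WmiPrvSV", "wuauserv", "Dnscache", "Spooler"]

if __name__ == "__main__":
    for suspicious, legit in lookalike_services(SAMPLE_SERVICES):
        print(f"suspicious service '{suspicious}' resembles '{legit}'")
```

The one-edit threshold is deliberate: it catches single-character swaps like SV for SE without flooding the analyst with unrelated names, and any hit still needs to be confirmed against the binary path and signer of the service.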

Credential extraction was facilitated by tools like Magnet RAM Capture, with harvested data archived using 7za.exe and exfiltrated via PuTTY’s SCP utility.

Following the handover, Cactus conducted extensive endpoint enumeration, server scans, and data archiving for extortion, utilizing tools like AnyDesk, eHorus, and OpenSSH for long-term access.

Their operations included deleting volume shadow copies, modifying boot recovery settings, and deploying ransomware through malicious accounts, while meticulously covering tracks by clearing command histories and network logs.

This attack underscores the compartmentalized yet interconnected nature of modern cyber threats, where initial access brokers like ToyMaker pave the way for ransomware affiliates like Cactus.

According to the report, Cisco Talos emphasizes the need for distinct threat modeling for such actors, proposing new methodologies to track these relationships in future analyses.

The disparity in tactics, techniques, and procedures (TTPs) between the two groups highlights the evolving complexity of cybercriminal ecosystems, necessitating robust endpoint security and network monitoring solutions to detect and mitigate such multi-stage attacks.

Indicators of Compromise (IOCs)

LAGTOY hash: fdf977f0c20e7f42dd620db42d20c561208f85684d3c9efd12499a3549be3826
Metasploit shells: multiple hashes, including 0a367cc7e7e297248fad57e27f83316b7606788db9468f59031fed811cfe4867
ToyMaker network IOCs: 209.141.43.37, 194.156.98.155, 158.247.211.51, 39.106.141.68, others
Cactus network IOCs: 206.188.196.20, 51.81.42.234, 178.175.134.52, 162.33.177.56, others
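As an added example (not code from the article or from Cisco Talos), the script below shows how a defender would put the IOCs above and one behavioural trait from the article to work: it triages flow records against the listed ToyMaker and Cactus addresses, checks file hashes against the listed LAGTOY and Metasploit values, and flags port-443 connections whose first client bytes are not a TLS handshake, which is the raw-socket-on-443 behaviour the article attributes to LAGTOY. The flow record format and the 203.0.113.x (TEST-NET-3) addresses are constructed for the example; the IOC values are the ones in the article's table, and the "others" it mentions are not included.

```python
"""Added example (not from the article or Cisco Talos): triage constructed
flow records and file hashes against the article's IOCs and against the
LAGTOY trait of talking to port 443 without TLS.

Assumptions: the (src_ip, dst_ip, dst_port, first_payload_bytes) record shape
and the 203.0.113.x addresses are constructed; IOC values are from the article."""

from typing import Dict, List, Tuple

# IOC values as printed in the article's table.
TOYMAKER_IPS = {"209.141.43.37", "194.156.98.155", "158.247.211.51", "39.106.141.68"}
CACTUS_IPS = {"206.188.196.20", "51.81.42.234", "178.175.134.52", "162.33.177.56"}
KNOWN_HASHES: Dict[str, str] = {
    "fdf977f0c20e7f42dd620db42d20c561208f85684d3c9efd12499a3549be3826": "LAGTOY",
    "0a367cc7e7e297248fad57e27f83316b7606788db9468f59031fed811cfe4867": "Metasploit shellcode",
}

Flow = Tuple[str, str, int, bytes]  # (src_ip, dst_ip, dst_port, first client payload bytes)


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if the bytes open a TLS record carrying a ClientHello:
    content type 0x16 (handshake), record version 0x03 0x00..0x04,
    and handshake type 0x01 right after the 5-byte record header."""
    return (
        len(payload) >= 6
        and payload[0] == 0x16
        and payload[1] == 0x03
        and payload[2] <= 0x04
        and payload[5] == 0x01
    )


def triage_flow(flow: Flow) -> List[str]:
    """Return the reasons this flow deserves attention (empty list if none)."""
    _src, dst, port, payload = flow
    reasons = []
    if dst in TOYMAKER_IPS:
        reasons.append("dst matches ToyMaker network IOC")
    if dst in CACTUS_IPS:
        reasons.append("dst matches Cactus network IOC")
    # Behavioural check from the article: LAGTOY uses raw sockets on 443, so
    # client data on that port that is not a TLS handshake stands out.
    if port == 443 and not looks_like_tls_client_hello(payload):
        reasons.append("port 443 client data is not a TLS handshake")
    return reasons


def triage_hash(sha256_hex: str) -> str:
    """Return the family name for a known-bad SHA-256, or '' if unknown."""
    return KNOWN_HASHES.get(sha256_hex.strip().lower(), "")


def triage_all(flows: List[Flow]) -> List[Tuple[str, List[str]]]:
    """Return (dst_ip, reasons) for every flow that produced at least one reason."""
    results = []
    for flow in flows:
        reasons = triage_flow(flow)
        if reasons:
            results.append((flow[1], reasons))
    return results


# Constructed payloads: a plausible TLS ClientHello record header and plain raw bytes.
TLS_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0xC8, 0x01, 0x00, 0x00, 0xC4, 0x03, 0x03])
RAW_BYTES = bytes([0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07])

# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS: List[Flow] = [
    ("10.0.0.5", "209.141.43.37", 443, TLS_HELLO),            # TLS to a ToyMaker IOC
    ("10.0.0.5", "203.0.113.9", 443, RAW_BYTES),              # non-TLS bytes on 443
    ("10.0.0.7", "51.81.42.234", 22, b"SSH-2.0-OpenSSH_9.0\r\n"),  # SSH to a Cactus IOC
    ("10.0.0.8", "203.0.113.20", 443, TLS_HELLO),             # ordinary TLS, nothing to report
]

if __name__ == "__main__":
    for dst, reasons in triage_all(SAMPLE_FLOWS):
        print(dst, "->", "; ".join(reasons))
    print(triage_hash("fdf977f0c20e7f42dd620db42d20c561208f85684d3c9efd12499a3549be3826"))
```

The TLS check looks only at the first bytes the client sends, so it needs a sensor that records the start of each flow; IOC matching on its own would miss a LAGTOY sample pointed at an address that is not on the list, which is why the behavioural rule is kept alongside it.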


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
