In 2023, cybersecurity experts uncovered a large-scale compromise involving critical infrastructure enterprises by a threat actor group known as ToyMaker. This group exploited vulnerabilities in internet-facing systems, deploying custom backdoors to extract credentials from victim organizations. ToyMaker employed SSH file transfer utilities and remote administration tools to maintain persistent access to compromised networks. The group’s primary goal seemed financially motivated, as they would pass control to the Cactus ransomware group for further exploitation.
The relationship between ToyMaker and Cactus is concerning, as it reflects a growing trend in cybercrime. Specialized groups now focus on specific aspects of the attack chain instead of conducting the entire operation themselves. ToyMaker established initial access through compromised systems, then transferred control to the Cactus gang, who deployed ransomware and used double extortion tactics. Researchers at Cisco Talos identified the primary backdoor used by ToyMaker, named “LAGTOY,” which provides remote access capabilities to infected systems.
LAGTOY functions as a persistent threat tool within ToyMaker’s arsenal. It connects to command-and-control (C2) servers, executing commands on infected systems.
The malware operates under the Windows service “WmiPrvSV” and uses raw socket connections to bypass encryption inspection mechanisms. This allows LAGTOY to maintain communication with its C2 server over port 443, without employing the usual TLS encryption, evading traditional detection techniques.
Once ToyMaker gains access, it typically remains dormant for up to three weeks.
After this period, control is handed over to Cactus operators, who deploy their own tools for lateral movement, data exfiltration, and ransomware deployment. This compartmentalization in cybercriminal operations highlights the increasing complexity and specialization of modern threat actors. The carefully orchestrated nature of these attacks makes them highly effective and difficult to detect.
