Cybersecurity researchers have identified an initial access broker named ToyMaker that facilitates access for ransomware groups, particularly CACTUS. ToyMaker deploys a custom malware family called LAGTOY, which creates reverse shells and executes commands on infected systems. Exploiting known vulnerabilities in internet-facing web applications for initial access, ToyMaker moves quickly through reconnaissance and credential harvesting. After acquiring credentials, it has been observed handing over access to CACTUS, indicating a well-structured cybercriminal network. The activity points to a financially motivated threat actor capable of exploiting security flaws for malicious ends.
LAGTOY can be used to create reverse shells and execute commands on infected endpoints, allowing attackers to maintain control over compromised systems.
The attackers have been observed leveraging a huge arsenal of known security flaws in internet-facing applications to obtain initial access, followed by conducting reconnaissance.
After a lull in activity of approximately three weeks, we observed the CACTUS ransomware group make its way into the victim enterprise using credentials stolen by ToyMaker.
Based on the relatively short dwell time, the lack of data theft and the subsequent handover to CACTUS, it is unlikely that ToyMaker acts alone.