ToyMaker Hackers Compromised a Multitude of Hosts Using SSH & File Transfer Tools

In 2023, cybersecurity experts uncovered an extensive compromise in critical infrastructure enterprises by a sophisticated threat actor group.

This initial access broker, dubbed “ToyMaker,” systematically exploited vulnerable internet-facing systems before deploying custom backdoors to extract credentials from victim organizations.

Their methodology involved a carefully orchestrated approach using SSH file transfer utilities and remote administration tools to maintain persistent access to compromised networks.


The threat actor’s primary objective appears to be financially motivated, with ToyMaker establishing initial access and then transferring control to secondary actors, specifically the Cactus ransomware group.

This relationship between ToyMaker and Cactus represents a concerning trend in the cybercriminal ecosystem, where specialized groups focus on specific aspects of an attack chain rather than executing end-to-end operations themselves.

Cisco Talos researchers identified ToyMaker’s signature backdoor, called “LAGTOY,” which provides remote access capabilities to infected systems.

The backdoor enables threat actors to establish reverse shells and execute arbitrary commands on compromised endpoints.

Following credential extraction, ToyMaker typically hands over access to the Cactus gang, who subsequently deploy ransomware and engage in double extortion tactics.

The infection chain begins with ToyMaker exploiting vulnerable internet-facing servers, followed by rapid reconnaissance commands to gather system information.

The attackers then create fake user accounts, typically named “support,” and add them to administrative groups. Investigation revealed that ToyMaker uses Windows OpenSSH packages to establish listeners on compromised endpoints before deploying their credential harvesting tools.

LAGTOY Backdoor: Technical Analysis

LAGTOY, also known as “HOLERUN” by Mandiant, represents the primary persistent threat tool in ToyMaker’s arsenal.

The backdoor is designed to periodically connect to hardcoded command and control (C2) servers, receiving and executing commands on infected systems.

The malware operates as a Windows service named “WmiPrvSV” and implements rudimentary anti-debugging techniques to evade analysis.

The backdoor’s execution logic establishes communication with its C2 server over port 443, though notably without employing TLS encryption.

LAGTOY execution logic (Source – Cisco Talos)

Instead, it uses a raw socket connection and sends its traffic in the clear, which lets it slip past inspection mechanisms that are tuned for encrypted TLS sessions on that port.

```c
if ( v1 )
{
    memset(MultiByteStr, 0, 0x1820ui64);
    v2 = v1;                         // v1: number of wide characters received from the C2
    v3 = v7 + 2i64 * v1 - 2;         // v3: pointer to the last UTF-16 unit of the buffer
    if ( v1 != 1 || *(_WORD *)v3 != 10 && *(_WORD *)v3 != 13 )
    {
        do                           // walk the buffer backwards, nulling every LF (10) / CR (13)
        {
            v4 = *(_WORD *)v3;
            v3 -= 2i64;
            if ( v4 == 10 || v4 == 13 )
                *(_WORD *)(v3 + 2) = 0;
            --v2;
        }
        while ( v2 );
    }
}
```

LAGTOY’s command structure reveals three primary control codes: ‘#pt’ to stop the service, ‘#pd’ to break execution chains, and ‘#ps’ to create processes or execute commands.

The malware implements a unique time-based execution logic that allows it to determine when to execute commands versus when to sleep.

This mechanism includes a watchdog routine that reinitializes connections if running for more than 60 minutes, demonstrating sophisticated persistence capabilities.

Overall timing and C2 communications logic of LAGTOY (Source – Cisco Talos)

The overall timing and C2 communications logic implemented by LAGTOY shows the malware’s ability to process three commands from the C2 with a sleep interval of 11,000 milliseconds between them.

This carefully architected communication pattern helps minimize detection while maintaining operational efficiency for the threat actors.
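The traits the analysis lists (the "WmiPrvSV" service name, the "support" account added to an administrative group, and plaintext command traffic on port 443) translate directly into host and network checks. The following is an added example, not Cisco Talos code, run over constructed sample events and flow records; the event IDs are the standard Windows ones for service installation (7045), account creation (4720) and local group membership changes (4732), the addresses are documentation-range placeholders, and the "#ps" payload is constructed, not LAGTOY's real framing.

```python
"""Added example: detections for the ToyMaker/LAGTOY traits described in the article.
Sample events and flows are constructed; 198.51.100.10 is a placeholder, not a real C2."""

# A TLS record begins with a content type (0x14-0x17) followed by a 0x03,0x0N version.
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}


def is_tls_record(payload: bytes) -> bool:
    """Return True if the first client bytes of a flow look like a TLS record header."""
    if len(payload) < 5:
        return False
    return payload[0] in TLS_CONTENT_TYPES and payload[1] == 0x03 and payload[2] <= 0x04


def flag_plaintext_443(flows):
    """Destinations of port-443 flows that carry no TLS, as LAGTOY's raw-socket C2 does."""
    return [f["dst"] for f in flows if f["dport"] == 443 and not is_tls_record(f["first_bytes"])]


def flag_host_events(events):
    """Flag the host-side traits: LAGTOY service name, 'support' account, admin-group add."""
    alerts = []
    for e in events:
        if e["id"] == 7045 and e.get("service", "").lower() == "wmiprvsv":
            # Lookalike of the legitimate WmiPrvSE (WMI Provider Host) name.
            alerts.append(f"service installed with LAGTOY name: {e['service']}")
        elif e["id"] == 4720 and e.get("user", "").lower() == "support":
            alerts.append(f"account created matching ToyMaker pattern: {e['user']}")
        elif e["id"] == 4732 and e.get("group", "").lower() == "administrators":
            alerts.append(f"{e['user']} added to local {e['group']} group")
    return alerts


# Constructed sample data.
SAMPLE_FLOWS = [
    {"dst": "198.51.100.10", "dport": 443, "first_bytes": b"#ps whoami\r\n"},  # plaintext, constructed
    {"dst": "203.0.113.5", "dport": 443, "first_bytes": bytes.fromhex("1603010200010001fc0303")},
    {"dst": "203.0.113.9", "dport": 80, "first_bytes": b"GET / HTTP/1.1\r\n"},  # not port 443
]
SAMPLE_EVENTS = [
    {"id": 7045, "service": "Spooler"},
    {"id": 7045, "service": "WmiPrvSV"},
    {"id": 4720, "user": "support"},
    {"id": 4732, "user": "support", "group": "Administrators"},
    {"id": 4732, "user": "backupsvc", "group": "Backup Operators"},
]

if __name__ == "__main__":
    print(flag_plaintext_443(SAMPLE_FLOWS))
    print(*flag_host_events(SAMPLE_EVENTS), sep="\n")
```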

After establishing access, ToyMaker typically remains dormant for approximately three weeks before Cactus operators take over the access, deploying their own toolset for lateral movement, data exfiltration, and ultimately ransomware deployment – showcasing the increasingly compartmentalized nature of modern cybercriminal operations.


Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.