Introducing Toymaker, an Initial Access Broker Working in Cahoots with Double Extortion Gangs

    Date: 04/25/2025

    Severity: Medium

    Summary

    In 2023, "ToyMaker," an initial access broker (IAB), was discovered working with double extortion gangs. Believed to be financially motivated, ToyMaker exploits vulnerabilities in internet-exposed systems to deploy a custom backdoor, "LAGTOY," on victim hosts; the backdoor provides persistent access and is used to extract credentials. LAGTOY supports reverse shells and remote command execution. After compromising systems, ToyMaker hands over access to groups such as Cactus, a double extortion gang, which uses its own tradecraft to exploit the victim's network further.

    Indicators of Compromise (IOC) List


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    dstipaddress IN ("51.81.42.234","158.247.211.51","39.106.141.68","162.33.178.196","64.52.80.252","149.102.243.100","194.156.98.155","162.33.177.56","103.199.16.92","209.141.43.37","206.188.196.20","75.127.0.235","47.117.165.166","195.123.240.2","178.175.134.52") or srcipaddress IN ("51.81.42.234","158.247.211.51","39.106.141.68","162.33.178.196","64.52.80.252","149.102.243.100","194.156.98.155","162.33.177.56","103.199.16.92","209.141.43.37","206.188.196.20","75.127.0.235","47.117.165.166","195.123.240.2","178.175.134.52")

    Detection Query 2

    sha256hash IN ("5831b09c93f305e7d0a49d4936478fac3890b97e065141f82cda9a0d75b1066d","0a367cc7e7e297248fad57e27f83316b7606788db9468f59031fed811cfe4867","0bcfea4983cfc2a55a8ac339384ecd0988a470af444ea8f3b597d5fe5f6067fb","70077fde6c5fc5e4d607c75ff5312cc2fdf61ea08cae75f162d30fa7475880de","691cc4a12fbada29d093e57bd02ca372bc10968b706c95370daeee43054f06e3","fdf977f0c20e7f42dd620db42d20c561208f85684d3c9efd12499a3549be3826","a95930ff02a0d13e4dbe603a33175dc73c0286cd53ae4a141baf99ae664f4132","c1bd624e83382668939535d47082c0a6de1981ef2194bb4272b62ecc7be1ff6b")
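    The two queries above share one shape: `<field> IN ("v1","v2",...)` terms joined by `or`. As an added example (not code from Gurucul or from the Talos write-up), the following Python parses that syntax into per-field IOC sets and evaluates it over constructed events, rejecting any other syntax; it assumes the query grammar is limited to IN terms joined by `or` and uses only a subset of the IOCs published above.

```python
import re

# Assumption: the Gurucul TDIR query syntax shown above consists only of
# `<field> IN ("v1","v2",...)` terms joined by `or`; anything else is rejected.
TERM_RE = re.compile(r'(\w+)\s+IN\s*\(([^)]*)\)', re.IGNORECASE)

def parse_query(query):
    """Return {field: set(values)} for every IN(...) term in the query."""
    terms = {}
    for field, raw_values in TERM_RE.findall(query):
        values = {v.strip().strip('"').lower() for v in raw_values.split(",") if v.strip()}
        terms.setdefault(field.lower(), set()).update(values)
    # Whatever is left after removing the IN terms must be nothing but `or` connectors.
    leftover = re.sub(r'\bor\b', '', TERM_RE.sub('', query), flags=re.IGNORECASE).strip()
    if not terms or leftover:
        raise ValueError("unsupported query syntax: %r" % (leftover or query))
    return terms

def matches(terms, event):
    """OR semantics: the event hits if any listed field holds a listed value (case-insensitive)."""
    return any(str(event.get(field, "")).lower() in values for field, values in terms.items())

def scan(query, events):
    """Return the events that match the query, in input order."""
    terms = parse_query(query)
    return [e for e in events if matches(terms, e)]

# Subset of the IOCs published above, in the page's own query syntax.
IP_QUERY = ('dstipaddress IN ("51.81.42.234","158.247.211.51","39.106.141.68") '
            'or srcipaddress IN ("51.81.42.234","158.247.211.51","39.106.141.68")')
HASH_QUERY = ('sha256hash IN ("5831b09c93f305e7d0a49d4936478fac3890b97e065141f82cda9a0d75b1066d",'
              '"fdf977f0c20e7f42dd620db42d20c561208f85684d3c9efd12499a3549be3826")')

# Constructed sample events (not real telemetry); event 4 is upper-cased to show the normalisation.
EVENTS = [
    {"id": 1, "srcipaddress": "10.0.0.5", "dstipaddress": "158.247.211.51"},
    {"id": 2, "srcipaddress": "10.0.0.6", "dstipaddress": "8.8.8.8"},
    {"id": 3, "srcipaddress": "39.106.141.68", "dstipaddress": "10.0.0.7"},
    {"id": 4, "sha256hash": "FDF977F0C20E7F42DD620DB42D20C561208F85684D3C9EFD12499A3549BE3826"},
    {"id": 5, "sha256hash": "0000000000000000000000000000000000000000000000000000000000000000"},
]

if __name__ == "__main__":
    for hit in scan(IP_QUERY, EVENTS) + scan(HASH_QUERY, EVENTS):
        print("IOC hit:", hit)
```

Feeding the full queries from this page into `scan` works unchanged, since they use the same grammar.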

    Reference:

    https://blog.talosintelligence.com/introducing-toymaker-an-initial-access-broker/


    Tags

    LAGTOYBackdoorExploitCactusRATCredentialTheftMalwareThreat ActorToyMaker
