Introducing ToyMaker
Essential information
- Published: 23/04/2025 22:12
- Modified: 23/04/2025 22:56
- Tags: 2025-04-23, anydesk, bugsleep, cactus, capture, file transfer, holerun, impacket, initial access broker, lagtoy, magnet ram, metasploit, persistence, powershell, ransomware, ssh, toymaker, winscp
- Related entities: 20 observables, 6 techniques (MITRE), 2 malware
Description
The initial access broker (IAB) that Talos calls "ToyMaker", and assesses with medium confidence to be a financially motivated threat actor, exploits vulnerable systems exposed to the internet. They deploy their custom-made backdoor, which we call "LAGTOY", and extract credentials from the victim enterprise. LAGTOY can be used to create reverse shells and execute commands on infected endpoints.