Introducing ToyMaker

April 23, 2025, 10:56 p.m.

Description

The initial access broker (IAB) that Talos calls “ToyMaker”, and assesses with medium confidence to be a financially motivated threat actor, exploits vulnerable systems exposed to the internet. The actor deploys a custom-made backdoor, which Talos calls “LAGTOY”, and extracts credentials from the victim enterprise. LAGTOY can be used to create reverse shells and execute commands on infected endpoints.

Date

  • Created: April 23, 2025, 10:12 p.m.
  • Published: April 23, 2025, 10:12 p.m.
  • Modified: April 23, 2025, 10:56 p.m.

Indicators

  • fdf977f0c20e7f42dd620db42d20c561208f85684d3c9efd12499a3549be3826
  • c1bd624e83382668939535d47082c0a6de1981ef2194bb4272b62ecc7be1ff6b
  • 70077fde6c5fc5e4d607c75ff5312cc2fdf61ea08cae75f162d30fa7475880de
  • 5831b09c93f305e7d0a49d4936478fac3890b97e065141f82cda9a0d75b1066d
  • 0a367cc7e7e297248fad57e27f83316b7606788db9468f59031fed811cfe4867
  • 51.81.42.234
  • 39.106.141.68
  • 47.117.165.166
  • 209.141.43.37
  • 194.156.98.155
  • 178.175.134.52
  • 162.33.178.196
  • 162.33.177.56
  • 158.247.211.51
  • 149.102.243.100
  • 103.199.16.92
  • 75.127.0.235
  • 64.52.80.252
  • 206.188.196.20
  • 195.123.240.2

Attack Patterns

  • LAGTOY
  • Cactus