Introducing ToyMaker
April 23, 2025, 10:56 p.m.
Description
The initial access broker (IAB), which Talos calls “ToyMaker” and assesses with medium confidence to be a financially motivated threat actor, exploits vulnerable systems exposed to the internet. ToyMaker deploys a custom backdoor that Talos calls “LAGTOY” and extracts credentials from the victim enterprise. LAGTOY can be used to create reverse shells and execute commands on infected endpoints.
Tags
Date
- Created: April 23, 2025, 10:12 p.m.
- Published: April 23, 2025, 10:12 p.m.
- Modified: April 23, 2025, 10:56 p.m.
Indicators