ToyMaker’s Troubling Trade: How Cybercriminals Sell Access to Ransomware Gangs

ToyMaker is the Robin Hood of cybercrime—but with a twist. Instead of robbing the rich to give to the poor, this initial access broker sells access to ransomware gangs like CACTUS. Using LAGTOY malware, ToyMaker secures credentials and hands over enterprises like they’re hot potatoes, proving even cyber villains have efficiency goals.

Hot Take:

Bad news, folks! Apparently, ToyMaker isn’t just your childhood wooden toy enthusiast anymore. This initial access broker is now playing a high-stakes game of cyber chess with some ransomware heavyweights, and it’s leaving our digital dollhouses wide open! Looks like ToyMaker is more about making trouble than toys these days.

Key Points:

– ToyMaker is a financially motivated initial access broker working with ransomware gangs.
– Uses custom malware, LAGTOY, for creating reverse shells and executing commands on infected systems.
– LAGTOY communicates with a command-and-control server for instructions.
– The threat actor exploits known security flaws to gain initial access.
– After access is gained, ToyMaker hands over the credentials to ransomware groups like CACTUS.

The Nimble Nerd