The initial access broker (IAB) that Talos calls “ToyMaker”, and assesses with medium confidence to be a financially motivated threat actor, exploits vulnerable systems exposed to the internet. The actor deploys a custom-made backdoor Talos calls “LAGTOY” and extracts credentials from the victim enterprise. LAGTOY can be used to create reverse shells and execute commands on infected endpoints.
Author: AlienVault
Related Tags:
bugsleep
holerun
capture
magnet ram
toymaker
LAGTOY
initial access broker
Cactus
winscp
Associated Indicators: