
Who is the ToyMaker?
A lot of effort goes into tracking and reporting on the ransomware threat and those who launch the attacks. Given the sheer number of ransomware attacks and the money that can be made by those with no moral compass, this isn’t exactly surprising. No surprise, either, that some are willing to pay good money to those willing to snitch on ransomware threat groups. What is surprising, however, is that less time and fewer resources seem to go into researching the people who enable ransomware attackers. I’m talking about initial access brokers who, like it says on the tin, are the ones who open the doors to your systems for the ransomware attackers to exploit. Initial access brokers like the ToyMaker.
Who Is The ToyMaker?
As I have already reported, ransomware attacks have surged by 132% despite a 35% drop in payments in the first quarter of 2025. Social engineering, adversary-in-the-middle attacks and information-stealing malware have all contributed to this ransomware resurgence. Welcome to the world of the initial access broker. Leaks from within the ransomware gangs themselves have shown that initial access brokers play a pivotal role in the success of any attack. The ToyMaker is an initial access broker and, according to a new report from researchers at Cisco Talos, a very dangerous one indeed.
In their deep dive into the world of the ToyMaker, Cisco Talos threat intelligence researchers Joey Chen, Asheer Malhotra, Ashley Shen, Vitor Ventura and Brandon White have revealed just how dangerous this mysterious figure is.
The ToyMaker isn’t motivated by politics or tied to any nation-state espionage groups, but rather is, the threat intelligence experts said with medium confidence, a financially motivated threat actor. The job that they do is simple: exploit vulnerable systems that are exposed to the internet. Well, I say simple, but the methods used and the consequences of success are anything but. The ToyMaker deploys a custom-coded backdoor called lagtoy, which can steal credentials from the target system it is installed upon, as well as create reverse shells and execute commands on infected endpoints. This is not a toy to be played around with lightly. “A compromise by lagtoy may result in access handover to a secondary threat actor,” Cisco Talos warned, specifically, a double extortion ransomware group known as Cactus.
The ToyMaker is also a speedy operator when it comes to deploying these malicious toys. “ToyMaker performed preliminary reconnaissance, credential extraction and backdoor deployment within the span of a week,” Cisco Talos said. As is the case with initial access brokers, that would then signal the end of the ToyMaker’s involvement in the attack. After a three-week pause, the Cactus ransomware group strikes using the credentials stolen by the ToyMaker.