Intel Name: Introducing ToyMaker, an initial access broker working in cahoots with double extortion gangs
Date of Scan: April 25, 2025
Impact: Medium
Summary: In 2023, “ToyMaker,” an initial access broker (IAB), was discovered working with double extortion gangs. Believed to be financially motivated, ToyMaker exploits vulnerabilities in internet-exposed systems to deploy a custom backdoor called “LAGTOY” on victim systems, which gives it access to those systems and lets it extract credentials. LAGTOY enables reverse shells and command execution. After compromising systems, ToyMaker hands over access to groups like Cactus, a double extortion gang, which employs its own tactics to further exploit the victim’s network.