LAGTOY
LAGTOY is a custom backdoor malware family used by the financially motivated initial access actor ToyMaker and identified by Mandiant as the same malware family as HOLERUN, which has been associated with UNC961. Talos reported ToyMaker exploiting known vulnerable internet-facing systems to gain access to high-value targets, including critical infrastructure organizations, then deploying LAGTOY on infected Windows endpoints. The malware is used to create reverse shells and execute commands on compromised machines, enabling post-compromise access and credential theft operations prior to access handoff to downstream ransomware actors such as Cactus. In the reported 2023 intrusion, ToyMaker used Magnet RAM Capture to dump memory, archived the dumps with 7za.exe, exfiltrated them with pscp.exe, and likely harvested credentials before later access was used by Cactus.
Talos reported that LAGTOY persists as a Windows service named "WmiPrvSV". It communicates with a hard-coded command-and-control (C2) server over TCP port 443 using raw sockets rather than TLS, implements anti-debugging via kernel32!SetUnhandledExceptionFilter(), and dispatches C2 commands identified by codes such as "#pt", "#pd", and "#ps". Talos also assessed with high confidence that LAGTOY's time-based execution logic is novel and unique to the family. Other reported behavior includes polling the hard-coded C2 server for commands, creating processes, and running commands as a specified user with that user's privileges. Mandiant reported that the malware can process three commands from its C2, with an 11,000 millisecond sleep between them.
High-confidence associations tie LAGTOY/HOLERUN to ToyMaker, UNC961, and follow-on ransomware activity involving Cactus; Talos also noted public reporting that UNC961 activity has preceded Maze and Egregor deployments by distinct follow-on actors. Indicators and artifacts named above include the Windows service name "WmiPrvSV", raw-socket C2 over port 443, and the malware alias HOLERUN.
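The behaviours described above (the "WmiPrvSV" service name, raw-socket C2 on TCP 443 that is not TLS, and the Magnet RAM Capture / 7za.exe / pscp.exe dump-archive-exfiltrate sequence) each map to something a defender can check in host and network telemetry. The script below is an added example written for this page; it is not code from Talos, Mandiant or Mallory. The event schema and field names, the executable stem "magnetramcapture" used to stand in for the Magnet RAM Capture binary, and the sample telemetry are all constructed assumptions and should be replaced with the shapes your own EDR and flow sources produce.

```python
"""Detection sketch for the LAGTOY / ToyMaker behaviours reported by Talos and Mandiant.

Added example, not vendor code. Event shape, field names and the sample
events below are constructed for this illustration.
"""
from collections import defaultdict

# Behaviours taken from public reporting on this family.
LAGTOY_SERVICE = "WmiPrvSV"            # reported persistence service name
# Tool order reported in the 2023 intrusion: memory dump -> archive -> exfil.
# "magnetramcapture" is an assumed executable stem for Magnet RAM Capture;
# substitute the filename you actually observe.
DUMP_CHAIN = ("magnetramcapture", "7za", "pscp")


def is_tls_record(first_bytes: bytes) -> bool:
    """True if the first bytes of a flow look like a TLS record header:
    content type 0x16 (handshake) followed by protocol version 0x03 0x00..0x04."""
    return (len(first_bytes) >= 3
            and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03
            and first_bytes[2] <= 0x04)


def check_service_install(ev: dict):
    """Flag a service install whose name matches the reported LAGTOY service name."""
    name = ev.get("service_name", "")
    if name.lower() == LAGTOY_SERVICE.lower():
        return f"service '{name}' installed from {ev.get('image')} matches reported LAGTOY persistence name"
    return None


def check_network_flow(ev: dict):
    """Flag outbound connections to port 443 whose payload does not start as TLS,
    which is how raw-socket C2 on 443 stands out from ordinary HTTPS."""
    if ev.get("dst_port") != 443 or ev.get("direction") != "outbound":
        return None
    payload = bytes.fromhex(ev.get("first_bytes_hex", ""))
    if payload and not is_tls_record(payload):
        return f"non-TLS traffic to {ev['dst_ip']}:443 from pid {ev['pid']}"
    return None


def check_dump_chain(process_events: list) -> list:
    """Return hosts on which the dump -> archive -> exfil tools ran in that order."""
    seen = defaultdict(list)
    for ev in sorted(process_events, key=lambda e: e["ts"]):
        image = ev["image"].lower().rsplit("\\", 1)[-1]
        stem = image[:-4] if image.endswith(".exe") else image
        for tool in DUMP_CHAIN:
            if stem.startswith(tool):
                seen[ev["host"]].append(tool)
    hits = []
    for host, tools in seen.items():
        idx = 0                      # each chain stage must follow the previous one
        for t in tools:
            if t == DUMP_CHAIN[idx]:
                idx += 1
                if idx == len(DUMP_CHAIN):
                    hits.append(host)
                    break
    return hits


def run_detections(events: list) -> list:
    """Apply all three checks and return (host, message) alerts."""
    alerts = []
    for ev in events:
        if ev["type"] == "service_install":
            msg = check_service_install(ev)
        elif ev["type"] == "net_flow":
            msg = check_network_flow(ev)
        else:
            continue
        if msg:
            alerts.append((ev["host"], msg))
    for host in check_dump_chain([e for e in events if e["type"] == "process"]):
        alerts.append((host, "memory dump -> 7za archive -> pscp exfiltration sequence observed"))
    return alerts


# Constructed sample telemetry (documentation IP ranges, made-up hosts and pids).
SAMPLE_EVENTS = [
    {"type": "service_install", "host": "srv01", "ts": 1, "service_name": "WmiPrvSV",
     "image": "C:\\Windows\\Temp\\svc.exe"},
    {"type": "service_install", "host": "srv01", "ts": 2, "service_name": "Spooler",
     "image": "C:\\Windows\\System32\\spoolsv.exe"},
    {"type": "net_flow", "host": "srv01", "ts": 3, "direction": "outbound", "dst_ip": "198.51.100.7",
     "dst_port": 443, "pid": 4120, "first_bytes_hex": "0000001a"},   # not a TLS record
    {"type": "net_flow", "host": "srv01", "ts": 4, "direction": "outbound", "dst_ip": "203.0.113.9",
     "dst_port": 443, "pid": 880, "first_bytes_hex": "160301"},      # TLS 1.0 record header
    {"type": "process", "host": "srv01", "ts": 5, "image": "C:\\Users\\Public\\MagnetRAMCapture.exe"},
    {"type": "process", "host": "srv01", "ts": 6, "image": "C:\\Users\\Public\\7za.exe"},
    {"type": "process", "host": "srv01", "ts": 7, "image": "C:\\Users\\Public\\pscp.exe"},
    {"type": "process", "host": "ws02", "ts": 8, "image": "C:\\Tools\\7za.exe"},  # 7za alone: no alert
]

if __name__ == "__main__":
    for host, msg in run_detections(SAMPLE_EVENTS):
        print(f"[{host}] {msg}")
```

On the sample data this raises three alerts, all on srv01: the WmiPrvSV service install, the non-TLS flow to port 443, and the ordered dump-archive-exfil tool sequence; ws02, which only ran 7za.exe, is not flagged. The reported 11,000 millisecond pause between C2 commands is a further hunt angle (fixed-interval flows to the same destination) that this sketch does not implement.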
Groups observed using it
1 distinct threat actor attributed by public researchers.
Talos tracked an IAB named ToyMaker and disclosed that the threat actor uses a homegrown backdoor called LAGTOY to steal victims' credentials.
Techniques & procedures
4 distinct techniques documented for this family, organized by ATT&CK tactic:
- Initial Access: 2 techniques
- Persistence: 2 techniques
- Privilege Escalation: 2 techniques
- Stealth: 1 technique
Evidence cited for each tactic: Talos tracked an IAB named ToyMaker and disclosed that the threat actor uses a homegrown backdoor called LAGTOY to steal victims' credentials. ToyMaker, which used the LAGTOY backdoor to create a reverse shell, subsequently passed on access to secondary threat actors, most notably the Cactus group.
IOCs tracked for this family
16 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, in two categories:
- IPs, domains, and DNS infrastructure linked to this family.
- File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
7 sources tracked across advisories, community write-ups, and news. Summaries from those sources:
- Custom malware used by an initial access broker (ToyMaker) to establish/enable access later sold to ransomware gangs (e.g., CACTUS).
- Homegrown backdoor used to steal credentials and create a reverse shell, after which access was handed to secondary actors including Cactus.
- Proprietary backdoor deployed post-compromise by the ToyMaker/UNC961 initial access group; assessed as a fallback/last-resort access channel and a precursor indicator for follow-on ransomware activity (e.g., access handoff to Cactus).
- A custom implant used by ToyMaker to gain initial access to high-value targets.