April 28, 2025
Severity
High
Analysis Summary
ToyMaker, an initial access broker (IAB), has been selling access to compromised organizations to ransomware groups such as CACTUS, which then carry out double-extortion attacks. According to cybersecurity researchers, ToyMaker appears to be a financially motivated actor. The group scans the internet for vulnerable systems and uses its custom malware, LAGTOY (also tracked as HOLERUN), to infect hosts and establish control.
LAGTOY lets the attackers spawn reverse shells and execute arbitrary commands remotely on compromised machines. Once running, the malware contacts a hard-coded command-and-control (C2) server to receive and execute instructions.
ToyMaker exploits known vulnerabilities in internet-facing applications to breach organizations quickly. Within roughly a week of the initial compromise, the group performs reconnaissance, harvests credentials, and deploys LAGTOY to maintain access.
In a recent incident, after a short period of inactivity, the CACTUS ransomware gang used credentials stolen by ToyMaker to attack the victim organization. ToyMaker's main goal appears to be selling access for profit; it hands the victim off rather than deploying ransomware itself. After gaining a foothold, CACTUS actors conduct their own reconnaissance, set up persistence using tools such as OpenSSH, AnyDesk, and eHorus Agent, and then exfiltrate and encrypt data.
Impact
- Data Exfiltration
- Financial Loss
- Unauthorized Access
Indicators of Compromise
IP
- 23.227.203.214
- 107.181.187.184
- 45.61.136.39
- 209.141.61.225
MD5
- c55f4b123c645f9c5a1d00205ab2e61e
- 31c49b87463f4e4ce6ae4c442319d3a2
SHA-256
- 5dbae77cc7539a70070a1bc811f806c82e0ac11c05aa29e4465270e457153fb3
- ec8fcc5f5bc33d9cbe3b1d14a2c39b94ce8230e7d99ba4913881d03a3f84ab3f
SHA-1
- 4470bf3b9b59859c901608c41e5de2c077b3b092
- 144461b7606d81c07d41465ffcad17bd5cdf533d
URL
- https://ms-prod19-live.com/rehjhj8785780923853/abc
- https://ms-prod19-live.com/rehjhj8785780923853/cdef
Remediation
- Block all threat indicators at your respective controls (perimeter firewall, web proxy, DNS filtering, and endpoint protection).
- Search for the indicators of compromise (IOCs) above in your environment using your respective security controls: proxy and DNS logs for the IPs, domain and URLs; EDR and file-inventory data for the hashes.
- Alert on unexpected installation of remote-access tools such as AnyDesk or eHorus Agent, or of OpenSSH on hosts that do not normally run it, since CACTUS used these for persistence after the handoff from ToyMaker.
- Emails from unknown senders should always be treated with caution.
- Never trust or open links and attachments received from unknown sources or senders.
- Enable antivirus and anti-malware software and keep signature definitions current. Multi-layered protection is necessary to secure vulnerable assets.
- Patch and upgrade platforms and software promptly, and make this a standard security policy. Prioritize patching known exploited vulnerabilities in internet-facing applications, which is how ToyMaker gains its initial foothold.
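The IOC search recommended above, as an added worked example (this is editor-supplied code, not a tool from the advisory or from the researchers who reported ToyMaker). It loads the IP, hash, domain and URL indicators listed in this advisory, sweeps a set of constructed proxy/DNS/EDR log lines for them, and shows how to check a file's bytes against all three hash types in one pass. The log lines, the hostnames, the internal IP addresses and the field names are constructed for illustration and are not from the page.

```python
"""Sweep log lines and file contents for the ToyMaker / LAGTOY IOCs in this advisory."""
import hashlib
import re
from urllib.parse import urlsplit

# Indicators copied from the advisory above.
IOC_IPS = {"23.227.203.214", "107.181.187.184", "45.61.136.39", "209.141.61.225"}
IOC_HASHES = {  # MD5, SHA-1 and SHA-256 together; all compared in lowercase hex
    "c55f4b123c645f9c5a1d00205ab2e61e",
    "31c49b87463f4e4ce6ae4c442319d3a2",
    "4470bf3b9b59859c901608c41e5de2c077b3b092",
    "144461b7606d81c07d41465ffcad17bd5cdf533d",
    "5dbae77cc7539a70070a1bc811f806c82e0ac11c05aa29e4465270e457153fb3",
    "ec8fcc5f5bc33d9cbe3b1d14a2c39b94ce8230e7d99ba4913881d03a3f84ab3f",
}
IOC_URLS = {
    "https://ms-prod19-live.com/rehjhj8785780923853/abc",
    "https://ms-prod19-live.com/rehjhj8785780923853/cdef",
}
# The C2 hostname is derived from the URLs so DNS-only sightings are also caught.
IOC_DOMAINS = {urlsplit(u).hostname for u in IOC_URLS}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"']+")
# Longest alternative first so a SHA-256 is never split into a shorter match.
HASH_RE = re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")
# Hostname must not be a suffix of a longer label (no "evil-ms-prod19-live.com" hits),
# but a trailing "." (DNS FQDN form) or "/" (URL path) is allowed.
DOMAIN_RE = re.compile(
    r"(?<![\w.-])(?:" + "|".join(re.escape(d) for d in sorted(IOC_DOMAINS)) + r")(?![\w-])",
    re.IGNORECASE,
)


def scan_line(line: str) -> list[tuple[str, str]]:
    """Return (indicator_type, value) for every advisory IOC seen in one log line."""
    hits = []
    for ip in IPV4_RE.findall(line):
        if ip in IOC_IPS:
            hits.append(("ip", ip))
    for url in URL_RE.findall(line):
        url = url.rstrip(".,;)")  # strip punctuation that trails a URL in free text
        if url in IOC_URLS:
            hits.append(("url", url))
    for dom in DOMAIN_RE.findall(line):
        hits.append(("domain", dom.lower()))
    for h in HASH_RE.findall(line):
        if h.lower() in IOC_HASHES:
            hits.append(("hash", h.lower()))
    return hits


def sweep(lines) -> list[tuple[int, str, str]]:
    """Sweep an iterable of log lines; return (line_number, indicator_type, value) hits."""
    return [(n, kind, value) for n, line in enumerate(lines, 1) for kind, value in scan_line(line)]


def matching_hashes(data: bytes) -> set[str]:
    """Hash a file's bytes with MD5, SHA-1 and SHA-256 and return any digests on the IOC list."""
    digests = {
        hashlib.md5(data).hexdigest(),
        hashlib.sha1(data).hexdigest(),
        hashlib.sha256(data).hexdigest(),
    }
    return digests & IOC_HASHES


# Constructed sample log lines (not from the advisory): proxy, DNS and EDR events.
SAMPLE_LOGS = [
    "2025-04-20T08:12:01Z proxy src=10.0.5.17 dst=45.61.136.39:443 action=allow",
    "2025-04-20T08:12:03Z dns query=ms-prod19-live.com type=A client=10.0.5.17",
    "2025-04-20T08:12:04Z proxy url=https://ms-prod19-live.com/rehjhj8785780923853/abc status=200",
    "2025-04-20T08:15:22Z edr file=C:\\Users\\Public\\svc.exe "
    "sha256=5dbae77cc7539a70070a1bc811f806c82e0ac11c05aa29e4465270e457153fb3",
    "2025-04-20T08:20:00Z proxy src=10.0.5.18 dst=93.184.216.34:443 action=allow",
]

if __name__ == "__main__":
    for n, kind, value in sweep(SAMPLE_LOGS):
        print(f"line {n}: {kind} {value}")
```

Feed real exports to `sweep()` one line at a time (for example `sweep(open("proxy.log"))`) and pass file contents to `matching_hashes()` for anything the EDR flags; because LAGTOY contacts a hard-coded C2, a single proxy or DNS hit on the domain is worth escalating even when no hash matches.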