LAGTOY
LAGTOY, also known as HOLERUN, is a custom backdoor associated with the financially motivated initial access activity cluster ToyMaker and previously reported by Mandiant as used by UNC961 (also referred to as Gold Melody and Prophet Spider). Cisco Talos assessed LAGTOY/HOLERUN as the same malware family. The malware is used after exploitation of known vulnerabilities in internet-facing applications, with ToyMaker scanning for vulnerable systems, gaining initial access, conducting reconnaissance and credential harvesting, and deploying LAGTOY within about a week of compromise. In Talos reporting on the 2023 ToyMaker campaign, attackers compromised a victim server, exfiltrated credentials, and deployed LAGTOY during an initial wave of activity; roughly three weeks later, the CACTUS ransomware group used the stolen credentials in a separate follow-on intrusion, supporting an access handoff model.
LAGTOY is designed to contact a hard-coded command-and-control server to retrieve commands for execution. Reported capabilities include creating reverse shells, executing commands on infected endpoints, creating processes, and running commands under specified users with corresponding privileges. Mandiant reported that it can process three commands from its C2 server with an 11,000 millisecond sleep interval between them. In observed intrusions, ToyMaker also used SSH to download Magnet RAM Capture and obtained memory dumps likely for credential theft. High-confidence associations in the provided content link LAGTOY to ToyMaker/UNC961 initial access operations and identify infected hosts as potential precursors to later CACTUS ransomware activity.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Talos investigated the ToyMaker campaign in 2023... [attackers] exfiltrated credentials and deployed the proprietary LAGTOY backdoor... We discovered that this backdoor is the same as HOLERUN, which Mandiant reported as being used by UNC961.
Recent activity
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Custom malware used by an initial access broker (ToyMaker) to establish/enable access later sold to ransomware gangs (e.g., CACTUS).
Proprietary backdoor deployed post-compromise by the ToyMaker/UNC961 initial access group; assessed as a fallback/last-resort access channel and a precursor indicator for follow-on ransomware activity (e.g., access handoff to Cactus).
Custom backdoor used by the Toymaker initial access broker group to create reverse shells and execute commands on compromised enterprise systems.
Custom backdoor/RAT used by an initial access broker to establish remote command execution (including reverse shells), contact a hard-coded C2 to retrieve commands, create processes, and run commands under specified user contexts/privileges.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.