The new strategy is explained in a joint whitepaper. It builds on the Diamond Model of Intrusion Analysis by adding a “Relationship Layer.” This layer maps connections between attackers, infrastructure, tools, and victims—even across separate phases of an attack.
How Compartmentalized Attacks Work
These attacks often start with Initial Access Brokers (IABs), such as the ToyMaker group. ToyMaker specializes in breaching networks and then selling that access to other actors, including ransomware groups or state-sponsored teams.
In one 2023 case, ToyMaker used a custom backdoor named LAGTOY to remain inside a network. They stole user credentials and later handed off control to the Cactus ransomware group.
This kind of handoff often confuses defenders, who may mistake early-stage activity such as credential theft for part of the final ransomware deployment, or attribute both phases to a single actor.
In 2024, Cisco Talos found that 67% of ransomware incidents involved IABs. This trend shows the urgent need for new frameworks to model such attacks.
“Compartmentalization isn’t just a tactic—it’s a business model,” said Edmund Brumaghin, lead researcher at Cisco Talos. “Adversaries now operate like supply chains. They outsource access, tools, and monetization. Defenders need to track relationships, not just systems.”
Inside the Attack Chain: ToyMaker’s Infection Process
ToyMaker’s operations show the complexity of modern IAB attacks. They begin with spear-phishing emails that include malicious ISO files pretending to be invoices.
Once opened, the file runs a PowerShell script named deploy.ps1. This script downloads a second-stage payload from a third-party Traffic Distribution System (TDS).
The downloaded malware, LAGTOY, is loaded through reflective DLL injection, so it never appears as a normally loaded module and evades tools that enumerate loaded modules in memory. It then creates a Windows Scheduled Task to maintain persistence. The task action is a PowerShell command line whose -EncodedCommand argument is base64-encoded UTF-16LE script text:
# Scheduled Task Example for LAGTOY
powershell.exe -EncodedCommand JABiAGEAdABjAGgAIAA9ACAAJwB3AGkAbgBkAG8AdwBzAFwAcwB5AHMAdABlAG0AIgA6ADEAMgAzADQAJwA7 -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden
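A hunter's check for this persistence pattern, as an added example that is not from the page or from Talos: it tokenises an exported scheduled-task action, decodes the -EncodedCommand argument (base64 of UTF-16LE text) and flags the combination of evasion switches in the command line above. The benign cmd.exe action and the dictionary keys are constructed for contrast; the encoded string is the one quoted above and is truncated, so the decoder is deliberately lenient.

```python
import base64
import shlex

# Constructed sample: the scheduled-task action quoted on the page, as it would
# appear in an exported task listing, plus a hypothetical benign action.
TASK_ACTIONS = {
    "lagtoy-like": (
        "powershell.exe -EncodedCommand "
        "JABiAGEAdABjAGgAIAA9ACAAJwB3AGkAbgBkAG8AdwBzAFwAcwB5AHMAdABlAG0AIgA6ADEAMgAzADQAJwA7 "
        "-NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden"
    ),
    "benign": r"C:\Windows\System32\cmd.exe /c C:\Scripts\nightly-backup.bat",
}


def is_encoded_switch(tok: str) -> bool:
    """powershell.exe accepts -EncodedCommand and its abbreviations (-e, -ec, -enc ...)."""
    tok = tok.lower()
    return tok == "-ec" or (len(tok) >= 2 and "-encodedcommand".startswith(tok))


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries UTF-16LE script text, base64-encoded.
    Pasted IOCs are often truncated, so pad and decode leniently."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    return raw.decode("utf-16le", errors="replace")


def analyze_action(action: str) -> dict:
    """Tokenise a task action and flag the PowerShell switches the persistence
    task combines. Returns the decoded script when one is present."""
    tokens = shlex.split(action, posix=False)  # keep Windows backslashes literal
    findings, decoded = [], None
    i = 0
    while i < len(tokens):
        tok = tokens[i].lower()
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if is_encoded_switch(tok) and nxt:
            decoded = decode_encoded_command(nxt)
            findings.append("encoded_command")
            i += 2
            continue
        if tok in ("-nop", "-noprofile"):
            findings.append("no_profile")
        elif tok in ("-ep", "-ex", "-exec", "-executionpolicy") and nxt.lower() == "bypass":
            findings.append("execution_policy_bypass")
        elif tok in ("-w", "-win", "-windowstyle") and nxt.lower() == "hidden":
            findings.append("hidden_window")
        i += 1
    binary = tokens[0].lower().rsplit("\\", 1)[-1] if tokens else ""
    return {
        "binary": binary,
        "decoded": decoded,
        "findings": findings,
        # An encoded script plus at least one other evasion switch is the hunt
        # signal; a lone -EncodedCommand also shows up in legitimate admin tooling.
        "suspicious": "encoded_command" in findings and len(findings) >= 2,
    }


if __name__ == "__main__":
    for name, action in TASK_ACTIONS.items():
        print(name, analyze_action(action))
```

On a live host the same logic runs over `Get-ScheduledTask | Select-Object -ExpandProperty Actions`, and the decoded text is what gets compared against known LAGTOY tooling rather than the base64 blob, which changes with every whitespace edit to the script.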
LAGTOY communicates with its command-and-control (C2) server over HTTPS, with the traffic additionally RC4-encrypted inside the TLS session, so signature-based network tools, including those that inspect decrypted TLS, see only opaque data.
The malware also harvests SSH private keys stored in PuTTY key files on infected systems. These credentials are passed on to ransomware groups such as Cactus.
ToyMaker uses bulletproof hosting services that are often shared with other cybercriminals. This makes attribution based on infrastructure unreliable.
After remaining quiet for three weeks, ToyMaker removes its traces and hands over the network to Cactus. Cactus then uses the stolen credentials to move laterally and deploy ransomware.
New Model Focuses on Relationships, Not Just Artifacts
The updated Diamond Model helps defenders make sense of these complex handoffs. It adds context about relationships—such as when one actor buys access from another.
For example, ToyMaker’s infrastructure is labeled as being used by Cactus through a brokered relationship. This lets analysts connect the dots without assuming both actors are the same group.
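One way to represent that Relationship Layer in code, as an added example that is not from the whitepaper or from Talos: a small typed graph over Diamond Model entities (adversary, capability, infrastructure, victim) whose edges carry a relationship label and an attack phase. The node names, labels and phases are assumptions chosen to mirror the ToyMaker and Cactus scenario; the point is that infrastructure attribution returns ToyMaker as operator and Cactus as a brokered user, rather than collapsing the two into one group.

```python
from collections import deque

# Constructed relationship graph for the scenario on the page. Node names,
# relationship labels and phases are assumptions for this example, not Talos's schema.
NODES = {
    "ToyMaker": "adversary",
    "Cactus": "adversary",
    "LAGTOY": "capability",
    "stolen-creds": "capability",
    "bp-host-1": "infrastructure",
    "victim-corp": "victim",
}

# (source, relationship, target, attack phase)
EDGES = [
    ("ToyMaker", "develops", "LAGTOY", "initial-access"),
    ("ToyMaker", "operates", "bp-host-1", "initial-access"),
    ("LAGTOY", "beacons-to", "bp-host-1", "initial-access"),
    ("ToyMaker", "compromises", "victim-corp", "initial-access"),
    ("ToyMaker", "harvests", "stolen-creds", "initial-access"),
    ("ToyMaker", "sells-access-to", "Cactus", "handoff"),  # the brokered relationship
    ("Cactus", "uses", "stolen-creds", "ransomware"),
    ("Cactus", "encrypts", "victim-corp", "ransomware"),
]


def adjacency():
    """Undirected view of the graph that remembers each edge's direction and label."""
    adj = {n: [] for n in NODES}
    for src, rel, dst, _ in EDGES:
        adj[src].append((dst, f"-{rel}->"))
        adj[dst].append((src, f"<-{rel}-"))
    return adj


def chain(start, goal):
    """Shortest explanation of how two nodes are connected, as a list of
    (node, labelled edge, node) hops. Empty list if they are unconnected."""
    adj, parent = adjacency(), {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            break
        for nxt, label in adj[node]:
            if nxt not in parent:
                parent[nxt] = (node, label)
                queue.append(nxt)
    if goal not in parent:
        return []
    hops, cur = [], goal
    while parent[cur] is not None:
        prev, label = parent[cur]
        hops.append((prev, label, cur))
        cur = prev
    return hops[::-1]


def attribute_infrastructure(infra):
    """Who is behind a piece of infrastructure: its direct operators, plus any
    actor that bought access from an operator, labelled as brokered, not merged."""
    result = {}
    for src, rel, dst, _ in EDGES:
        if dst == infra and rel == "operates":
            result[src] = "operates"
            for s2, r2, buyer, _ in EDGES:
                if s2 == src and r2 == "sells-access-to":
                    result[buyer] = f"brokered via {src}"
    return result


def phases_of(actor):
    """Attack phases an actor touches, so cross-phase handoffs stay visible."""
    return sorted({ph for s, _, d, ph in EDGES if actor in (s, d)})


if __name__ == "__main__":
    print(attribute_infrastructure("bp-host-1"))
    for hop in chain("Cactus", "bp-host-1"):
        print(*hop)
```

The `chain` query is what an analyst would run when a LAGTOY beacon destination turns up in a Cactus incident: the answer is the two-hop path through the sells-access-to edge, which says "shared infrastructure via a broker" rather than "same group".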
Cisco Talos urges defenders to watch for delayed attack stages. One sign could be credential theft followed weeks later by unusual lateral movement.
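A minimal version of that delayed-stage correlation, as an added example that is not Talos's detection logic: it runs over a few constructed log records and flags an account whose credentials were accessed and that, weeks later, logs on to hosts it had never reached before the theft. The event shape, host and account names, and the 45-day window (matching the reinfection figure the page cites) are assumptions; the scanner account is included to show that volume of logons alone does not trigger the rule.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry (not real logs). action is "credential_access" (e.g. an
# LSASS dump or private-key file read on host) or "remote_logon" (account
# logging on from host to target).
EVENTS = [
    {"ts": "2023-02-10T08:05:00", "host": "WS-014", "account": "jdoe", "action": "remote_logon", "target": "FS-01"},
    {"ts": "2023-02-15T08:11:00", "host": "WS-014", "account": "jdoe", "action": "remote_logon", "target": "FS-01"},
    {"ts": "2023-03-01T09:12:00", "host": "WS-014", "account": "jdoe", "action": "credential_access", "target": None},
    {"ts": "2023-03-01T09:30:00", "host": "WS-014", "account": "jdoe", "action": "remote_logon", "target": "FS-01"},
    # three weeks of silence, then a different operator moves with the stolen account
    {"ts": "2023-03-22T02:10:00", "host": "WS-014", "account": "jdoe", "action": "remote_logon", "target": "DC-01"},
    {"ts": "2023-03-22T02:12:00", "host": "WS-014", "account": "jdoe", "action": "remote_logon", "target": "SQL-07"},
    {"ts": "2023-03-22T02:15:00", "host": "WS-014", "account": "jdoe", "action": "remote_logon", "target": "BACKUP-02"},
    # noisy but legitimate: a scanner account touches many hosts with no prior credential theft
    {"ts": "2023-03-22T03:00:00", "host": "SCAN-01", "account": "svc-scan", "action": "remote_logon", "target": "DC-01"},
    {"ts": "2023-03-22T03:01:00", "host": "SCAN-01", "account": "svc-scan", "action": "remote_logon", "target": "SQL-07"},
    {"ts": "2023-03-22T03:02:00", "host": "SCAN-01", "account": "svc-scan", "action": "remote_logon", "target": "BACKUP-02"},
]


def correlate(events, window_days=45, min_new_targets=3):
    """Flag accounts whose credentials were accessed and that later, within the
    window, log on to hosts they had never reached before the theft."""
    evs = sorted(
        ({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events),
        key=lambda e: e["ts"],
    )
    by_account = defaultdict(list)
    for e in evs:
        by_account[e["account"]].append(e)

    alerts = []
    for account, acct_events in by_account.items():
        for cred in (e for e in acct_events if e["action"] == "credential_access"):
            deadline = cred["ts"] + timedelta(days=window_days)
            # Baseline: where this account normally went before its credentials were taken.
            baseline = {
                e["target"] for e in acct_events
                if e["action"] == "remote_logon" and e["ts"] < cred["ts"]
            }
            new_hits = [
                e for e in acct_events
                if e["action"] == "remote_logon"
                and cred["ts"] < e["ts"] <= deadline
                and e["target"] not in baseline
            ]
            new_targets = sorted({e["target"] for e in new_hits})
            if len(new_targets) >= min_new_targets:
                alerts.append({
                    "account": account,
                    "credential_access_host": cred["host"],
                    "credential_access_at": cred["ts"].isoformat(),
                    "days_until_lateral_movement": (new_hits[0]["ts"] - cred["ts"]).days,
                    "new_targets": new_targets,
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

With the default 45-day window the jdoe account is flagged 20 days after the credential access; with a one-day window, the span most SIEM correlation rules default to, the same data produces no alert, which is the gap a brokered handoff slips through.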
Organizations should correlate IAB indicators, such as LAGTOY file hashes, with ransomware threat intelligence, since research shows that 89% of IAB victims are hit again within 45 days.
By viewing intrusions as cooperative efforts between threat actors, defenders can focus on breaking those relationships. This approach could change how cybersecurity teams respond to modern threats.