In May 2025, cybersecurity researchers from Cisco Talos and The Vertex Project announced a groundbreaking methodology to combat the rising trend of compartmentalized cyberattacks, where multiple threat actors collaborate to execute distinct stages of an intrusion.
This shift from single-actor campaigns to decentralized, multi-operator models has outgrown threat analysis frameworks built around a single actor, helping adversaries evade detection and complicating attribution.
The new approach, detailed in a joint whitepaper, integrates an extended Diamond Model with a “Relationship Layer” to map interactions between adversaries, infrastructure, capabilities, and victims across fragmented kill chains.
Compartmentalized attacks typically involve initial access brokers (IABs) like the financially motivated ToyMaker group, which specialize in infiltrating networks and selling access to ransomware operators or state-sponsored actors.
For example, in a 2023 campaign, ToyMaker deployed the custom LAGTOY backdoor to establish persistence in a victim’s environment, exfiltrated credentials, and later transferred control to the Cactus ransomware group.
Such handoffs create operational blind spots, as defenders often misattribute early-stage tactics (e.g., credential theft) to the final payload deployers.
Cisco Talos analysts identified that 67% of ransomware incidents in 2024 involved IABs, highlighting the critical need for updated threat-modeling frameworks.
“Compartmentalization isn’t just a tactic; it’s a business model,” noted Edmund Brumaghin, lead researcher at Cisco Talos.
“Adversaries now operate like supply chains, outsourcing delivery, tooling, and monetization. Defenders must track relationships, not just endpoints.”
Infection Mechanism: How Initial Access Brokers Seed Compromise
The ToyMaker group epitomizes the technical sophistication of modern IABs. Their attacks begin with spear-phishing campaigns distributing malicious ISO files disguised as invoices.
Once opened, these files execute a PowerShell script (deploy.ps1) that fetches a second-stage payload from a Traffic Distribution Service (TDS) operated by a third party.
The payload, LAGTOY, uses reflective DLL injection to bypass memory scanners and establishes persistence via a Windows Scheduled Task whose action launches an encoded PowerShell command:
# Scheduled Task action (powershell.exe command line) used for LAGTOY persistence, as shown in the article
# The -EncodedCommand blob is Base64 of UTF-16LE script text; this one decodes to: $batch = 'windows\system":1234';  (the final code unit of the blob is truncated)
powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -EncodedCommand JABiAGEAdABjAGgAIAA9ACAAJwB3AGkAbgBkAG8AdwBzAFwAcwB5AHMAdABlAG0AIgA6ADEAMgAzADQAJwA7
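A hunting routine for exactly this persistence pattern, written here as an added example (not code from the article, Cisco Talos, or The Vertex Project): it pulls the action command lines out of an exported Scheduled Task definition, decodes any -EncodedCommand payload (Base64 of UTF-16LE text), and flags the combination of an encoded payload with the quieting switches. The task XML is constructed for the example and embeds the article's launcher; the second action and the script path in it are invented, and the handling of an odd-length decode (the article's blob is missing its last code unit) is a pragmatic choice, not a PowerShell rule.

```python
"""Hunt for Base64-encoded PowerShell launchers in Scheduled Task actions."""
import base64
import re
import xml.etree.ElementTree as ET

# Namespace used by exported task definitions (schtasks /query /xml).
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; these are
# the spellings commonly seen. The capture group is the Base64 blob.
ENCODED_RE = re.compile(
    r"-(?:e|ec|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/]{16,}={0,2})",
    re.IGNORECASE,
)

# Each switch alone is common in legitimate automation; all of them next to an
# encoded command is the quiet-launcher pattern the article shows.
SUSPICIOUS_SWITCHES = {
    "noprofile": re.compile(r"-nop\w*", re.IGNORECASE),
    "bypass": re.compile(r"-e(?:p|x\w*)\s+bypass", re.IGNORECASE),
    "hidden": re.compile(r"-w(?:in\w*)?\s+hidden", re.IGNORECASE),
}


def decode_encoded_command(blob: str) -> str:
    """-EncodedCommand carries the script as Base64 of UTF-16LE text."""
    raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
    if len(raw) % 2:
        # An odd byte count means the blob lost its last code unit in transit
        # (the article's sample is truncated this way). Pad rather than drop
        # the final character so the analyst sees the whole statement.
        raw += b"\x00"
    return raw.decode("utf-16le", errors="replace")


def analyze_command_line(cmdline: str) -> dict:
    """Reveal what an encoded launcher hides and which quieting switches it uses."""
    match = ENCODED_RE.search(cmdline)
    decoded = decode_encoded_command(match.group(1)) if match else None
    switches = sorted(n for n, rx in SUSPICIOUS_SWITCHES.items() if rx.search(cmdline))
    return {
        "decoded": decoded,
        "switches": switches,
        # Encoded payload plus at least one quieting switch is worth a ticket.
        "suspicious": decoded is not None and bool(switches),
    }


def task_command_lines(task_xml: str) -> list:
    """Return '<Command> <Arguments>' for every Exec action in an exported task."""
    root = ET.fromstring(task_xml)
    lines = []
    for action in root.iterfind(".//t:Actions/t:Exec", TASK_NS):
        cmd = action.findtext("t:Command", default="", namespaces=TASK_NS)
        args = action.findtext("t:Arguments", default="", namespaces=TASK_NS)
        lines.append(f"{cmd} {args}".strip())
    return lines


def hunt_task(task_xml: str) -> list:
    """Analyze every action of a task; returns one result per action."""
    return [dict(cmdline=line, **analyze_command_line(line))
            for line in task_command_lines(task_xml)]


# Constructed sample task: the first action is the article's launcher, the
# second is an invented benign maintenance script. Real exports are UTF-16
# files with an XML declaration; read those as bytes before parsing.
SAMPLE_TASK_XML = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -EncodedCommand JABiAGEAdABjAGgAIAA9ACAAJwB3AGkAbgBkAG8AdwBzAFwAcwB5AHMAdABlAG0AIgA6ADEAMgAzADQAJwA7</Arguments>
    </Exec>
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-NoProfile -File C:\\Scripts\\rotate-logs.ps1</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for result in hunt_task(SAMPLE_TASK_XML):
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"[{flag}] {result['cmdline'][:60]}... switches={result['switches']}")
        if result["decoded"]:
            print("   decoded:", result["decoded"])
```

Run against a directory of exported tasks, the same `analyze_command_line` applies unchanged to process-creation telemetry (Sysmon event 1, Security 4688), which is where the launcher shows up once the task fires.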
LAGTOY’s command-and-control (C2) communication uses RC4 encryption with dynamic keys exchanged via HTTPS to evade signature-based detection.
The malware exfiltrates credentials over PuTTY (SSH), using private key files (.ppk) stored on compromised servers; the stolen credentials are then relayed to ransomware affiliates like Cactus.
Crucially, ToyMaker’s infrastructure, often bulletproof hosting services, is shared with unrelated threat actors, making IoC-based attribution unreliable.
The handoff to Cactus occurs after a 3-week dormancy period, during which ToyMaker scrubs traces of their activity.
Cactus operators then authenticate using stolen credentials, deploy lateral movement tools like SoftPerfect Network Scanner, and execute ransomware payloads.
This staggered approach, visualized in, exploits defenders’ tendency to treat intrusions as monolithic events.
Defensive Implications and the Role of the Relationship Layer
The extended Diamond Model addresses these challenges by annotating transactional relationships (e.g., “purchased from” or “handover from”) between threat actors.
For instance, in the extended Diamond Model, ToyMaker’s infrastructure is linked to Cactus’ operations via a broker relationship, enabling analysts to cluster indicators without conflating distinct adversaries.
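The relationship layer described above, as an added example that is not code from the whitepaper or either vendor: Diamond events keep their own adversary, infrastructure, capability and victim vertices, and a separate edge set carries the transactional relationship ("handover from"). Indicators therefore cluster per adversary, a kill chain for one victim can be walked across the handoff, and infrastructure used by more than one actor is surfaced as unreliable for attribution. All events, hashes, hosts and the third actor are constructed placeholders (RFC 5737 test addresses, `.example` domain).

```python
"""A small relationship layer over Diamond Model events (constructed data)."""
from collections import defaultdict
from dataclasses import dataclass

# Kill-chain phases in the order used to walk a victim's intrusion.
PHASE_ORDER = ["initial-access", "persistence", "credential-access",
               "lateral-movement", "impact"]


@dataclass(frozen=True)
class DiamondEvent:
    """One Diamond event: the four core features plus the indicators it carries."""
    adversary: str
    capability: str
    infrastructure: str
    victim: str
    phase: str
    indicators: frozenset


class RelationshipLayer:
    """Events stay per-adversary; edges record how actors hand work to each other."""

    def __init__(self):
        self.events = []
        self.edges = {}  # (actor, other_actor) -> label from actor's viewpoint

    def add_event(self, event: DiamondEvent) -> None:
        self.events.append(event)

    def relate(self, actor: str, other: str, label: str) -> None:
        """E.g. relate("Cactus", "ToyMaker", "handover from")."""
        self.edges[(actor, other)] = label

    def indicators_by_adversary(self) -> dict:
        """Cluster IoCs per actor; nothing leaks across the handoff."""
        out = defaultdict(set)
        for ev in self.events:
            out[ev.adversary] |= ev.indicators
        return dict(out)

    def shared_infrastructure(self) -> dict:
        """Infrastructure seen under more than one adversary: weak for attribution."""
        users = defaultdict(set)
        for ev in self.events:
            users[ev.infrastructure].add(ev.adversary)
        return {infra: actors for infra, actors in users.items() if len(actors) > 1}

    def kill_chain(self, victim: str) -> list:
        """Walk one victim's events in phase order, annotating actor changes."""
        evs = sorted((e for e in self.events if e.victim == victim),
                     key=lambda e: PHASE_ORDER.index(e.phase))
        steps, prev = [], None
        for ev in evs:
            if prev and prev != ev.adversary:
                label = (self.edges.get((ev.adversary, prev))
                         or self.edges.get((prev, ev.adversary))
                         or "unknown relationship")
                steps.append(f"--[{label}]-->")
            steps.append(f"{ev.adversary}:{ev.phase}")
            prev = ev.adversary
        return steps


def build_sample_layer() -> RelationshipLayer:
    """Constructed events mirroring the article's ToyMaker -> Cactus handoff."""
    bph = "bph-host-203.0.113.10"       # placeholder bulletproof host
    cactus_c2 = "cactus-c2-198.51.100.7"  # placeholder C2
    layer = RelationshipLayer()
    layer.add_event(DiamondEvent("ToyMaker", "LAGTOY backdoor", bph, "victim-corp",
                                 "initial-access", frozenset({"sha256:LAGTOY-PLACEHOLDER"})))
    layer.add_event(DiamondEvent("ToyMaker", "credential theft", bph, "victim-corp",
                                 "credential-access", frozenset({"ip:203.0.113.10"})))
    layer.add_event(DiamondEvent("Cactus", "SoftPerfect Network Scanner", cactus_c2,
                                 "victim-corp", "lateral-movement", frozenset({"ip:198.51.100.7"})))
    layer.add_event(DiamondEvent("Cactus", "Cactus ransomware", cactus_c2, "victim-corp",
                                 "impact", frozenset({"sha256:CACTUS-PLACEHOLDER"})))
    # An unrelated actor renting the same hosting: same IoC, different adversary.
    layer.add_event(DiamondEvent("UnrelatedActor", "commodity stealer", bph, "other-victim",
                                 "initial-access", frozenset({"domain:stealer.example"})))
    layer.relate("Cactus", "ToyMaker", "handover from")
    return layer


if __name__ == "__main__":
    layer = build_sample_layer()
    print(" ".join(layer.kill_chain("victim-corp")))
    print("shared infrastructure:", layer.shared_infrastructure())
```

The point of keeping the edge set apart from the events is that a LAGTOY hash stays a ToyMaker indicator even after Cactus takes over the same victim, while the shared bulletproof host is reported as evidence that cannot carry attribution on its own.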
Cisco Talos recommends hunting for asynchronous TTPs, such as credential dumping followed by anomalous lateral movement weeks later, to identify handoffs. Organizations are advised to correlate IAB-linked IoCs (e.g., LAGTOY hashes) with ransomware intelligence feeds, as 89% of IAB victims face secondary exploitation within 45 days.
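The asynchronous-TTP hunt recommended above, as an added example rather than a Talos detection: it pairs each credential-dump event with the first lateral-movement event from the same host that occurs after a dormancy gap, bounded below so that a single operator working continuously is not flagged and above by the article's 45-day secondary-exploitation window. The log format and every line in the sample are constructed; the seven-day lower bound is an assumption to tune per environment.

```python
"""Pair credential dumps with lateral movement weeks later (constructed data)."""
from datetime import datetime, timedelta

MIN_GAP = timedelta(days=7)   # assumption: shorter gaps look like one operator
MAX_GAP = timedelta(days=45)  # the article's 45-day secondary-exploitation window


def parse_events(lines) -> list:
    """Constructed log format: '<ISO timestamp> <host> <account> <technique>'."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, user, technique = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "user": user, "technique": technique})
    return sorted(events, key=lambda e: e["ts"])


def find_handoff_candidates(events, min_gap=MIN_GAP, max_gap=MAX_GAP) -> list:
    """For each dump, the earliest lateral movement from the same host inside the gap window."""
    dumps = [e for e in events if e["technique"] == "credential_dump"]
    moves = [e for e in events if e["technique"] == "lateral_movement"]
    candidates = []
    for dump in dumps:
        for move in moves:  # time-sorted, so the first hit is the earliest
            gap = move["ts"] - dump["ts"]
            if move["host"] == dump["host"] and min_gap <= gap <= max_gap:
                candidates.append({
                    "host": dump["host"],
                    "dump_at": dump["ts"], "dump_user": dump["user"],
                    "move_at": move["ts"], "move_user": move["user"],
                    "gap_days": gap.days,
                    # A different account picking up where the dump left off is
                    # the strongest sign that a second operator took over.
                    "operator_changed": move["user"] != dump["user"],
                })
                break
    return candidates


# Constructed timeline: a dump on the file server, noisy same-day activity by
# the same account, an unrelated host the next day, and a new account moving
# laterally from the dumped host three weeks later.
SAMPLE_LOG = """
# ts                   host      account      technique
2025-02-03T02:14:00    srv-fs01  svc_backup   credential_dump
2025-02-03T02:20:00    srv-fs01  svc_backup   exfil
2025-02-03T03:00:00    srv-fs01  svc_backup   lateral_movement
2025-02-04T09:00:00    ws-042    jsmith       lateral_movement
2025-02-25T23:41:00    srv-fs01  admin_jdoe   lateral_movement
2025-02-25T23:50:00    srv-fs01  admin_jdoe   lateral_movement
""".splitlines()

if __name__ == "__main__":
    for c in find_handoff_candidates(parse_events(SAMPLE_LOG)):
        print(f"{c['host']}: dump by {c['dump_user']} on {c['dump_at']:%Y-%m-%d}, "
              f"lateral movement by {c['move_user']} {c['gap_days']} days later "
              f"(operator changed: {c['operator_changed']})")
```

In production the two event streams would come from LSASS-access or credential-dumping detections and from logon telemetry (network and RDP logons, admin-share access) rather than a flat file, and the join key would usually be the host plus the account set that the dump exposed; the dormancy window is what turns two individually unremarkable alerts into a handoff signal.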
By reframing intrusions as collaborative ecosystems, defenders can prioritize disrupting adversary relationships, not just endpoints, marking a paradigm shift in cybersecurity strategy.