MonsterV2 phishing delivery and payload capabilities
Malware Activity
Summary
Hide ▲
Show ▼
TA585 is a newly identified cybercriminal group delivering MonsterV2 through its own phishing and malware infrastructure. Proofpoint says MonsterV2 was first advertised in February 2025, and TA585 uses compromised websites, fake CAPTCHA/ClickFix pages, and PowerShell to push infections. The activity later expanded into a GitHub-themed campaign that abused notifications and fake security alerts, with some attacks also distributing Rhadamanthys.
Related Happenings
Shai-Hulud PyPI supply-chain malware activity
Malware Activity
H score22
First: 08.06.2026 23:41
Last: 08.06.2026 23:41
Sources 1
About this happening:
The **Shai-Hulud** supply-chain malware compromised **19 PyPI packages**, turning routine installs into secret-stealing execution and putting **developer credentials** at risk. Th...
Shai-Hulud PyPI supply-chain malware activity
Malware ActivityAbout this happening: The **Shai-Hulud** supply-chain malware compromised **19 PyPI packages**, turning routine installs into secret-stealing execution and putting **developer credentials** at risk. Th...
WeedHack YouTube and SEO poisoning campaign targeting Minecraft players
Campaign
H score73
First: 03.06.2026 00:54
Last: 03.06.2026 00:54
Sources 1
About this happening:
**WeedHack** is a **Minecraft-focused malware-as-a-service (MaaS)** campaign that uses **YouTube** and **SEO poisoning** to push malicious **mods, clients, cheats, and utilities**...
WeedHack YouTube and SEO poisoning campaign targeting Minecraft players
CampaignAbout this happening: **WeedHack** is a **Minecraft-focused malware-as-a-service (MaaS)** campaign that uses **YouTube** and **SEO poisoning** to push malicious **mods, clients, cheats, and utilities**...
Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials
Campaign
H score56
First: 12.05.2026 14:29
Last: 12.05.2026 14:29
Sources 1
About this happening:
The **Shai-Hulud** **supply-chain campaign** now includes a fresh **PyPI** wave that compromised **19 packages** across **37 malicious releases**, with popular bioinformatics tool...
Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials
CampaignAbout this happening: The **Shai-Hulud** **supply-chain campaign** now includes a fresh **PyPI** wave that compromised **19 packages** across **37 malicious releases**, with popular bioinformatics tool...
Mini Shai-Hulud npm supply-chain malware wave
Malware Activity
H score68
First: 12.05.2026 14:07
Last: 12.05.2026 14:07
Sources 1
About this happening:
The **Mini Shai-Hulud** npm **malware activity** now includes the **Miasma** variant affecting **Microsoft GitHub repositories** in a self-replicating **supply-chain campaign**. O...
Mini Shai-Hulud npm supply-chain malware wave
Malware ActivityAbout this happening: The **Mini Shai-Hulud** npm **malware activity** now includes the **Miasma** variant affecting **Microsoft GitHub repositories** in a self-replicating **supply-chain campaign**. O...
Latest development: 09.06.2026 18:42
On June 5, Microsoft removed 73 repositories across its Azure, microsoft, Azure-Samples, and MicrosoftDocs organizations on GitHub after concerns about potential malicious content tied to the Miasma/Shai-Hulud supply-chain campaign. The action disrupted continuous integration pipelines and broke workflows that depended on Azure/functions-action, while Microsoft said it temporarily removed some repositories during its investigation.
Bluekit alliance reshapes ransomware ecosystem operations
Threat Actor Meta
H score25
First: 30.04.2026 21:58
Last: 30.04.2026 21:58
Sources 1
About this happening:
Bluekit's **AI-assisted** phishing kit has expanded into an **all-in-one** service, lowering the barrier for cybercriminal operators and signaling a more industrialized phishing m...
Bluekit alliance reshapes ransomware ecosystem operations
Threat Actor MetaAbout this happening: Bluekit's **AI-assisted** phishing kit has expanded into an **all-in-one** service, lowering the barrier for cybercriminal operators and signaling a more industrialized phishing m...
Latest development: 25.06.2026 18:00
Bluekit phishing-as-a-service added browser-in-the-middle (BitM) login theft and nearly 70 new hostnames over the past week. Netcraft said the kit now uses the open-source JavaScript library rrweb to serialize the page DOM and stream it over a WebSocket connection, while the live 5-second monitoring system and victim qualification checks remain in use.
Timeline
-
14.10.2025 08:28 3 articles · 8mo ago
TA585 and MonsterV2 disclosure
Initial DisclosureProofpoint researchers disclosed TA585 as a previously undocumented threat actor using phishing campaigns, web injections, IRS-themed lures, fake CAPTCHA/ClickFix pages, and malicious JavaScript injections to deliver MonsterV2, a malware family also called Aurotun Stealer. The campaign history described in the disclosure includes MonsterV2 being first observed advertised on criminal forums in February 2025, an earlier switch from Lumma Stealer to MonsterV2 in early 2025, and later attack waves in April 2025 that used legitimate websites with fake CAPTCHA overlays and PowerShell-based delivery.
Show sources
- Researchers Expose TA585’s MonsterV2 Malware Capabilities and Attack Chain — thehackernews.com — 14.10.2025 08:28
- Researchers Expose TA585’s MonsterV2 Malware Capabilities and Attack Chain — thehackernews.com — 14.10.2025 08:28
- Hacker Group TA585 Emerges With Advanced Attack Infrastructure — www.infosecurity-magazine.com — 14.10.2025 18:00