TA585 phishing, web-injection, and ClickFix campaign

Campaign
First reported
Last updated
Happening score: 39
2 unique sources, 2 articles

Summary

TA585 is running a phishing and web-injection campaign that uses IRS-themed lures, fake CAPTCHA/ClickFix pages, compromised websites, and bogus GitHub security notices to push users into installing malware. The operation matters because it combines multiple delivery paths across early 2025 and later 2025 attack waves to improve reach and reliability while steering victims toward payload execution. It has been linked to MonsterV2 delivery and to other payloads, including Rhadamanthys.

Related Happenings

Formbook phishing campaign using DLL sideloading and obfuscated JavaScript

Campaign
First: 20.04.2026 18:01 Last: 20.04.2026 18:01 Sources 1

About this happening: The **Formbook** phishing operation is targeting **Windows** organizations across **Greece, Spain, Slovenia, Bosnia, Croatia** and **South America**, using **DLL sideloading** and...

Venom Stealer MaaS continuous credential theft and exfiltration

Malware Activity
First: 01.04.2026 16:30 Last: 01.04.2026 16:30 Sources 1

About this happening: The **Venom Stealer** **malware-as-a-service** platform has been identified as a **credential-theft** threat that keeps exfiltrating data after infection, extending the window for...

TA416 European government espionage campaign

Campaign
First: 01.04.2026 15:05 Last: 01.04.2026 15:05 Sources 1

About this happening: TA416 has resumed **cyber espionage** activity, targeting **European governments** and **EU/NATO diplomatic missions** with a renewed malware-delivery operation that raises cross-...

Latest development: 03.04.2026 20:34

TA416 expanded its espionage campaign to Middle Eastern government and diplomatic entities after the outbreak of the U.S.-Israel-Iran conflict in late February 2026, while linking to archives hosted on Google Drive or a compromised SharePoint instance to refine its PlugX delivery chain and collect regional intelligence.

Compromised legitimate WordPress websites used to infect visitors with infostealer malware campaign expands across multiple victims

Campaign
First: 11.03.2026 16:45 Last: 11.03.2026 16:45 Sources 1

About this happening: A **global ClickFix campaign** is abusing compromised **WordPress** sites to push **infostealer malware** to visitors, putting credentials and financial data at risk. The operatio...

ClickFix compromised-site MIMICRAT campaign

Campaign
First: 20.02.2026 13:55 Last: 20.02.2026 13:55 Sources 1

About this happening: The **ClickFix campaign** is abusing **compromised legitimate sites** to deliver the **MIMICRAT** remote access trojan through a **multi-stage infection chain**, widening risk acr...

Timeline

  1. 14.10.2025 08:28 3 articles · 7mo ago

    TA585 delivers MonsterV2 through phishing and web injections

    Initial Disclosure

    TA585 uses phishing campaigns and web injections to deliver MonsterV2 through IRS-themed lures, fake CAPTCHA/ClickFix pages, malicious JavaScript injections on legitimate websites, and bogus GitHub security notices; the malware can steal data, act as a clipper, establish HVNC, execute commands, and download additional payloads.