TA585 Using MonsterV2 in Phishing Campaigns
Summary
TA585, a sophisticated threat actor, has been actively delivering the MonsterV2 malware via phishing campaigns since February 2025. The group manages its own infrastructure and employs multiple delivery techniques, including IRS and SBA-themed lures, malicious JavaScript injections, and fake CAPTCHA verifications. MonsterV2, also known as Aurotun Stealer, is a versatile malware capable of stealing sensitive data, acting as a clipper, establishing remote control, and executing commands from a C2 server. The malware is sold by a Russian-speaking actor and is typically packed using a C++ crypter called SonicCrypt to evade detection. TA585's campaigns have also included GitHub-themed lures and the distribution of other malware, such as Rhadamanthys. MonsterV2 avoids infecting systems in Commonwealth of Independent States (CIS) countries.
Timeline
- 14.10.2025 08:28 (2 articles)
  TA585 Delivers MonsterV2 via Phishing Campaigns
  TA585 has been observed delivering the MonsterV2 malware via sophisticated phishing campaigns since February 2025. The campaigns use IRS and SBA-themed lures, malicious JavaScript injections, and fake GitHub notifications to trick users into activating the infection. The malware is sold by a Russian-speaking actor and is packed using SonicCrypt to evade detection. MonsterV2 can steal sensitive data, act as a clipper, establish remote control, and execute commands from a C2 server. TA585's campaigns have also included GitHub-themed lures and the distribution of other malware, such as Rhadamanthys. The malware is written in C++, Go, and TypeScript, featuring robust encryption and self-protection measures.
  Sources:
  - Researchers Expose TA585’s MonsterV2 Malware Capabilities and Attack Chain — thehackernews.com — 14.10.2025 08:28
  - Hacker Group TA585 Emerges With Advanced Attack Infrastructure — www.infosecurity-magazine.com — 14.10.2025 18:00
Information Snippets
- TA585 is a threat actor that manages its own infrastructure, delivery, and malware installation.
  First reported: 14.10.2025 08:28 (2 sources, 2 articles)
  - Researchers Expose TA585’s MonsterV2 Malware Capabilities and Attack Chain — thehackernews.com — 14.10.2025 08:28
  - Hacker Group TA585 Emerges With Advanced Attack Infrastructure — www.infosecurity-magazine.com — 14.10.2025 18:00
- MonsterV2 is a remote access trojan (RAT), stealer, and loader.
  First reported: 14.10.2025 08:28 (2 sources, 2 articles)
  - Researchers Expose TA585’s MonsterV2 Malware Capabilities and Attack Chain — thehackernews.com — 14.10.2025 08:28
  - Hacker Group TA585 Emerges With Advanced Attack Infrastructure — www.infosecurity-magazine.com — 14.10.2025 18:00
- MonsterV2 is also known as Aurotun Stealer and has been distributed via CastleLoader.
  First reported: 14.10.2025 08:28 (2 sources, 2 articles)
  - Researchers Expose TA585’s MonsterV2 Malware Capabilities and Attack Chain — thehackernews.com — 14.10.2025 08:28
  - Hacker Group TA585 Emerges With Advanced Attack Infrastructure — www.infosecurity-magazine.com — 14.10.2025 18:00
- Phishing campaigns use IRS-themed lures and fake CAPTCHA verifications to deliver MonsterV2.
  First reported: 14.10.2025 08:28 (2 sources, 2 articles)
  - Researchers Expose TA585’s MonsterV2 Malware Capabilities and Attack Chain — thehackernews.com — 14.10.2025 08:28
  - Hacker Group TA585 Emerges With Advanced Attack Infrastructure — www.infosecurity-magazine.com — 14.10.2025 18:00
- MonsterV2 is sold by a Russian-speaking actor for $800 USD per month for the 'Standard' edition and $2,000 USD per month for the 'Enterprise' version.
  First reported: 14.10.2025 08:28 (2 sources, 2 articles)
  - Researchers Expose TA585’s MonsterV2 Malware Capabilities and Attack Chain — thehackernews.com — 14.10.2025 08:28
  - Hacker Group TA585 Emerges With Advanced Attack Infrastructure — www.infosecurity-magazine.com — 14.10.2025 18:00
- MonsterV2 is packed using a C++ crypter called SonicCrypt to evade detection.
  First reported: 14.10.2025 08:28 (1 source, 1 article)
  - Researchers Expose TA585’s MonsterV2 Malware Capabilities and Attack Chain — thehackernews.com — 14.10.2025 08:28
- MonsterV2 avoids infecting systems in Commonwealth of Independent States (CIS) countries.
  First reported: 14.10.2025 08:28 (2 sources, 2 articles)
  - Researchers Expose TA585’s MonsterV2 Malware Capabilities and Attack Chain — thehackernews.com — 14.10.2025 08:28
  - Hacker Group TA585 Emerges With Advanced Attack Infrastructure — www.infosecurity-magazine.com — 14.10.2025 18:00
- MonsterV2 can steal sensitive data, act as a clipper, establish remote control, and execute commands from a C2 server.
  First reported: 14.10.2025 08:28 (2 sources, 2 articles)
  - Researchers Expose TA585’s MonsterV2 Malware Capabilities and Attack Chain — thehackernews.com — 14.10.2025 08:28
  - Hacker Group TA585 Emerges With Advanced Attack Infrastructure — www.infosecurity-magazine.com — 14.10.2025 18:00
- TA585's campaigns began in February 2025, using IRS and SBA-themed lures with the ClickFix technique to deliver MonsterV2.
  First reported: 14.10.2025 18:00 (1 source, 1 article)
  - Hacker Group TA585 Emerges With Advanced Attack Infrastructure — www.infosecurity-magazine.com — 14.10.2025 18:00
- TA585 uses compromised websites to host malicious JavaScript and employs a fake CAPTCHA overlay for delivery.
  First reported: 14.10.2025 18:00 (1 source, 1 article)
  - Hacker Group TA585 Emerges With Advanced Attack Infrastructure — www.infosecurity-magazine.com — 14.10.2025 18:00
- TA585 expanded its attack channels in 2025 with a GitHub-themed campaign exploiting the platform's notification system.
  First reported: 14.10.2025 18:00 (1 source, 1 article)
  - Hacker Group TA585 Emerges With Advanced Attack Infrastructure — www.infosecurity-magazine.com — 14.10.2025 18:00
- MonsterV2 is written in C++, Go, and TypeScript, featuring robust encryption and self-protection measures.
  First reported: 14.10.2025 18:00 (1 source, 1 article)
  - Hacker Group TA585 Emerges With Advanced Attack Infrastructure — www.infosecurity-magazine.com — 14.10.2025 18:00
- MonsterV2 includes capabilities such as remote desktop control through HVNC, webcam recording, and screenshot capture.
  First reported: 14.10.2025 18:00 (1 source, 1 article)
  - Hacker Group TA585 Emerges With Advanced Attack Infrastructure — www.infosecurity-magazine.com — 14.10.2025 18:00
- Proofpoint observed ongoing development of MonsterV2, with frequent updates and minor fixes.
  First reported: 14.10.2025 18:00 (1 source, 1 article)
  - Hacker Group TA585 Emerges With Advanced Attack Infrastructure — www.infosecurity-magazine.com — 14.10.2025 18:00
Similar Happenings
WordPress Sites Exploited for ClickFix Phishing Attacks
WordPress sites are being exploited to inject malicious JavaScript that redirects users to phishing pages. The attacks use a theme-related file to load a dynamic payload from a remote server, which includes a JavaScript file and a hidden iframe mimicking legitimate Cloudflare assets. The domain involved is part of a traffic distribution system (TDS) known as Kongtuke. The campaign highlights the need for securing WordPress sites and keeping software up-to-date.

Additionally, a new phishing kit named IUAM ClickFix Generator allows attackers to create customizable phishing pages mimicking browser verification challenges. This kit has been used to deploy information stealers like DeerStealer and Odyssey Stealer. The emergence of such tools lowers the barrier to entry for cybercriminals, enabling sophisticated, multi-platform attacks.

A new ClickFix campaign employs cache smuggling to evade detection, using the browser's cache to store malicious data without downloading files or communicating with the internet. The attack masquerades as a Fortinet VPN Compliance Checker, executing an obfuscated payload via a PowerShell script.
Raven Stealer Exfiltrates Chromium Data via Telegram
Raven Stealer, a new lightweight infostealer, targets Chromium-based browsers and other applications to steal credentials and sensitive data. It uses Telegram for exfiltration, evading conventional security filters. The malware is distributed via underground forums and cracked software, posing a threat to both personal and enterprise environments. It operates with minimal user interaction and maintains a high level of operational concealment. Raven Stealer harvests cookies, autofill entries, browsing history, and other data from Chromium-based browsers like Google Chrome and Microsoft Edge. It also steals credentials from other applications and performs real-time data exfiltration via integration with a Telegram bot. The malware is promoted via a dedicated Telegram channel, integrating the chat app for command-and-control operations.
UNC5518 Access-as-a-Service Campaign via ClickFix and Fake CAPTCHA Pages
The FileFix social engineering attack, a variant of the ClickFix family, impersonates Meta account suspension warnings to trick users into installing the StealC infostealer malware. The campaign has evolved over two weeks with different payloads, domains, and lures, indicating an attacker testing and adapting their infrastructure. The FileFix technique, created by red team researcher mr. d0x, uses the address bar in File Explorer to execute malicious commands. The campaign employs steganography to hide a second-stage PowerShell script and encrypted executables inside a JPG image, which is believed to be AI-generated. The StealC malware targets credentials from various applications, cryptocurrency wallets, and cloud services, and can take screenshots of the active desktop. The FileFix attack uses a multilingual phishing site to trick users into executing a malicious command via the File Explorer address bar. The attack leverages Bitbucket to host the malicious components, abusing a legitimate source code hosting platform to bypass detection. The attack involves a multi-stage PowerShell script that downloads an image, decodes it into the next-stage payload, and runs a Go-based loader to launch StealC. The attack uses advanced obfuscation techniques, including junk code and fragmentation, to hinder analysis efforts. The FileFix attack is more likely to be detected by security products due to the payload being executed by the web browser used by the victim. The FileFix attack demonstrates significant investment in tradecraft, with carefully engineered phishing infrastructure, payload delivery, and supporting elements to maximize evasion and impact.

The MetaStealer attack, a variant of the ClickFix family, uses a fake Cloudflare Turnstile lure and an MSI package disguised as a PDF to deploy the MetaStealer infostealer malware. The attack involves a multi-stage infection chain that includes a DLL sideloading technique using a legitimate SentinelOne executable. The MetaStealer attack targets crypto wallets and other sensitive information, using a combination of social engineering and technical evasion techniques to deploy malware.

Previously, threat actors tracked as UNC5518 leveraged a social engineering tactic called ClickFix to deploy the CORNFLAKE.V3 backdoor. The campaign used fake CAPTCHA pages to trick users into executing malicious PowerShell scripts, providing initial access to systems. This access was then monetized by other threat groups, including UNC5774 and UNC4108, which deployed additional payloads. The attack began with users interacting with compromised search results or malicious ads, leading them to fake CAPTCHA pages. Users were then tricked into running a malicious PowerShell command, which downloaded and executed the CORNFLAKE.V3 backdoor. This backdoor supported various payload types and could collect system information, which was transmitted via Cloudflare tunnels to evade detection. CORNFLAKE.V3 is an updated version of CORNFLAKE.V2, featuring host persistence and additional payload support. The campaign also involved the deployment of WINDYTWIST.SEA, a backdoor that supports lateral movement within infected networks.