Cybersecurity researchers have shed light on a previously undocumented threat actor called TA585 that has been observed delivering an off-the-shelf malware called MonsterV2 via phishing campaigns.
The Proofpoint Threat Research Team described the threat activity cluster as sophisticated, leveraging web injections and filtering checks as part of its attack chains.
“TA585 is notable because it appears to own its entire attack chain with multiple delivery techniques,” researchers Kyle Cucci, Tommy Madjar, and Selena Larson said. “Instead of leveraging other threat actors – like paying for distribution, buying access from initial access brokers, or using a third-party traffic delivery system – TA585 manages its own infrastructure, delivery, and malware installation.”
MonsterV2 is a remote access trojan (RAT), stealer, and loader, which Proofpoint first observed being advertised on criminal forums in February 2025. It’s worth noting that MonsterV2 is also called Aurotun Stealer (a misspelling of “autorun”) and has been previously distributed via CastleLoader (aka CastleBot).
Phishing campaigns distributing the malware have been observed using U.S. Internal Revenue Service (IRS) themed lures to trick users into clicking on fake URLs that direct to a PDF, which, in turn, links to a web page employing the ClickFix social engineering tactic to activate the infection by running a malicious command in the Windows Run dialog or PowerShell terminal. The PowerShell command is designed to execute a next-stage PowerShell script that deploys MonsterV2.
Subsequent attack waves detected in April 2025 have resorted to malicious JavaScript injections on legitimate websites that serve fake CAPTCHA verification overlays to initiate the attack via ClickFix, ultimately leading to the delivery of the malware via a PowerShell command.
Initial iterations of this campaign distributed Lumma Stealer, before TA585 switched to MonsterV2 in early 2025. Interestingly, the JavaScript inject and the associated infrastructure (intlspring[.]com) have also been linked to the distribution of Rhadamanthys Stealer.
A third set of campaigns undertaken by TA585 has made use of email notifications from GitHub that are triggered when tagging GitHub users in bogus security notices that contain URLs leading to actor-controlled websites.
Both the activity clusters – that revolve around web injects and phony GitHub alerts — have been associated with CoreSecThree, which, according to PRODAFT, is a “sophisticated framework” that’s known to be active since February 2022 and has been “consistently” used to propagate stealer malware.
MonsterV2 is a full-featured malware that can steal sensitive data, act as a clipper by replacing cryptocurrency addresses in the infected systems’ clipboard with threat actor-provided wallet addresses, establish remote control using Hidden Virtual Network Computing (HVNC), receive and execute…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
