Proofpoint has identified TA585 as a recently named cybercriminal threat actor that manages its entire cyber attack chain, including infrastructure, delivery, and malware installation.
Proofpoint researchers noted that TA585 operates with a high level of control over its campaigns, opting not to rely on third-party actors or platforms common in the cybercrime landscape. Instead, TA585 manages each step, from its malicious infrastructure to the actual delivery of malware, setting it apart in an ecosystem increasingly resembling the legitimate gig economy model. While TA585 controls much of its process, it sources its final malware payload from so-called Malware as a Service (MaaS) providers, such as Lumma Stealer, Rhadamanthys, and MonsterV2.
Threat actor actions
TA585 first came to the attention of Proofpoint researchers through campaigns observed from April 2025 onwards. These campaigns used unique web injects on legitimate but compromised websites to distribute malware to targets. The injections simulate fake CAPTCHA overlays, instructing visitors to manually run malicious PowerShell commands, a method commonly identified as the “ClickFix” technique. This method has previously been seen in U.S. government-themed lures, such as those imitating the Internal Revenue Service (IRS) or Small Business Administration (SBA), but these earlier incidents were not attributed to TA585.
According to Proofpoint, TA585’s targeting is primarily aimed at finance and accounting firms.
Its web inject campaigns also incorporate sophisticated filtering, ensuring only selected visitors are exposed to the malicious overlays. In addition to web injects, TA585 has been connected to GitHub-themed campaigns where legitimate users are tagged in fake security notices within GitHub issues. The resultant notification emails then contain shortened URLs leading to TA585-controlled websites, which use similar filtering and ClickFix strategies to deliver additional malware payloads such as Rhadamanthys.
Malware capabilities
Proofpoint’s research highlighted MonsterV2 as a common payload deployed by TA585, though the actor is not itself the developer of this malware. MonsterV2 was first observed for sale on hacking forums in February 2025. It is sold to various cybercriminal groups and not exclusive to TA585. MonsterV2 is a multi-functional tool with remote access trojan (RAT), stealer, and loader features, reflecting its higher cost compared to many peer malware families.
MonsterV2’s capabilities include exfiltrating sensitive information from compromised machines, such as browser history, login credentials, credit card details, cryptocurrency wallets, and tokens for platforms such as Steam, Telegram, or Discord. It can also display or record the system’s desktop and webcam, manipulate files, and perform a host of additional functions. The malware avoids infecting systems located in Commonwealth of Independent States (CIS) countries, a feature built into its configuration.
Developed in C++, Go, and TypeScript, MonsterV2 is under continual development. Its commercial price ranges from USD $800 per month for a “Standard” licence up to USD $2,000 per month for “Enterprise” versions, reflecting its broad set of malicious functionalities and ongoing maintenance. The malware uses self-written obfuscation techniques, a scalable architecture, and undergoes frequent updates. According to Proofpoint, it is “actively maintained and updated, featuring self-written obfuscation, robust architecture for scalability, and rigorous testing.”
Technical details
MonsterV2 is frequently protected with SonicCrypt, a C++ crypter specifically designed to impede malware analysis and enhance evasion. SonicCrypt adds junk code, performs environmental checks, and can attempt to bypass Windows security features such as User Account Control (UAC). Once executed, the malware decrypts its code using the ChaCha20 algorithm and seeks to establish persistence by requesting elevated system privileges and generating a unique system mutex.
The configuration for MonsterV2 is encrypted and decrypted at runtime, specifying operational parameters such as anti-debugging controls, persistence mechanisms, command and control (C2) server addresses, and cryptographic keys. Post-execution, the malware communicates with its C2 infrastructure over encrypted and compressed channels, and can perform a wide range of commands remotely, including launching further payloads, initiating hidden remote desktop sessions (HVNC), running keyloggers, and more. Proofpoint researchers listed its features as including “downloading and executing additional payloads (e.g., StealC Version 2, Remcos)”, and the ability for it to “receive and execute a wide variety of commands from its Command and Control (C2) server.”
The SonicCrypt crypter further attempts to ensure the malware’s persistence and stealth, sometimes adding the malicious file to Windows Defender exclusions and scheduling it via the Windows Task Scheduler.
Ongoing risks
TA585 stands out as a unique and sophisticated threat actor, demonstrating advanced capabilities in targeting, delivery, and malware installation. Its effective strategies, including custom web injects and filtering, highlight the evolving cybercrime landscape. MonsterV2, a multi-capability malware favoured by TA585 and other actors, exemplifies the trend of comprehensive malware families emerging to fill gaps in the criminal ecosystem. Proofpoint anticipates continued emergence of such sophisticated malware. To mitigate these threats, Proofpoint recommends training users to recognise the ClickFix technique and restricting non-administrative users from executing PowerShell commands.
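To show what the ClickFix chain described above and the PowerShell restriction recommended here look like in endpoint telemetry, the following is an added Python example (not Proofpoint's tooling and not code from the report) that scans constructed Sysmon-style process-creation records. The field names follow Sysmon Event ID 1; every user, path, URL and the admin allowlist are made up for this example.

```python
import re
from typing import Dict, List, Set

# Constructed process-creation events (Sysmon Event ID 1 field names, invented values).
SAMPLE_EVENTS = [
    r'User=CORP\jdoe ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=powershell.exe -WindowStyle Hidden -Command "... https://captcha.example.invalid/verify ..."',
    r'User=CORP\svc-build ParentImage=C:\Windows\System32\cmd.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\build\deploy.ps1',
    r'User=CORP\asmith ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=powershell.exe -NoExit',
]

# Constructed allowlist of accounts permitted to run PowerShell (lower-case DOMAIN\user).
POWERSHELL_ADMINS: Set[str] = {r"corp\svc-build", r"corp\it-admin"}

INTERACTIVE_PARENTS = {"explorer.exe"}          # Run dialog / Start menu launches
URL_RE = re.compile(r"https?://", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> Dict[str, str]:
    # key=value pairs; the last value (CommandLine) may contain spaces.
    return dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", line))


def assess(event: Dict[str, str], admins: Set[str]) -> List[str]:
    """Return the reasons this event deserves review (empty list = nothing to flag)."""
    reasons: List[str] = []
    if basename(event.get("Image", "")) not in {"powershell.exe", "pwsh.exe"}:
        return reasons
    cmd = event.get("CommandLine", "")
    parent = basename(event.get("ParentImage", ""))
    # ClickFix: the victim pastes the command into the Run dialog, so PowerShell's
    # parent is the desktop shell and the pasted text points at a remote URL.
    if parent in INTERACTIVE_PARENTS and URL_RE.search(cmd):
        reasons.append("PowerShell started from the desktop shell with a URL on the command line")
    if HIDDEN_RE.search(cmd):
        reasons.append("hidden window requested")
    if ENCODED_RE.search(cmd):
        reasons.append("encoded command supplied")
    # Policy check matching the recommendation to keep PowerShell away from non-admin users.
    user = event.get("User", "")
    if user.lower() not in admins:
        reasons.append(f"non-administrative account {user} ran PowerShell")
    return reasons


def scan(lines: List[str], admins: Set[str]) -> Dict[int, List[str]]:
    """Map the index of each flagged record to its review reasons."""
    return {i: r for i, line in enumerate(lines) if (r := assess(parse_event(line), admins))}


if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS, POWERSHELL_ADMINS).items():
        print(idx, "->", "; ".join(reasons))
```

Record 1 (a build account running a local script from cmd.exe) produces no reasons, while the first record trips both the ClickFix pattern and the non-admin policy check.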
