When the monster bytes: tracking TA585 and its arsenal

October 14, 2025 Yanac

Key findings

TA585 is a sophisticated cybercriminal threat actor recently named by Proofpoint. It operates its entire attack chain from infrastructure to email delivery to malware installation.
The actor demonstrates innovation in a constantly changing cybercrime threat landscape, with unique web injection campaigns and complicated filtering.
TA585 frequently delivers MonsterV2, a malware with numerous capabilities sold on cybercriminal forums. It is not sold by TA585, and has multiple cybercriminal customers.
MonsterV2 has capabilities of a remote access trojan (RAT), loader, and stealer. It avoids infecting computers in Commonwealth of Independent States (CIS) countries.

Overview

As the cybercrime landscape continues to innovate, new threat actors and capabilities are emerging. One new cybercriminal threat actor, TA585, operates with a high level of sophistication and delivers a variety of malware including the recently released MonsterV2.

MonsterV2 is advertised as a remote access trojan (RAT), stealer, and loader. It is expensive compared to its peer malware families, and used by only a small number of actors, including TA585. Proofpoint researchers first observed it sold on hacking forms in February 2025.

TA585 is notable because it appears to own its entire attack chain with multiple delivery techniques. Instead of leveraging other threat actors – like paying for distribution, buying access from initial access brokers, or using a third-party traffic delivery system – TA585 manages its own infrastructure, delivery, and malware installation. The evolution of cybercrime and its supporting ecosystem has made the threat landscape comparable to the modern job market and the “gig economy.” However, TA585 bucks that trend and owns and manages nearly all of its business model, except the final malware which is sourced from a MaaS (Malware as a Service) such as Lumma Stealer, Rhadamanthys or MonsterV2.

This report details both the newly named TA585 as well as the MonsterV2 malware, which is used by multiple actors. While TA585 is one customer of MonsterV2, it is not the malware author, and multiple threat actors use it in campaigns.

Campaign details

Government impersonation

Proofpoint first observed MonsterV2 in a late February 2025 campaign leveraging U.S. Internal Revenue Service (IRS) themed lures. Messages contained URLs linking to a PDF which would open in the browser. The PDF linked to a webpage that was using the ClickFix technique, a technique named by Proofpoint in June 2024, which lures visitors to manually run a malicious command in the Windows Run-box or PowerShell terminal.

SBA themed PDF.

IRS Themed ClickFix Landing leading to MonsterV2, observed on 26 February 2025.

ClickFix themed landing leading to MonsterV2.

If the user copied and pasted the PowerShell script as instructed, it executed a second PowerShell script ultimately leading to MonsterV2.

Proofpoint observed two more U.S. government-themed MonsterV2 campaigns in March 2025, one impersonating the IRS and a second impersonating the Small Business Administration. Both campaigns included less than 200 messages and mostly targeted finance and accounting firms. None of the campaigns are attributed to a tracked threat actor.

TA585 campaigns

In April 2025, Proofpoint researchers investigated an interesting vector: unique web injects and activity we named “CoreSecThree” based on domain names and infrastructure. The actor registers and maintains its own domain names and uses Cloudflare hosting infrastructure. Initial campaigns delivered Lumma Stealer, but the actor began using MonsterV2 in early May 2025.

TA585 activity is typically distributed via compromised websites. Proofpoint detects the threat by sandboxing URLs from business email messages that lead to legitimate websites that have been compromised to serve malware to selected visitors. Although neither the sender nor the site owner may intend harm, the websites have been compromised with a malicious JavaScript injection. This injection causes the website to load a malicious script which, in campaigns so far this year, is used to create an overlay of the compromised website to present a fake CAPTCHA (ClickFix) instructing users to verify they are human. Unlike some other web inject campaigns that rely on third-party traffic distribution systems, TA585 does its own filtering and checks to ensure a real person is receiving the payload.

Example TA585 JavaScript inject.

ClickFix overlay on compromised website.

This attack chain is able to react on the “Win+R” activity from the user with an actual “reaction” from the website upon completing it. Once the user clicks the “Verify you are human” they are prompted to complete the “Win+R” action:

“Verification” page owned by the threat actor.

Following the instructions will initiate a PowerShell command that downloads and executes malware. Meanwhile, the page starts beaconing repetitively to the lure server which will reply with: “Access denied” until the PowerShell script finishes downloading and running, and the malware is checking in to the payload server from the same IP address that is loading the web page. The user is then redirected to the actual website (with /?verified=true,).

Traffic on the compromised site; the user is redirected once their IP is confirmed.

Proofpoint has observed the above JavaScript inject and infrastructure (intlspring[.]com) delivering two different malware payloads: MonsterV2 and Rhadamanthys.

GitHub themed campaigns

While the majority of the TA585 malware payloads are distributed via web injects, Proofpoint has also observed it delivered via emails such as notifications from GitHub caused by the threat actor tagging GitHub users in fake security notices that contain URLs leading to actor-controlled websites. Third-party researchers have observed TA585 activity delivered via malvertising.

In August 2025, Proofpoint identified a unique TA585 attack chain leveraging GitHub notifications to deliver Rhadamanthys. We first spotted this post by ANY.RUN about ClickFix delivering Rhadamanthys and began investigating.

We identified GitHub notification emails that kicked off the attack chain. The emails were likely generated by the threat actor creating an issue in an actor-controlled repository with a fake security warning and then tagging legitimate accounts who receive notifications that they have been tagged, with the text from the issue.

GitHub notification email generated by the threat actor.

The notifications contained shortened URLs that led to an actor-controlled website. Like TA585’s typical web inject campaigns, the website performed filtering functions, and if those checks were passed, the visitor will be redirected to a website that presents a fake GitHub-branded CAPTCHA instructing users to verify they are human.

GitHub themed web page, using the typical CoreSecThree filtering and beaconing techniques.

Following the instructions initiated a command that downloaded and executed Rhadamanthys.

MonsterV2 malware details

MonsterV2 is advertised as a RAT, stealer, and loader. It is full-featured and has many capabilities that allow it to perform varying functions during a breach. Proofpoint has observed MonsterV2 acting either primarily as a stealer or as a loader, dropping malware such as StealC Version 2. While Proofpoint observes TA585 using MonsterV2, it is also used by other cybercriminal threat actors.

MonsterV2 has the following capabilities:

Able to enumerate and exfiltrate sensitive information such as browser and login data, credit card and crypto wallet information, login data, and tokens for services such as Steam, Telegram, and Discord, files and documents, as well as other data typical of infostealers
View the infected systems’ desktop and record the webcam
Clipper capabilities (essentially replacing cryptocurrency addresses in the infected systems’ clipboard with threat actor-provided addresses)
HVNC (Hidden Virtual Network Computing) – Allows the threat actor to establish a remote desktop-like connection to the infected system, giving graphical user interface access without alerting the user of the infected system
Receive and execute a wide variety of commands from its C2
Download and execute additional payloads
Avoids infecting CIS countries: Russia, Belarus, Ukraine, Kazakhstan, Uzbekistan, Turkmenistan, Kyrgyzstan, Armenia, Tajikistan, Moldova, Latvia, Lithuania, and Estonia

MonsterV2 has been advertised on criminal hacking forums, as seen in the following post excerpt:

MonsterV2 advertisement.

Here is an excerpt of the translation (from Russian, using Google Translate) of the original advertisement of MonsterV2:

Languages used in development: C++ for the client (build), Go and TypeScript for the server logic and panel
The build has built-in RAII wrappers over handles and pointers throughout to prevent memory leaks and UB
Wherever threads are used, the thread-safety concept is observed
Self-written obfuscator and source code generator through direct modification of AST
Build has no dependencies on various additionally installed runtimes and runs even on clean systems
Automatic privilege escalation and modern approaches to evade detection
Before release, the code is run through sanitizers, linters and autotests. Coverage close to 100%
Functionality testing of features is carried out on real machines under conditions as close as possible to «field» ones.
A professional approach to creating an architecture that ensures high scalability and performance
Current modules list: File Manager, Process Manager, Resident Loader, Webcam Recorder, Remote Desktop (HVNC), Remote CMD/PowerShell (read the description of each module below; the number of modules will increase as the project is updated)
To communicate with the C2 server, a raw TCP connection is used with a small add-on on top in the form of an exchange of encryption keys with two-way authentication (analogous to SSL/TLS)
If the connection is lost, the bot will try to restore the connection (reconnect)
The panel is written in a convenient and minimalistic style, so that users do not get distracted, but at the same time maintain good UX
The panel supports Russian and English localizations
Real-time UI updates
One-click installation and intuitive settings

The malware is sold in tiered options, with pricing for one week, two week, or month-long use. The “Standard” version costs $800 USD per month, while the “Enterprise” version that includes a stealer, loader, HVNC, and HCDP (Chrome developer tools) costs $2,000 per month. To compare that with another common stealer, Rhadamanthys is advertised for $199 per month.

Proofpoint has observed that MonsterV2 is actively being maintained and updated, even with minor and “cosmetic” updates. For example, Proofpoint identified the following string in earlier versions of the malware (with a misspelling of the word “terminate”):

Misspelled “terminate” string.

This was fixed in later versions of the malware:

Fixed string spelling.

Behavior

Analyst Note: Prior to execution, MonsterV2 may be decrypted and loaded via another malware called SonicCrypt. This crypter will be detailed later in this report.

Once executed on the target system, MonsterV2 executes the following actions:

Initialization

It first decrypts and resolves several Windows API functions it requires. Each library and function name string is decrypted using a unique ChaCha20 key, which complicates reverse engineering and static analysis. The ChaCha20 functionality is discussed later in this report.

Next, MonsterV2 attempts to elevate its privileges on the system by requesting many permissions, such as the following (this list is not exhaustive). These permissions also hint at the malware’s functionality:

SeDebugPrivilege – Processes that obtain this privilege are potentially able to read and modify the memory of other processes, elevate privileges and bypass security controls, among other things. This is a common privilege that malware may request
SeTakeOwnershipPrivilege – Processes with this privilege can modify object permissions and effectively bypass restrictions, commonly leveraged in privilege escalation scenarios
SeIncreaseBasePriorityPrivilege – Allows changing the base priority of a process, influencing its CPU scheduling
SeIncreaseWorkingSetPrivilege – Permits raising a process’s working set, allocating more physical memory for its operations, and improving performance
SeSecurityPrivilege – Required to view/edit the security event log
SeShutdownPrivilege – Lets processes shut down the system

Additionally, MonsterV2 will optionally create a mutex on the infected system, in the format “Mutant-<unique_id_64_characters>”. Here are a few examples:

Mutant-5B7C3E6F9D8A1F42BCDE0347FA8C9E12D13A4597628F6BD57C4E81A9670D3F5A
Mutant-A8F1D32C497EB560C9A21D87F34EB70591D2C864EAF53BD7906C12F8D4E39BAF
Mutant-93D8FE2065BCA71BEF2486AD7FA0C935ECC27104ABF9E6531875F22CB40D9E8F

This mutex creation and format is a good indicator for threat hunting.

Configuration decryption

MonsterV2 then decrypts its config, which is stored as an encrypted blob in the binary. The config is decrypted using ChaCha20, and then decompressed using an embedded ZLib decompression library. The malware seems to make use of the LibSodium (https://doc[.]libsodium[.]org/) library for encryption/decryption.

Below are some examples of a decrypted MonsterV2 configuration:

MonsterV2 config examples.

In a later sample we analyzed, MonsterV2 supported multiple C2s also in the form of domains instead of just IP addresses:

MonsterV2 config example, with four C2 domains.

The configuration consists of the following values:

Value

Description

anti_dbg

If set to “True”, the malware attempts to detect and evade debuggers in use. In the samples we analyzed, we did not witness this value being anything other than “False”

anti_sandbox

If set to “True”, the malware attempts to detect sandboxes and execute some rudimentary anti-sandbox techniques. In the samples we analyzed, we did not witness this value being anything other than “False”

aurotun (misspelling of “autorun”)

If set to “True”, the malware attempts to establish persistence

build_name

The build name of the malware, which could be used to cluster campaigns and potentially threat actors

disable_mutex

If set to “True”, the malware does not create a mutex on the host

ip / port

The C2 IP and Port. The IP field can consist of multiple IP addresses or domains

priviledge_escalation (another misspelling)

If set to “True”, the malware attempts to elevate its privileges

kx_pk / seal_pk / sign_pk

Keys or key material likely related to encryption, authentication, and integrity of communication between the C2 server and malware client. See also section “Gather System Information” later.

As mentioned, the config is decrypted using ChaCha20. The overall process looks as follows:

The malware reads the first 32 bytes prior to its config (the header) and this is used as key material to generate the ChaCha20 decryption key.
This key material is combined with hardcoded “master key” data embedded in the malware which is used to derive the ChaCha20 decryption key and nonce.
ChaCha20 is initialized to decrypt the config. ChaCha20 can be identified in memory via the constant “expand 32-byte k”, and the resulting ChaCha20 key, counter, and nonce can be seen in memory after the constant:

In this image, we can see the ChaCha20 initialization constant (1), and Key (2), and counter + Nonce (3).

4. The encrypted config blob is decrypted using the derived ChaCha20 key and nonce. The resulting decrypted config blob is ZLib-compressed (78 9C is a typical ZLib header):

Decrypted config blob in memory

5. The compressed config blob is then decompressed in memory, resulting in the config:

Cleartext config in memory.

Here is a Python script that decrypts a MonsterV2 config using a provided key and nonce:

Gather system information

After MonsterV2 decrypts its config, it attempts to reach out to its C2 server. It will continue to attempt this connection until there is a successful connection to the C2 or the malware process terminates. After connecting to its C2, it sends the following information:

Value

Description

version

The version of the MonsterV2 malware

build_name

The build name of the malware, from the config

Likely a public key or key material used for secure communication between the malware client and the C2

Possibly used as integrity protection for data being sent to the C2, to ensure data is not manipulated prior to or during transit to and from the C2

geo

The geolocation of the infected system, for example “BR” for Brazil

sign

Possibly used along with the “ad” to support authentication and data integrity.

compression

Possibly used to inform the C2 of the data compression methods supported by the infected system

The operating system version

uuid

A unique ID assigned to the infected system, which is the same as the Mutex value we discussed previously

os_name

The operating system of the infected system

user_name

The username of the infected system

computer_name

The computer name of the infected system

The external IP address of the infected system

This data is stored in stack memory as a structure and then later base-64 encoded and sent to the C2 server.

The struct containing the initial data sent to the C2.

Command & control

Prior to connecting to the C2, the malware reaches out to api[.]ipify[.]org to get the infected system’s IP/location and likely as an internet connection test. If this is successful, the malware sends an initial connect request to its C2. Following this, the malware sends the previously gathered infected system’s information to the C2 (see Gather System Information section).

Responses from the C2 may be intentionally bloated and can be several megabytes. The C2 responses can contain command and control instructions to issue commands to the client, or can consist of another payload (more on this later). Based on code analysis, C2 commands seem to be processed in the following manner:

C2 response is received via a raw socket, using the WSARecv Windows API function.
The received data is Base64-decoded, decrypted using the ChaCha20 algorithm, and ZLib-decompressed (similar to the config decryption that we outlined previously).
The data is formatted and processed into a JSON-like structure. This structure differs depending on the command the C2 controller sends, but here is a generalized example of the structure:

The “flags” member may contain various flags or other data related to the command. The “data” member may contain payload data that supports the command. For example, for the C2 commands related to file operations, this payload may contain a list of file paths.

4. The processed commands and data are dispatched to a command handler function.

The malware’s command handler function supports a large number of commands from the C2 server. These commands include, but are not limited to, the following:

Terminate the malware’s process and clean up (delete its files and mutex, etc.)
Execute infostealer functionality and exfiltrate data to the C2
Execute an arbitrary command line command (cmd[.]exe, PowerShell commands)
Terminate, suspend, and resume target processes. This potentially could be used for evading endpoint defenses
Establish an HVNC connection to the infected system’s system
Take screenshots of the infected system’s desktop
Start a keylogger
Enumerate, manipulate, copy, and exfiltrate files
Shut down or crash (BSOD) the infected system
Download and execute another payload

Delivery and loading of additional payloads

Proofpoint witnessed in multiple occasions MonsterV2 loading the StealC V2 infostealer as well as the Remcos remote access trojan (RAT). This activity was not correlated with TA585, however. Notably with StealC, the MonsterV2 payloads were configured to use the same C2 server as the dropped StealC payload.

SonicCrypt crypter details

Proofpoint has observed that MonsterV2 is often packed using SonicCrypt, a crypter written in C++ advertised on forum[.]exploit[.]in:

SonicCrypt advertisement.

Here is the translation of the above (provided by Google Translate):

Modern technological crypt with many functions, prompt cleaning and professional support. I present to you a new level of crypts for any budget. Crypt provides a wide range of functions to choose from:

Written in modern C++ with a custom source code mutator that allows you to clean signatures in the blink of an eye
Support for adding your file to startup
Support for adding your file to Windows Defender exceptions
If your file requires administrator rights to work, the crypt supports the ability to bypass UAC
Runs both native and .NET files
Both bit depths are supported: 32 and 64-bit
Competent support will help you decide on the choice of configuration for your unique traffic source
The crypt does not cut the percentage of the knockout and does not interfere with the operation of the encrypted file
Usually the crypt process takes no more than 30 minutes, but in exceptional cases it can reach 12 hours
Supported crypt customizations: icon, manifest, Assembly Info, inflation (pump)

Rates:

Public $ 50 – Standard file crypt. Stab is designed for 5-7 clients, without a warranty period. Possible functionality: icon, manifest, Assembly Info, bloat (pump), UAC Bypass
Private $100 – Private crypt file. The stab is designed for a maximum of 3 people; the warranty period for the stab, when you can ask for a recrypt, is 4 days. All the advantages of the Public tariff + autorun + Windows Defender exceptions
Unique $150 – Unique crypt file. The stab is designed for a maximum of 1 person, the warranty period for the stab is 6 days. All the advantages of Private, but each client receives a unique stab

Malware analysis

SonicCrypt-packed executables are intentionally bloated and therefore contain a lot of junk code, making it difficult to statically analyze. Across SonicCrypt samples, this code is inconsistent and is likely generated to evade static detection:

An example of junk code in SonicCrypt-protected binaries.

The general flow of the malware can be seen in the following code examples:

Runs initial evasion and environment checks (more on this in a moment).
Creates the file where the decrypted payload will be written. The file is named in a similar theme, such as “WinHealth[.]exe” or “WindowsSecurity[.]exe”.
The payload is decrypted and written to this file.
In the samples we analyzed, the payload is executed using the task scheduler.

Here are two code examples demonstrating this behavior.

Example 1:

Example 2:

Anti-analysis checks

Before decrypting and loading its payload, SonicCrypt runs through several checks, including:

Checking amount of RAM
Checks the infected systems’ BIOS manufacturer (in some cases “GenuineIntel” or “AuthenticAMD”)
Some samples check the BIOS version as well
Depending on configuration, SonicCrypt may attempt to add the dropped Exe file as a Defender exclusion.

A code example of SonicCrypt gathering BIOS data.

After these checks are passed, the crypter decrypts the payload, writes it to a file on disk, and executes the payload executable via the TaskScheduler COM object (CLSID: CLSID_TaskScheduler). The process behavior tree will look as follows:

Example MonsterV2 process tree.

Conclusion

TA585 is a unique threat actor with advanced capabilities for targeting and delivery. As the cybercrime threat landscape is constantly changing, TA585 has adopted effective strategies for filtering, delivery, and malware installation. One of its favored payloads is MonsterV2, a malware that may be filling gaps in the criminal ecosystem following high profile law enforcement disruptions of other malware like Lumma Stealer. Proofpoint anticipates we will continue to see new malware families emerge, many of which contain a variety of capabilities baked into one malware.

Proofpoint recommends training users to recognize the ClickFix technique and to prevent non-administrative users from executing PowerShell.

Emerging Threats rule

2061200 – MonsterV2 Stealer CnC Checkin

Indicators of compromise

Indicators

Description

First Seen

SHA256: ccac0311b3e3674282d87db9fb8a151c7b11405662159a46dda71039f2200a67

C2: 139.180.160[.]173

Port: 7712