Post

Hacker Group TA585 Emerges With Advanced Attack Infrastructure

Posted
By ictsec.pl
1 min read

A newly identified cybercriminal group, TA585, has been uncovered by cybersecurity researchers for running one of the most autonomous and technically advanced operations in today’s threat landscape.

Discovered by the Proofpoint team, TA585 is a key distributor of MonsterV2, a premium malware family first advertised on underground forums in February 2025. Marketed as a remote access Trojan (RAT), stealer, and loader, MonsterV2 gives criminals the ability to steal data, monitor victims, and install additional payloads. Proofpoint noted that the malware avoids systems located in Commonwealth of Independent States (CIS) countries and is sold on a subscription basis. The “Standard” version costs $00 per month, while the “Enterprise” edition, which includes additional modules such as HVNC and Chrome Developer Tools access, is priced at $000 per month.

TA585’s early campaigns appeared in February 2025, masquerading as communications from the Internal Revenue Service (IRS) and Small Business Administration (SBA). These messages used the ClickFix technique, a social engineering method that persuades users to execute a PowerShell script manually. Doing so triggered a second script that ultimately installed MonsterV2. Unlike most threat actors that rely on external brokers or botnets, TA585 uses compromised websites to host malicious JavaScript.

Visitors are shown a fake CAPTCHA overlay prompting them to verify they are human. Behind the scenes, TA585’s systems run detailed filtering checks to ensure genuine user engagement before delivering the malware. MonsterV2 itself is written in C++, Go, and TypeScript, and features robust encryption and self-protection measures. Proofpoint’s analysis highlighted several key functions and capabilities, including: Data theft, including credentials, crypto wallets, and browser information; Remote desktop control through HVNC; Webcam recording and screenshot capture; Downloading and executing additional payloads.

To read the complete article see: Infosecurity Magazine

Apply for our next conference in Kuala Lumpur on December 9th and 10th, 2025 here with the passcode: “6f&%dX”, no quotes.

MALWARE
HACKING CYBERSECURITY TA585 MALWARE
This post is licensed under CC BY 4.0 by the author.