EXECUTIVE SUMMARY:
A newly observed threat actor, referred to as TA585, is emerging as a self-sufficient operation. Unlike many malicious groups that outsource portions of their attack chain, TA585 orchestrates its own infrastructure, delivery mechanisms, and malware deployment. Its favored payload, MonsterV2, possesses a wide range of intrusive capabilities and is utilized by multiple groups in parallel.
TA585 conducts its operations using compromised websites, injecting malicious JavaScript into legitimate pages to deliver payloads selectively to visitors. Its injection scheme frequently relies on a technique known as ClickFix, wherein users are tricked into executing commands under the guise of human verification. In some campaigns, the attacker also leverages GitHub-style notifications to bait victims toward malicious URLs. Once delivered, MonsterV2 is decrypted, configured, and executed. It requests system privileges and may create a unique mutex for process identification. Configuration data is encrypted via ChaCha20, compressed using zlib, and parsed in memory. MonsterV2 supports a wide set of features: credential theft, clipboard manipulation, hidden VNC remote control, arbitrary command execution, file operations, and payload download, all under commands issued by a command-and-control (C2) server. The malware also appears to exclude systems in certain countries. In many instances, the payload is wrapped or packed via a crypter, which implements anti-analysis techniques such as junk code, BIOS checks, and sandbox evasion before decrypting and deploying the core malware.
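The configuration handling described above (ChaCha20 decryption, zlib decompression, in-memory parsing) is the part of the chain an analyst reproduces when writing a config extractor. The following is an added example, not code from the advisory or from MonsterV2: a pure-Python ChaCha20 (RFC 8439) plus the decrypt-inflate-parse pipeline run on a constructed sample blob. The key, nonce, blob layout (12-byte nonce followed by ciphertext) and JSON field names are assumptions for the demo, not MonsterV2's real format.

```python
import json
import struct
import zlib

MASK32 = 0xFFFFFFFF


def _rotl32(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    # RFC 8439 section 2.1 quarter round, applied in place on the 16-word state
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def _chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    # State: 4 constant words, 8 key words, 1 counter word, 3 nonce words (all little-endian)
    state = (list(struct.unpack("<4I", b"expand 32-byte k"))
             + list(struct.unpack("<8I", key))
             + [counter]
             + list(struct.unpack("<3I", nonce)))
    w = state[:]
    for _ in range(10):  # 10 double rounds = 20 rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK32 for x, y in zip(w, state)])


def chacha20_xor(key: bytes, nonce: bytes, data: bytes, counter: int = 1) -> bytes:
    """XOR data with the ChaCha20 keystream; the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = _chacha20_block(key, counter + i // 64, nonce)
        out.extend(x ^ y for x, y in zip(data[i:i + 64], ks))
    return bytes(out)


def rfc8439_block_selfcheck() -> bool:
    """Verify the block function against the RFC 8439 section 2.3.2 test vector."""
    key = bytes(range(32))
    nonce = bytes.fromhex("000000090000004a00000000")
    return _chacha20_block(key, 1, nonce)[:16] == bytes.fromhex("10f1e7e4d13b5915500fdd1fa32071c4")


# Constructed sample values (placeholders, not real MonsterV2 indicators)
KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
NONCE = b"demo-nonce-1"  # 12 bytes, assumption for this example
SAMPLE_CONFIG = {
    "c2": "c2.example.invalid:443",
    "mutex": "mutex-placeholder",
    "excluded_countries": ["XX"],
    "hvnc": True,
}


def build_sample_blob(config: dict, key: bytes, nonce: bytes) -> bytes:
    """Constructed blob: compress the JSON config with zlib, then ChaCha20-encrypt it."""
    compressed = zlib.compress(json.dumps(config).encode())
    return nonce + chacha20_xor(key, nonce, compressed)


def extract_config(blob: bytes, key: bytes) -> dict:
    """Reverse the pipeline the advisory describes: decrypt, inflate, parse."""
    nonce, ciphertext = blob[:12], blob[12:]
    plaintext = chacha20_xor(key, nonce, ciphertext)
    try:
        inflated = zlib.decompress(plaintext)
    except zlib.error as exc:
        # A wrong key yields a keystream-garbled buffer that is not a zlib stream
        raise ValueError("no valid zlib stream after decryption: wrong key or layout") from exc
    return json.loads(inflated)


if __name__ == "__main__":
    blob = build_sample_blob(SAMPLE_CONFIG, KEY, NONCE)
    print("RFC 8439 self-check:", rfc8439_block_selfcheck())
    print("recovered config:", extract_config(blob, KEY))
```

The zlib step doubles as a cheap sanity check for a candidate key: a wrong key produces data that fails to inflate, so an extractor can try keys pulled from the sample and stop at the first one that yields a valid stream and parseable JSON.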
TA585 represents a notable threat actor that consolidates many parts of a typical attack chain, from infrastructure creation to delivery to payload execution, under its direct control. Its use of MonsterV2, a feature-rich malware adopted across multiple threat actors, underscores its flexibility and reach. Organizations should remain vigilant for indicators associated with this campaign and adopt mitigations such as disabling non-privileged PowerShell execution, educating users about deceptive CAPTCHA techniques, and employing robust detection of payload delivery through compromised web injects together with filtering of suspicious behavior.
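Detecting the web-inject delivery stage means noticing when a page you own starts serving script content it did not serve before. The following is an added example, not code from the advisory or from any vendor tool: it inventories the script tags of a page (external scripts by src, inline scripts by SHA-256 of their body), diffs a current snapshot against a known-good baseline, and reports anything new. The two HTML documents and the host names in them are constructed for the demo.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collect ("src", url) for external scripts and ("inline", sha256) for inline ones."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self._buf = []
        self._src = None
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._buf = []
            self._src = dict(attrs).get("src")

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            if self._src:
                self.scripts.append(("src", self._src))
            else:
                body = "".join(self._buf).strip()
                self.scripts.append(("inline", hashlib.sha256(body.encode()).hexdigest()))


def script_inventory(html: str):
    p = _ScriptCollector()
    p.feed(html)
    p.close()
    return p.scripts


def find_injected_scripts(baseline_html: str, current_html: str, allowed_hosts=()):
    """Return scripts present in the current page but absent from the baseline.

    External scripts whose host is in allowed_hosts (e.g. a CDN you deliberately
    added after the baseline was taken) are skipped; inline scripts are never skipped,
    since any new inline body is exactly what an injection looks like."""
    baseline = set(script_inventory(baseline_html))
    findings = []
    for kind, value in script_inventory(current_html):
        if (kind, value) in baseline:
            continue
        if kind == "src" and (urlparse(value).hostname or "") in allowed_hosts:
            continue
        findings.append((kind, value))
    return findings


# Constructed baseline snapshot of a legitimate page
BASELINE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script>window.siteConfig = {theme: "light"};</script>
</head><body><p>Welcome</p></body></html>"""

# Constructed snapshot of the same page after an injection: one new external
# script from an unknown host and one new inline script.
INJECTED_HTML = """<html><head>
<script src="/static/app.js"></script>
<script>window.siteConfig = {theme: "light"};</script>
<script src="https://cdn.attacker.invalid/verify.js"></script>
<script>document.body.insertAdjacentHTML("beforeend", "<div id='verify'>...</div>");</script>
</head><body><p>Welcome</p></body></html>"""


if __name__ == "__main__":
    for kind, value in find_injected_scripts(BASELINE_HTML, INJECTED_HTML):
        print(f"new {kind} script: {value}")
```

Run this from a scheduled job against your own pages; the baseline should be refreshed only through your deployment pipeline, so that any script that appears outside a deploy is a finding worth triage.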
THREAT PROFILE:
Tactic | Technique ID | Technique | Sub-technique |
Initial Access | T1566.002 | Phishing | Spearphishing Link |
Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
Execution | T1204.002 | User Execution | Malicious File |
Defense Evasion | T1562.001 | Impair Defenses | Disable or Modify Tools |
Discovery | T1083 | File and Directory Discovery | — |
Collection | T1125 | Video Capture | — |
Collection | T1005 | Data from Local System | — |
Command and Control | T1095 | Non-Application Layer Protocol | — |
Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
REFERENCES:
The following reports contain further technical details: