{
	"id": "6f174eb6-54b2-41fc-ade7-7ce1ab15761b",
	"created_at": "2026-04-06T00:16:57.521881Z",
	"updated_at": "2026-04-10T13:11:32.280388Z",
	"deleted_at": null,
	"sha1_hash": "71a95b439623b661cdc8471148877cac8be199df",
	"title": "When the monster bytes: tracking TA585 and its arsenal | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 8303850,
	"plain_text": "When the monster bytes: tracking TA585 and its arsenal | Proofpoint US\r\nBy Kyle Cucci, Tommy Madjar, Selena Larson, and the Proofpoint Threat Research Team\r\nPublished: 2025-10-03 · Archived: 2026-04-05 13:57:46 UTC\r\nKey findings\r\nTA585 is a sophisticated cybercriminal threat actor recently named by Proofpoint. It operates its entire attack chain, from infrastructure to email delivery to malware installation.\r\nThe actor demonstrates innovation in a constantly changing cybercrime threat landscape, with unique web injection campaigns and complicated filtering.\r\nTA585 frequently delivers MonsterV2, a malware with numerous capabilities sold on cybercriminal forums. It is not sold by TA585, and has multiple cybercriminal customers.\r\nMonsterV2 has the capabilities of a remote access trojan (RAT), loader, and stealer. It avoids infecting computers in Commonwealth of Independent States (CIS) countries.\r\nOverview\r\nAs the cybercrime landscape continues to innovate, new threat actors and capabilities are emerging. One new cybercriminal threat actor, TA585, operates with a high level of sophistication and delivers a variety of malware including the recently released MonsterV2.\r\nMonsterV2 is advertised as a remote access trojan (RAT), stealer, and loader. It is expensive compared to its peer malware families, and used by only a small number of actors, including TA585. Proofpoint researchers first observed it sold on hacking forums in February 2025.\r\nTA585 is notable because it appears to own its entire attack chain with multiple delivery techniques. Instead of leveraging other threat actors – like paying for distribution, buying access from initial access brokers, or using a third-party traffic delivery system – TA585 manages its own infrastructure, delivery, and malware installation. 
The evolution of cybercrime and its supporting ecosystem has made the threat landscape comparable to the modern job market and the “gig economy.” However, TA585 bucks that trend and owns and manages nearly all of its business model, except the final malware, which is sourced from a MaaS (Malware as a Service) such as Lumma Stealer, Rhadamanthys or MonsterV2.\r\nThis report details both the newly named TA585 as well as the MonsterV2 malware, which is used by multiple actors. While TA585 is one customer of MonsterV2, it is not the malware author, and multiple threat actors use it in campaigns.\r\nCampaign details\r\nGovernment impersonation\r\nhttps://www.proofpoint.com/us/blog/threat-insight/when-monster-bytes-tracking-ta585-and-its-arsenal\r\nPage 1 of 23\r\nProofpoint first observed MonsterV2 in a late February 2025 campaign leveraging U.S. Internal Revenue Service (IRS) themed lures. Messages contained URLs linking to a PDF which would open in the browser. The PDF linked to a webpage that was using the ClickFix technique, a technique named by Proofpoint in June 2024, which lures visitors to manually run a malicious command in the Windows Run box or a PowerShell terminal.\r\nSBA themed PDF.\r\nIRS themed ClickFix landing leading to MonsterV2, observed on 26 February 2025.\r\nClickFix themed landing leading to MonsterV2.\r\nIf the user copied and pasted the PowerShell script as instructed, it executed a second PowerShell script, ultimately leading to MonsterV2.\r\nProofpoint observed two more U.S. government-themed MonsterV2 campaigns in March 2025, one impersonating the IRS and a second impersonating the Small Business Administration (SBA). Both campaigns included fewer than 200 messages and mostly targeted finance and accounting firms. None of these campaigns are attributed to a tracked threat actor.\r\nTA585 campaigns\r\nIn April 2025, Proofpoint researchers investigated an interesting vector: unique web injects and activity we named “CoreSecThree” based on domain names and infrastructure. The actor registers and maintains its own domain names and uses Cloudflare hosting infrastructure. Initial campaigns delivered Lumma Stealer, but the actor began using MonsterV2 in early May 2025.\r\nTA585 activity is typically distributed via compromised websites. Proofpoint detects the threat by sandboxing URLs from business email messages that lead to legitimate websites that have been compromised to serve malware to selected visitors. Although neither the sender nor the site owner may intend harm, the websites have been compromised with a malicious JavaScript injection. This injection causes the website to load a malicious script which, in campaigns so far this year, is used to create an overlay of the compromised website to present a fake CAPTCHA (ClickFix) instructing users to verify they are human. Unlike some other web inject campaigns that rely on third-party traffic distribution systems, TA585 does its own filtering and checks to ensure a real person is receiving the payload.\r\nExample TA585 JavaScript inject.\r\nClickFix overlay on compromised website.\r\nThe attack chain reacts to the user actually performing the “Win+R” step: the website only gives a real “reaction” once the action has been completed. Once the user clicks “Verify you are human” they are prompted to complete the “Win+R” action:\r\n“Verification” page owned by the threat actor.\r\nFollowing the instructions initiates a PowerShell command that downloads and executes malware. Meanwhile, the page starts beaconing repeatedly to the lure server, which replies with “Access denied” until the PowerShell script has finished downloading and running and the malware is checking in to the payload server from the same IP address that is loading the web page. The user is then redirected to the actual website (with /?verified=true appended). Because the redirect is gated on a malware check-in from the same source IP that loaded the page, analysis that runs the copied command from a different egress address than the browser session never reaches the verified state.\r\nTraffic on the compromised site; the user is redirected once their IP is confirmed.\r\nProofpoint has observed the above JavaScript inject and infrastructure (intlspring[.]com) delivering two different malware payloads: MonsterV2 and Rhadamanthys.\r\nGitHub themed campaigns\r\nWhile the majority of the TA585 malware payloads are distributed via web injects, Proofpoint has also observed them delivered via emails such as notifications from GitHub, caused by the threat actor tagging GitHub users in fake security notices that contain URLs leading to actor-controlled websites. Third-party researchers have observed TA585 activity delivered via malvertising.\r\nIn August 2025, Proofpoint identified a unique TA585 attack chain leveraging GitHub notifications to deliver Rhadamanthys. We first spotted a post by ANY.RUN about ClickFix delivering Rhadamanthys and began investigating.\r\nWe identified GitHub notification emails that kicked off the attack chain. 
The emails were likely generated by the threat actor creating an issue in an actor-controlled repository with a fake security warning and then tagging legitimate accounts, which receive notifications that they have been tagged, together with the text from the issue.\r\nGitHub notification email generated by the threat actor.\r\nThe notifications contained shortened URLs that led to an actor-controlled website. Like TA585’s typical web inject campaigns, the website performed filtering functions, and if those checks were passed, the visitor was redirected to a website that presents a fake GitHub-branded CAPTCHA instructing users to verify they are human.\r\nGitHub themed web page, using the typical CoreSecThree filtering and beaconing techniques.\r\nFollowing the instructions initiated a command that downloaded and executed Rhadamanthys.\r\nMonsterV2 malware details\r\nMonsterV2 is advertised as a RAT, stealer, and loader. It is full-featured and has many capabilities that allow it to perform varying functions during a breach. Proofpoint has observed MonsterV2 acting either primarily as a stealer or as a loader, dropping malware such as StealC Version 2. While Proofpoint observes TA585 using MonsterV2, it is also used by other cybercriminal threat actors.\r\nMonsterV2 has the following capabilities:\r\nEnumerate and exfiltrate sensitive information such as browser and login data, credit card and crypto wallet information, tokens for services such as Steam, Telegram, and Discord, files and documents, as well as other data typical of infostealers\r\nView the infected system’s desktop and record the webcam\r\nClipper capabilities (essentially replacing cryptocurrency addresses in the infected system’s clipboard with threat actor-provided addresses)\r\nHVNC (Hidden Virtual Network Computing) – Allows the threat actor to establish a remote desktop-like connection to the infected system, giving graphical user interface access without alerting the user of the infected system\r\nReceive and execute a wide variety of commands from its C2\r\nDownload and execute additional payloads\r\nAvoids infecting CIS countries: Russia, Belarus, Ukraine, Kazakhstan, Uzbekistan, Turkmenistan, Kyrgyzstan, Armenia, Tajikistan, Moldova, Latvia, Lithuania, and Estonia (as implemented, the exclusion list also covers the Baltic states, which are not CIS members)\r\nMonsterV2 has been advertised on criminal hacking forums, as seen in the following post excerpt:\r\nMonsterV2 advertisement.\r\nHere is an excerpt of the translation (from Russian, using Google Translate) of the original advertisement of MonsterV2:\r\nLanguages used in development: C++ for the client (build), Go and TypeScript for the server logic and panel\r\nThe build has built-in RAII wrappers over handles and pointers throughout to prevent memory leaks and UB\r\nWherever threads are used, the thread-safety concept is observed\r\nSelf-written obfuscator and source code generator through direct modification of AST\r\nBuild has no dependencies on various additionally installed runtimes and runs even on clean systems\r\nAutomatic privilege escalation and modern approaches to evade detection\r\nBefore release, the code is run through sanitizers, linters and autotests. Coverage close to 100%\r\nFunctionality testing of features is carried out on real machines under conditions as close as possible to «field» ones.\r\nA professional approach to creating an architecture that ensures high scalability and performance\r\nCurrent modules list: File Manager, Process Manager, Resident Loader, Webcam Recorder, Remote Desktop (HVNC), Remote CMD/PowerShell (read the description of each module below; the number of modules will increase as the project is updated)\r\nTo communicate with the C2 server, a raw TCP connection is used with a small add-on on top in the form of an exchange of encryption keys with two-way authentication (analogous to SSL/TLS)\r\nIf the connection is lost, the bot will try to restore the connection (reconnect)\r\nThe panel is written in a convenient and minimalistic style, so that users do not get distracted, but at the same time maintain good UX\r\nThe panel supports Russian and English localizations\r\nReal-time UI updates\r\nOne-click installation and intuitive settings\r\nThe malware is sold in tiered options, with 
pricing for one week, two week, or month-long use. The “Standard” version costs $800 USD per month, while the “Enterprise” version that includes a stealer, loader, HVNC, and HCDP (Chrome developer tools) costs $2,000 per month. To compare that with another common stealer, Rhadamanthys is advertised for $199 per month.\r\nProofpoint has observed that MonsterV2 is actively being maintained and updated, even with minor and “cosmetic” updates. For example, Proofpoint identified the following string in earlier versions of the malware (with a misspelling of the word “terminate”):\r\nMisspelled “terminate” string.\r\nThis was fixed in later versions of the malware:\r\nFixed string spelling.\r\nBehavior\r\nAnalyst Note: Prior to execution, MonsterV2 may be decrypted and loaded via another malware called SonicCrypt. This crypter will be detailed later in this report.\r\nOnce executed on the target system, MonsterV2 executes the following actions:\r\nInitialization\r\nIt first decrypts and resolves several Windows API functions it requires. Each library and function name string is decrypted using a unique ChaCha20 key, which complicates reverse engineering and static analysis. The ChaCha20 functionality is discussed later in this report.\r\nNext, MonsterV2 attempts to elevate its privileges on the system by requesting many token privileges, such as the following (this list is not exhaustive). These privileges also hint at the malware’s functionality:\r\nSeDebugPrivilege - Processes that obtain this privilege are potentially able to read and modify the memory of other processes, elevate privileges and bypass security controls, among other things. This is a common privilege that malware may request\r\nSeTakeOwnershipPrivilege – Processes with this privilege can take ownership of objects and modify their permissions, effectively bypassing restrictions; commonly leveraged in privilege escalation scenarios\r\nSeIncreaseBasePriorityPrivilege - Allows changing the base priority of a process, influencing its CPU scheduling\r\nSeIncreaseWorkingSetPrivilege - Permits raising a process’s working set, allocating more physical memory for its operations and improving performance\r\nSeSecurityPrivilege - Required to view/edit the security event log\r\nSeShutdownPrivilege - Lets processes shut down the system\r\nAdditionally, MonsterV2 will optionally create a mutex on the infected system, in the format “Mutant-\u003cunique_id_64_characters\u003e”. Here are a few examples:\r\nMutant-5B7C3E6F9D8A1F42BCDE0347FA8C9E12D13A4597628F6BD57C4E81A9670D3F5A\r\nMutant-A8F1D32C497EB560C9A21D87F34EB70591D2C864EAF53BD7906C12F8D4E39BAF\r\nMutant-93D8FE2065BCA71BEF2486AD7FA0C935ECC27104ABF9E6531875F22CB40D9E8F\r\nThis mutex creation and format (the literal prefix “Mutant-” followed, as in these examples, by 64 uppercase hexadecimal characters) is a good indicator for threat hunting.\r\nConfiguration decryption\r\nMonsterV2 then decrypts its config, which is stored as an encrypted blob in the binary. The config is decrypted using ChaCha20, and then decompressed using an embedded ZLib decompression library. The malware seems to make use of the LibSodium (https://doc[.]libsodium[.]org/) library for encryption/decryption.\r\nBelow are some examples of a decrypted MonsterV2 configuration:\r\nMonsterV2 config examples.\r\nIn a later sample we analyzed, MonsterV2 supported multiple C2s, also in the form of domains instead of just IP addresses:\r\nMonsterV2 config example, with four C2 domains.\r\nThe configuration consists of the following values:\r\nValue – Description\r\nanti_dbg – If set to “True”, the malware attempts to detect and evade debuggers in use. In the samples we analyzed, we did not witness this value being anything other than “False”.\r\nanti_sandbox – If set to “True”, the malware attempts to detect sandboxes and execute some rudimentary anti-sandbox techniques. In the samples we analyzed, we did not witness this value being anything other than “False”.\r\naurotun (misspelling of “autorun”) – If set to “True”, the malware attempts to establish persistence.\r\nbuild_name – The build name of the malware, which could be used to cluster campaigns and potentially threat actors.\r\ndisable_mutex – If set to “True”, the malware does not create a mutex on the host.\r\nip / port – The C2 IP and port. The IP field can consist of multiple IP addresses or domains.\r\npriviledge_escalation (another misspelling) – If set to “True”, the malware attempts to elevate its privileges.\r\nkx_pk / seal_pk / sign_pk – Keys or key material likely related to encryption, authentication, and integrity of communication between the C2 server and malware client. See also the section “Gather system information” later.\r\nAs mentioned, the config is decrypted using ChaCha20. The overall process looks as follows:\r\n1. The malware reads the 32 bytes immediately preceding its config (the header); this is used as key material to generate the ChaCha20 decryption key.\r\n2. This key material is combined with hardcoded “master key” data embedded in the malware, which is used to derive the ChaCha20 decryption key and nonce.\r\n3. ChaCha20 is initialized to decrypt the config. ChaCha20 can be identified in memory via the constant “expand 32-byte k”, and the resulting ChaCha20 key, counter, and nonce can be seen in memory after the constant:\r\nIn this image, we can see the ChaCha20 initialization constant (1), the key (2), and the counter + nonce (3).\r\n4. The encrypted config blob is decrypted using the derived ChaCha20 key and nonce. The resulting decrypted config blob is ZLib-compressed (78 9C is the typical ZLib header for the default compression level; 78 01 and 78 DA are the other common values):\r\nDecrypted config blob in memory.\r\n5. The compressed config blob is then decompressed in memory, resulting in the config:\r\nCleartext config in memory.\r\nPython script that decrypts a MonsterV2 config using a provided key and nonce (shown as an image in the original post).\r\nGather system information\r\nAfter MonsterV2 decrypts its config, it attempts to reach out to its C2 server. It will continue to attempt this connection until there is a successful connection to the C2 or the malware process terminates. After connecting to its C2, it sends the following information:\r\nValue – Description\r\nversion – The version of the MonsterV2 malware\r\nbuild_name – The build name of the malware, from the config\r\npk – Likely a public key or key material used for secure communication between the malware client and the C2\r\nad – Possibly used as integrity protection for data being sent to the C2, to ensure data is not manipulated prior to or during transit to and from the C2\r\ngeo – The geolocation of the infected system, for example “BR” for Brazil\r\nsign – Possibly used along with the “ad” to support authentication and data integrity\r\ncompression – Possibly used to inform the C2 of the data compression methods supported by the infected system\r\nos – The operating system version\r\nuuid – A unique ID assigned to the infected system, which is the same as the mutex value we discussed previously\r\nos_name – The operating system of the infected system\r\nuser_name – The username of the infected system\r\ncomputer_name – The computer name of the infected system\r\nip – The external IP address of the infected system\r\nThis data is stored in stack memory as a structure and then later Base64-encoded and sent to the C2 server.\r\nThe struct containing the initial data sent to the C2.\r\nCommand \u0026 control\r\nPrior to connecting to the C2, the malware reaches out to api[.]ipify[.]org to get the infected system’s IP/location, and likely as an internet connection test. If this is successful, the malware sends an initial connect request to its C2. Following this, the malware sends the previously gathered infected system information to the C2 (see the Gather system information section).\r\nResponses from the C2 may be intentionally bloated and can be several megabytes. The C2 responses can contain command and control instructions to issue commands to the client, or can consist of another payload (more on this later). Based on code analysis, C2 commands seem to be processed in the following manner:\r\n1. The C2 response is received via a raw socket, using the WSARecv Windows API function.\r\n2. The received data is Base64-decoded, decrypted using the ChaCha20 algorithm, and ZLib-decompressed (similar to the config decryption that we outlined previously).\r\n3. The data is formatted and processed into a JSON-like structure. This structure differs depending on the command the C2 controller sends, but here is a generalized example of the structure:\r\nGeneralized C2 command structure with “flags” and “data” members (shown as an image in the original post).\r\nThe “flags” member may contain various flags or other data related to the command. The “data” member may contain payload data that supports the command. For example, for the C2 commands related to file operations, this payload may contain a list of file paths.\r\n4. The processed commands and data are dispatched to a command handler function.\r\nThe malware’s command handler function supports a large number of commands from the C2 server. These commands include, but are not limited to, the following:\r\nTerminate the malware’s process and clean up (delete its files and mutex, etc.)\r\nExecute infostealer functionality and exfiltrate data to the C2\r\nExecute an arbitrary command line (cmd[.]exe, PowerShell commands)\r\nTerminate, suspend, and resume target processes. This could potentially be used for evading endpoint defenses\r\nEstablish an HVNC connection to the infected system\r\nTake screenshots of the infected system’s desktop\r\nStart a keylogger\r\nEnumerate, manipulate, copy, and exfiltrate files\r\nShut down or crash (BSOD) the infected system\r\nDownload and execute another payload\r\nDelivery and loading of additional payloads\r\nProofpoint has witnessed MonsterV2 on multiple occasions loading the StealC V2 infostealer as well as the Remcos remote access trojan (RAT). This activity was not correlated with TA585, however. Notably with StealC, the MonsterV2 payloads were configured to use the same C2 server as the dropped StealC payload.  
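\r\nThe configuration decryption (steps 1 to 5 above) and the C2 response handling (Base64 decode, ChaCha20, ZLib inflate, JSON-like structure) share one pipeline. The Python below is an added example written for this page; it is not the script from the original post and not code from MonsterV2 or Proofpoint. It takes the ChaCha20 key and nonce as already recovered (the report does not document the header/master-key derivation in enough detail to reproduce it), supports both the 8-byte-nonce ChaCha20 variant that libsodium’s crypto_stream_chacha20 implements and the 12-byte IETF variant, and encrypts a constructed sample config so that it runs offline. The config field names come from the table above, but the value shapes (for example the ip list) are assumptions.\r\n

```python
import base64
import json
import struct
import zlib

MASK = 0xFFFFFFFF

# Constructed fixture, not a real sample: key and nonce as an analyst would supply them
# after reading them from memory next to the 'expand 32-byte k' constant.
KEY = bytes(range(32))
NONCE = bytes(8)  # 8-byte nonce = original ChaCha20 (libsodium crypto_stream_chacha20); assumed variant
SAMPLE_CONFIG = {  # field names from the report; value shapes are assumptions
    'anti_dbg': False,
    'anti_sandbox': False,
    'aurotun': True,
    'build_name': 'example_build',
    'disable_mutex': False,
    'ip': ['203.0.113.10', 'c2.example.invalid'],
    'port': 7712,
    'priviledge_escalation': True,
}


def _rotl(v, n):
    return ((v << n) & MASK) | (v >> (32 - n))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK
    s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK
    s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK
    s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK
    s[b] = _rotl(s[b] ^ s[c], 7)


def _chacha20_block(key, counter, nonce):
    # State layout: 4 constant words, 8 key words, counter word(s), nonce words.
    # The constant is the 'expand 32-byte k' string the report locates in memory.
    const = struct.unpack('<4I', b'expand 32-byte k')
    k = struct.unpack('<8I', key)
    if len(nonce) == 8:      # original ChaCha20: 64-bit counter, 64-bit nonce
        ctr = (counter & MASK, (counter >> 32) & MASK)
    elif len(nonce) == 12:   # IETF variant (RFC 8439): 32-bit counter, 96-bit nonce
        ctr = (counter & MASK,)
    else:
        raise ValueError('nonce must be 8 or 12 bytes')
    n = struct.unpack('<%dI' % (len(nonce) // 4), nonce)
    state = list(const + k + ctr + n)
    work = state[:]
    for _ in range(10):  # 10 double rounds = 20 rounds
        _quarter_round(work, 0, 4, 8, 12)
        _quarter_round(work, 1, 5, 9, 13)
        _quarter_round(work, 2, 6, 10, 14)
        _quarter_round(work, 3, 7, 11, 15)
        _quarter_round(work, 0, 5, 10, 15)
        _quarter_round(work, 1, 6, 11, 12)
        _quarter_round(work, 2, 7, 8, 13)
        _quarter_round(work, 3, 4, 9, 14)
    return struct.pack('<16I', *[(w + s) & MASK for w, s in zip(work, state)])


def chacha20_xor(key, nonce, data, counter=0):
    # Keystream XOR: encryption and decryption are the same operation.
    out = bytearray()
    for off in range(0, len(data), 64):
        block = _chacha20_block(key, counter + off // 64, nonce)
        out.extend(x ^ y for x, y in zip(data[off:off + 64], block))
    return bytes(out)


def decrypt_config(blob, key, nonce):
    # Step 4 of the report: the ChaCha20 output must be a ZLib stream. CMF byte 0x78 plus a
    # FLG byte that makes CMF*256+FLG divisible by 31 covers 78 01, 78 9C, 78 DA and friends.
    plain = chacha20_xor(key, nonce, blob)
    if len(plain) < 2 or plain[0] != 0x78 or (plain[0] * 256 + plain[1]) % 31 != 0:
        raise ValueError('no ZLib header after ChaCha20: key or nonce is probably wrong')
    try:
        inflated = zlib.decompress(plain)  # step 5: inflate in memory
    except zlib.error as exc:
        raise ValueError('ZLib inflate failed: %s' % exc)
    return json.loads(inflated)


def decode_c2_response(wire, key, nonce):
    # C2 traffic adds a Base64 layer in front of the same ChaCha20 + ZLib pipeline.
    return decrypt_config(base64.b64decode(wire), key, nonce)


def build_config_blob(config, key, nonce):
    # Fixture builder (constructed; the decrypt path in reverse): JSON -> deflate -> ChaCha20.
    return chacha20_xor(key, nonce, zlib.compress(json.dumps(config).encode()))


def build_c2_response(config, key, nonce):
    return base64.b64encode(build_config_blob(config, key, nonce))


if __name__ == '__main__':
    blob = build_config_blob(SAMPLE_CONFIG, KEY, NONCE)
    print(json.dumps(decrypt_config(blob, KEY, NONCE), indent=2))
    print(decode_c2_response(build_c2_response(SAMPLE_CONFIG, KEY, NONCE), KEY, NONCE)['ip'])
```

Run it directly to see the constructed config decrypted and the C2-style wrapper decoded. The ZLib header check reproduces the 78 9C sanity test from step 4: a failed check means the key or nonce is wrong, which is a more useful message than the bare zlib error you would otherwise get, and the known-answer vectors for ChaCha20 (all-zero key and nonce, and the RFC 8439 block test) confirm the cipher core before any real blob is tried.\r\n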
\r\nSonicCrypt crypter details\r\nProofpoint has observed that MonsterV2 is often packed using SonicCrypt, a crypter written in C++ advertised on forum[.]exploit[.]in:\r\nSonicCrypt advertisement.\r\nHere is the translation of the above (provided by Google Translate):\r\nModern technological crypt with many functions, prompt cleaning and professional support. I present to you a new level of crypts for any budget. Crypt provides a wide range of functions to choose from:\r\nWritten in modern C++ with a custom source code mutator that allows you to clean signatures in the blink of an eye\r\nSupport for adding your file to startup\r\nSupport for adding your file to Windows Defender exceptions\r\nIf your file requires administrator rights to work, the crypt supports the ability to bypass UAC\r\nRuns both native and .NET files\r\nBoth bit depths are supported: 32 and 64-bit\r\nCompetent support will help you decide on the choice of configuration for your unique traffic source\r\nThe crypt does not cut the percentage of the knockout and does not interfere with the operation of the encrypted file\r\nUsually the crypt process takes no more than 30 minutes, but in exceptional cases it can reach 12 hours\r\nSupported crypt customizations: icon, manifest, Assembly Info, inflation (pump)\r\nRates:\r\nPublic $50 - Standard file crypt. Stub is designed for 5-7 clients, without a warranty period. Possible functionality: icon, manifest, Assembly Info, bloat (pump), UAC Bypass\r\nPrivate $100 - Private crypt file. The stub is designed for a maximum of 3 people; the warranty period for the stub, when you can ask for a recrypt, is 4 days. All the advantages of the Public tariff + autorun + Windows Defender exceptions\r\nUnique $150 - Unique crypt file. The stub is designed for a maximum of 1 person, the warranty period for the stub is 6 days. All the advantages of Private, but each client receives a unique stub\r\nMalware analysis\r\nSonicCrypt-packed executables are intentionally bloated and therefore contain a lot of junk code, making them difficult to analyze statically. Across SonicCrypt samples, this code is inconsistent and is likely generated to evade static detection:\r\nAn example of junk code in SonicCrypt-protected binaries.\r\nThe general flow of the malware can be seen in the following code examples:\r\n1. Runs initial evasion and environment checks (more on this in a moment).\r\n2. Creates the file where the decrypted payload will be written. The file is named in a Windows-like theme, such as “WinHealth[.]exe” or “WindowsSecurity[.]exe”.\r\n3. The payload is decrypted and written to this file.\r\n4. In the samples we analyzed, the payload is executed using the Task Scheduler.\r\nHere are two code examples demonstrating this behavior (shown as images in the original post).\r\nExample 1:\r\nExample 2:\r\nAnti-analysis checks\r\nBefore decrypting and loading its payload, SonicCrypt runs through several checks, including:\r\nChecking the amount of RAM\r\nChecking the infected system’s BIOS manufacturer (in some cases comparing against “GenuineIntel” or “AuthenticAMD”, which are CPUID vendor strings rather than BIOS vendor names)\r\nSome samples check the BIOS version as well\r\nDepending on configuration, SonicCrypt may attempt to add the dropped EXE file as a Defender exclusion.\r\nA code example of SonicCrypt gathering BIOS data.\r\nAfter these checks are passed, the crypter decrypts the payload, writes it to a file on disk, and executes the payload executable via the Task Scheduler COM object (CLSID_TaskScheduler). The process behavior tree will look as follows:\r\nExample MonsterV2 process tree.\r\nConclusion\r\nTA585 is a unique threat actor with advanced capabilities for targeting and delivery. As the cybercrime threat landscape is constantly changing, TA585 has adopted effective strategies for filtering, delivery, and malware installation. One of its favored payloads is MonsterV2, a malware that may be filling gaps in the criminal ecosystem following high-profile law enforcement disruptions of other malware like Lumma Stealer. Proofpoint anticipates we will continue to see new malware families emerge, many of which contain a variety of capabilities baked into one malware.\r\nProofpoint recommends training users to recognize the ClickFix technique and preventing non-administrative users from executing PowerShell.\r\nEmerging Threats rule\r\n2061200 – MonsterV2 Stealer CnC Checkin\r\nIndicators of compromise\r\nIndicator – Description – First seen\r\nSHA256 ccac0311b3e3674282d87db9fb8a151c7b11405662159a46dda71039f2200a67; C2 139.180.160[.]173, port 7712 – MonsterV2 SHA256 file hash, C2, and port – 2025-02-22\r\nSHA256 666944b19c707afaa05453909d395f979a267b28ff43d90d143cd36f6b74b53e; C2 155.138.150[.]12, port 7712 – MonsterV2 SHA256 file hash, C2, and port – 2025-03-08\r\nSHA256 7cd1fd7f526d4f85771e3b44f5be064b24fbb1e304148bbac72f95114a13d8c5; C2 83.217.208[.]77, port 7712 – MonsterV2 SHA256 file hash, C2, and port – 2025-05-12\r\nSHA256 0e83e8bfa61400e2b544190400152a54d3544bf31cfec9dda21954a79cf581e9; C2 83.217.208[.]77, port 7712 – MonsterV2 SHA256 file hash, C2, and port – 2025-05-19\r\nSHA256 d221bf1318b8c768a6d824e79c9e87b488c1ae632b33848b638e6b2d4c76182b; C2 91.200.14[.]69, port 7712 – MonsterV2 SHA256 file hash, C2, and port – 2025-05-26\r\nSHA256 69e9c41b5ef6c33b5caff67ffd3ad0ddd01a799f7cde2b182df3326417dfb78e; C2 212.102.255[.]102, port 7712 – MonsterV2 SHA256 file hash, C2, and port – 2025-06-02\r\nSHA256 6237f91240abdbe610a8201c9d55a565aabd2419ecbeb3cd4fe387982369f4ae; C2 84.200.154[.]105, port 7712 – MonsterV2 SHA256 file hash, C2, and port – 2025-06-09\r\nSHA256 b36aac2ea25afd2010d987de524f9fc096bd3e1b723d615a2d85d20c52d2a711; C2 144.172.117[.]158, port 7712 – MonsterV2 SHA256 file hash, C2, and port – 2025-06-16\r\nSHA256 912ef177e319b5010a709a1c7143f854e5d1220d176bc130c5564f5efe8145ed; C2 109.120.137[.]128, port 7712 – MonsterV2 SHA256 file hash, C2, and port – 2025-06-23\r\nSHA256 ba72e8024c90aeffbd56cdf2ab9033a323b63c83bd5df19268978cded466214e; C2 84.200.17[.]240, port 7712 – MonsterV2 SHA256 file hash, C2, and port – 2025-06-30\r\nSHA256 e7bcd70f0ee4a093461cfb964955200b409dfffd3494b692d54618d277cb309e; C2 84.200.77[.]213, port 7712 – MonsterV2 SHA256 file hash, C2, and port – 2025-07-15\r\nSHA256 399d3e0771b939065c980a5e680eec6912929b64179bf4c36cefb81d77a652da; C2 79.133.51[.]100, port 7712 – MonsterV2 SHA256 file hash, C2, and port – 2025-09-01\r\nSHA256 98f647eada829bad4d30594496953ddc788c06044f949514e43c3532a83f79e2 – TA585 evasion – 2025-04-14\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/when-monster-bytes-tracking-ta585-and-its-arsenal",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/when-monster-bytes-tracking-ta585-and-its-arsenal"
	],
	"report_names": [
		"when-monster-bytes-tracking-ta585-and-its-arsenal"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434617,
	"ts_updated_at": 1775826692,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/71a95b439623b661cdc8471148877cac8be199df.pdf",
		"text": "https://archive.orkl.eu/71a95b439623b661cdc8471148877cac8be199df.txt",
		"img": "https://archive.orkl.eu/71a95b439623b661cdc8471148877cac8be199df.jpg"
	}
}