TA585 Unleashes Powerful MonsterV2 Trojan via Fake GitHub, IRS Lures
October 14, 2025
Not all MonsterV2 activity is directly attributable to TA585; it often shares infrastructure with other malware, pointing to a complex threat landscape in which TA585, which specializes in targeted malware delivery and installation, is one managed component.
Researchers have uncovered TA585 as a sophisticated threat actor managing its entire attack chain since February 2025, utilizing phishing and web injection techniques to distribute malware.
TA585 has used fake GitHub security notifications containing malicious URLs to infect targets, with these activity clusters linked to the CoreSecThree framework active since February 2022.
MonsterV2 is packed using SonicCrypt, a C++ crypter that helps it evade detection and includes anti-analysis, anti-sandbox, privilege escalation, and persistence features, with configuration settings that influence its behavior.
TA585 has been actively deploying MonsterV2, also known as Aurotun Stealer, a versatile remote access trojan capable of stealing data, controlling systems remotely, executing commands, capturing screens, keylogging, manipulating files, and deploying additional payloads like Remcos RAT.
MonsterV2 can perform a wide range of malicious activities, including data theft, clipboard cryptocurrency clipping, remote control via HVNC, executing commands, screen capturing, keylogging, file manipulation, system shutdown, and payload downloads.
Once connected to its command-and-control server, MonsterV2 can exfiltrate system data, control processes, take screenshots, run keyloggers, manipulate files, and deploy further malware, demonstrating its adaptability and destructive potential.
The malware is sold by a Russian-speaking actor offering two subscription tiers: a standard version for $800 per month and an enterprise version for $2,000 per month, which includes advanced features like HVNC and Chrome DevTools Protocol.
Cybercriminals have used phishing campaigns exploiting IRS-themed lures, fake PDFs, JavaScript injections on legitimate sites, and fake CAPTCHA overlays to deliver MonsterV2, often via PowerShell commands.
Summary based on 1 source
Source

The Hacker News • Oct 14, 2025
Researchers Expose TA585’s MonsterV2 Malware Capabilities and Attack Chain