TL;DR: A largely self-owned delivery chain, from compromised websites and web injects to fake verification pages and malware installation, is run by TA585, while MonsterV2 adds stealer, RAT, loader, and privilege-escalation capability, according to Proofpoint. That model compresses attacker friction and raises the bar for user education, email filtering, and post-click containment.
At a glance
What this is: Proofpoint details TA585, a cybercriminal actor that controls most of its delivery chain and uses web injects, fake CAPTCHA flows, and phishing-style lures to install MonsterV2 and related payloads.
Why it matters: This matters because control over delivery, filtering, and payload execution makes the intrusion path faster to adapt and harder to interrupt with single-point defenses.
By the numbers:
- MonsterV2 has been advertised at $2,000 per month for a private development build.
- Rhadamanthys is advertised for $199 per month, making MonsterV2 far more expensive than a common stealer.
- Proofpoint observed MonsterV2 in campaigns that targeted fewer than 200 messages in March 2025.
👉 Read Proofpoint's analysis of TA585, ClickFix delivery, and MonsterV2
Context
TA585 is a reminder that modern malware operations are often built as end-to-end services, not isolated payload drops. The actor controls infrastructure, filtering, delivery, and execution, then hands off the final stage to commodity malware such as MonsterV2 or Rhadamanthys. For defenders, that means the security problem is not just a malicious file, but a carefully managed path from lure to runtime execution.
The identity angle is direct where the campaign relies on fake human verification, compromised websites, and browser or email trust to push users into running PowerShell. That is a governance problem for both human identity controls and machine identity monitoring, because successful social engineering increasingly uses technical filtering to decide who gets the payload. The starting position described here is unusual in its level of operational ownership, not in the underlying social engineering pattern.
Key questions
Q: How should security teams stop fake verification lures from turning users into the execution path?
A: Constrain user-initiated scripting, remove easy paths to PowerShell from standard accounts, and monitor for browser-to-shell transitions that begin with CAPTCHA or verification pages. The control goal is to break the handoff between trust and execution before the command runs. That matters because the lure succeeds by making the user perform the final malicious step.
Q: Why do compromised websites make malware delivery harder to block than ordinary phishing?
A: A compromised legitimate site can serve malicious content only after filtering for a real user, which reduces detection opportunities and makes URL reputation less reliable. Attackers can change the payload path dynamically, then redirect cleanly after execution to avoid obvious failure signals. Defenders need page-behavior telemetry, not just domain reputation.
Q: What do security teams get wrong about infostealer campaigns that also include remote access?
A: They often treat the infection as a single endpoint event, when the real risk is credential theft plus session abuse plus follow-on access. A stealer with RAT and loader functions can move from data theft to persistent control very quickly. That means containment must include token revocation, account review, and endpoint triage together.
Q: Who is accountable when a malicious script is executed by a user through a fake verification page?
A: Accountability is shared across security, endpoint, and user-awareness controls because the failure sits at the boundary between social engineering and local execution. Organisations must be able to show that they constrained unsafe script paths, monitored for suspicious browser-to-shell behavior, and responded by invalidating exposed credentials and sessions.
Technical breakdown
Compromised websites and web injects as a delivery layer
TA585 often begins with compromised legitimate websites that load malicious JavaScript injection for selected visitors. The script overlays the real page with a fake CAPTCHA or verification step, then filters traffic so the payload only reaches a live user. This reduces noisy exposure and helps the actor avoid automated analysis. The mechanism is closer to a dynamic delivery platform than a simple phishing page, because the site actively changes content and behavior after the initial load.
Practical implication: web filtering alone is not enough when the lure is delivered through a trusted site that mutates after page load.
ClickFix turns user interaction into code execution
ClickFix is a social engineering pattern that instructs the target to copy and paste a command into Win+R or PowerShell. In TA585's campaigns, that command downloads and runs the next-stage payload, often after a staged verification page confirms the visitor is a real person. The important detail is that the user becomes the execution bridge, which bypasses some email and browser safeguards. This is why the tactic is effective even when the initial site appears legitimate.
Practical implication: block or heavily constrain non-administrative PowerShell and user-initiated script execution paths.
MonsterV2 combines stealing, remote control, and escalation
MonsterV2 is advertised as a RAT, loader, and stealer, and Proofpoint observed it collecting browser data, tokens, wallet information, files, webcam images, and clipboard contents. It can also request privileges such as SeDebugPrivilege and SeTakeOwnershipPrivilege, which are commonly associated with deeper process access and privilege escalation. That combination makes it useful both for initial monetisation and for follow-on access. The malware's modular design means a single infection can support multiple criminal objectives without changing the delivery infrastructure.
Practical implication: threat hunting should look for privilege requests, suspicious process creation, and post-execution data access patterns, not just the initial payload hash.
Threat narrative
Attacker objective: The objective is to convert a trusted browsing or email interaction into durable criminal access, data theft, and monetisable post-exploitation capability.
- Entry occurs when a user lands on a compromised site or clicks a malicious notification that leads to a fake verification page and a PowerShell prompt.
- Escalation follows when the user executes the instructed command and MonsterV2 or Rhadamanthys is downloaded, written to disk, and launched.
- Impact is achieved when the payload steals data, opens remote access, and supports additional malware delivery or account abuse.
Breaches seen in the wild
- Coupang Signing Key Breach — Unrevoked signing key credentials expose 33.7 million records after employee offboarding failure at Coupang.
- Shai Hulud npm malware campaign — Shai Hulud campaign: npm malware exposed secrets on GitHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Owned delivery chains are now a threat-modeling category, not an implementation detail. TA585 matters because the actor controls infrastructure, filtering, lure delivery, and installation rather than relying on rented access at every step. That shifts detection value toward chain interruption, not just payload blocking. Security teams should treat end-to-end delivery ownership as a sign that the attacker can iterate faster than point controls can adapt.
ClickFix is a governance problem because it collapses the boundary between user intent and code execution. The user is persuaded to become the execution mechanism, which makes standard email hygiene and web filtering insufficient on their own. This is where identity and endpoint governance intersect: human trust is being used to trigger privileged local action. Practitioners should see this as a control boundary failure, not just a phishing variant.
MonsterV2 shows how commodity malware now packages identity abuse, remote access, and escalation in one workflow. Stealer, RAT, loader, clipboard hijacking, and privilege escalation capabilities collapse what used to be separate criminal stages into a single post-execution toolkit. That makes identity theft and session abuse more operationally valuable than simple endpoint compromise. The practitioner takeaway is to treat stolen tokens and local privilege abuse as linked consequences, not isolated findings.
Filtering that distinguishes real users from automation is becoming a criminal capability, not just a defensive one. TA585's beaconing and redirect logic lets the actor deny access until the target completes the script, which is a crude but effective trust gate. That creates a new class of pre-infection validation that defenders need to understand in both browser and email contexts. The field should expect more lures that behave like short-lived access workflows rather than static malicious pages.
From our research:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to The 2026 Infrastructure Identity Survey.
- 67% of organisations still rely heavily on static credentials despite the risks they pose to agentic AI deployments, according to The 2026 Infrastructure Identity Survey.
- See also 52 NHI Breaches Analysis for the recurring patterns behind over-privilege and credential exposure.
What this signals
The practical lesson from TA585 is that delivery-chain ownership and user-triggered execution are converging into a single risk surface. That means SOC and endpoint teams need to watch for browser-to-shell transitions, suspicious verification overlays, and token theft in the same incident queue. Trust-gated delivery: attackers now use behavior checks and redirects to decide who receives malware, which makes static detections less reliable and raises the value of runtime telemetry.
For identity programmes, the important signal is not just compromise but post-compromise access persistence. When a stealer also functions as a loader or remote desktop tool, exposed sessions, browser tokens, and collaboration accounts become the real extension of the breach. This is where identity governance and endpoint response must converge, and the NIST Cybersecurity Framework 2.0 detection and response functions are a useful anchor for that operating model.
The next operational step is to align browser hardening, script control, and token revocation with the same urgency normally reserved for endpoint malware. That includes reviewing how often users can launch PowerShell, how quickly revoked sessions actually disappear, and whether incident playbooks treat infostealer alerts as an identity event as well as a device event.
For practitioners
- Constrain interactive script execution paths Block or tightly restrict non-administrative PowerShell, Win+R-based command execution, and other user-driven scripting paths on managed endpoints, especially for finance and accounting users who are frequently targeted by invoice and government-themed lures.
- Detect compromised-site delivery patterns Add detections for pages that load an overlay, repeatedly beacon before redirecting, or gate access on a manual verification step, because those behaviors often indicate filtering infrastructure rather than normal website content. Use browser telemetry and sandboxing to surface the page-beacon-redirect sequence.
- Hunt for post-execution privilege abuse Search for SeDebugPrivilege, SeTakeOwnershipPrivilege, unusual child processes from scripting hosts, and rapid file writes followed by task scheduler execution, because MonsterV2 and similar payloads often combine escalation with persistence and loader behavior.
- Treat stolen tokens as a parallel incident stream When infostealer indicators appear, reset credentials and invalidate sessions across browser accounts, SaaS tokens, and collaboration services, because the malware's objective includes login data, tokens, wallet information, and remote control.
Key takeaways
- TA585 matters because it owns most of the delivery chain, which lets it adapt faster than defenses built around single-stage phishing or malware blocking.
- MonsterV2 combines stealing, remote access, and privilege escalation, so a single execution can become an identity, endpoint, and session-abuse incident.
- The strongest controls here are script-constraining endpoints, browser-behavior detection, and rapid credential and session revocation after exposure.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| MITRE ATT&CK | TA0001 , Initial Access; TA0002 , Execution; TA0004 , Privilege Escalation; TA0006 , Credential Access; TA0011 , Command and Control | The article maps directly to delivery, execution, credential theft, and C2 behavior. |
| NIST CSF 2.0 | DE.CM-1 | Monitoring for suspicious page and process behavior fits continuous detection. |
| NIST SP 800-53 Rev 5 | AC-6 | Least privilege limits the damage from malware requesting elevated permissions. |
| CIS Controls v8 | CIS-8 , Audit Log Management | Visibility into PowerShell, task scheduler, and process activity is critical here. |
Map TA585-style chains to these ATT&CK tactics and prioritize detections that break the browser-to-shell transition.
Key terms
- ClickFix: A browser-delivered social engineering technique that persuades a user to paste and execute a malicious command, usually through clipboard manipulation and a fake instruction sequence. The key risk is that the endpoint may see a normal user action even though the payload originated from a hostile webpage.
- Infostealer: An infostealer is malware built to collect credentials, session material, tokens, and other authentication data from infected systems. In NHI programmes, the risk is not only theft but reuse, because harvested workload secrets can unlock cloud access long after the initial infection.
- Loader: A loader is malware whose main job is to retrieve, decrypt, inject, or launch a second-stage payload. In these campaigns, loaders are not the final objective. They are the mechanism that turns an initial click into remote access, persistence, or data theft.
- HVNC: HVNC, or Hidden Virtual Network Computing, gives an attacker a remote desktop-like view of the infected system without the obvious screen changes associated with ordinary remote access tools. It is often used to operate interactively while avoiding user awareness and some security monitoring.
What's in the full report
Proofpoint's full report covers the operational detail this post intentionally leaves for the source:
- Campaign timelines, infrastructure indicators, and example lure pages for TA585's web-inject and GitHub-themed activity.
- The malware's configuration structure, privilege requests, and anti-analysis behavior across sampled MonsterV2 variants.
- Specific detection content, including the Emerging Threats rule and indicator list tied to observed check-ins.
- Detailed analysis of SonicCrypt packing, task scheduler execution, and the technical unpacking flow.
Deepen your knowledge
NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, secrets management, workload identity, and agentic AI identity. It helps practitioners connect identity control to the broader security programme that must contain token theft and privilege abuse.
Published by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org