Intel Name: When the monster bytes: tracking TA585 and its arsenal
Date of Scan: October 14, 2025
Impact: High
Summary: TA585 is a newly identified and sophisticated cybercriminal group that operates its full attack chain itself, from infrastructure to malware delivery. It frequently uses MonsterV2, a malware family that functions as a remote access trojan (RAT), loader, and stealer, and is sold on cybercriminal forums. While TA585 uses MonsterV2, it is not the malware's creator, and other cybercriminals also use it due to its high cost and advanced features. In March 2025, two U.S. government-themed MonsterV2 campaigns impersonated the IRS and SBA, targeting finance and accounting firms. These campaigns were small in scale, were not attributed to any known actor, and notably avoided infecting CIS-region systems.