When the Monster Bytes: Tracking TA585 and Its Arsenal

    Date: 10/14/2025

    Severity: High

    Summary

    TA585 is a newly identified and sophisticated cybercriminal group operating its full attack chain—from infrastructure to malware delivery. It frequently uses MonsterV2 malware, which functions as a remote access trojan (RAT), loader, and stealer, and is sold on cybercriminal forums. While TA585 uses MonsterV2, it is not the malware’s creator, and other cybercriminals also use it due to its high cost and advanced features. In March 2025, two U.S. government-themed MonsterV2 campaigns impersonated the IRS and SBA, targeting finance and accounting firms. These campaigns were small in scale, not attributed to any known actor, and notably avoided infecting CIS-region systems.

    Indicators of Compromise (IOC) List 

    IP Addresses:


    SHA-256 Hashes:


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    dstipaddress IN ("84.200.17.240","139.180.160.173","144.172.117.158","83.217.208.77","84.200.154.105","109.120.137.128","155.138.150.12","91.200.14.69","212.102.255.102","84.200.77.213","79.133.51.100") or srcipaddress IN ("84.200.17.240","139.180.160.173","144.172.117.158","83.217.208.77","84.200.154.105","109.120.137.128","155.138.150.12","91.200.14.69","212.102.255.102","84.200.77.213","79.133.51.100")

    Detection Query 2:

    sha256hash IN ("ccac0311b3e3674282d87db9fb8a151c7b11405662159a46dda71039f2200a67","912ef177e319b5010a709a1c7143f854e5d1220d176bc130c5564f5efe8145ed","b36aac2ea25afd2010d987de524f9fc096bd3e1b723d615a2d85d20c52d2a711","7cd1fd7f526d4f85771e3b44f5be064b24fbb1e304148bbac72f95114a13d8c5","d221bf1318b8c768a6d824e79c9e87b488c1ae632b33848b638e6b2d4c76182b","ba72e8024c90aeffbd56cdf2ab9033a323b63c83bd5df19268978cded466214e","666944b19c707afaa05453909d395f979a267b28ff43d90d143cd36f6b74b53e","e7bcd70f0ee4a093461cfb964955200b409dfffd3494b692d54618d277cb309e","0e83e8bfa61400e2b544190400152a54d3544bf31cfec9dda21954a79cf581e9","69e9c41b5ef6c33b5caff67ffd3ad0ddd01a799f7cde2b182df3326417dfb78e","6237f91240abdbe610a8201c9d55a565aabd2419ecbeb3cd4fe387982369f4ae","399d3e0771b939065c980a5e680eec6912929b64179bf4c36cefb81d77a652da")
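    As an added example (not part of the Gurucul page or its product), the following Python evaluates the `field IN ("v1","v2") or field2 IN (...)` shape of the two detection queries above against exported log records, so the IOC sets can be checked offline before or alongside a SIEM search. The regex, the use of the query field names as record keys, the case-insensitive comparison and the sample query and events are all assumptions; the sample values are a small subset of the indicators listed on this page.

```python
import re
from typing import Dict, List, Set, Tuple

# Added example, not Gurucul's engine: evaluates the `field IN ("v1","v2") or field2 IN (...)`
# shape of the queries above against exported log records, offline.
_CLAUSE = re.compile(r'(\w+)\s+IN\s*\(([^)]*)\)', re.IGNORECASE)

# Constructed query: two IPs and one hash copied from the detection queries above.
SAMPLE_QUERY = (
    'dstipaddress IN ("84.200.17.240","139.180.160.173") '
    'or srcipaddress IN ("84.200.17.240","139.180.160.173") '
    'or sha256hash IN ("ccac0311b3e3674282d87db9fb8a151c7b11405662159a46dda71039f2200a67")'
)

# Constructed log records; field names follow the queries above.
SAMPLE_EVENTS = [
    {"srcipaddress": "10.0.0.5", "dstipaddress": "139.180.160.173", "sha256hash": ""},
    {"srcipaddress": "10.0.0.6", "dstipaddress": "93.184.216.34", "sha256hash": "deadbeef"},
    {"srcipaddress": "10.0.0.7", "dstipaddress": "10.0.0.1",
     "sha256hash": "CCAC0311B3E3674282D87DB9FB8A151C7B11405662159A46DDA71039F2200A67"},
]

def parse_in_query(query: str) -> Dict[str, Set[str]]:
    """{field: values} for every `field IN (...)` clause. Values are lower-cased and
    stripped so a hash logged in upper case still matches (adjust if your SIEM is case-sensitive)."""
    clauses: Dict[str, Set[str]] = {}
    for field, raw in _CLAUSE.findall(query):
        values = {v.strip().strip('"').lower() for v in raw.split(",") if v.strip()}
        clauses.setdefault(field.lower(), set()).update(values)
    if not clauses:
        raise ValueError("query contains no `field IN (...)` clause")
    return clauses

def match_event(event: Dict[str, str], clauses: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """(field, observed value) for each clause this record satisfies; clauses are OR-ed."""
    hits = []
    for field, values in clauses.items():
        observed = event.get(field)
        if observed and observed.strip().lower() in values:
            hits.append((field, observed))
    return hits

def hunt(events: List[Dict[str, str]], query: str) -> List[Tuple[int, List[Tuple[str, str]]]]:
    """Index plus matched clauses for every record the query would flag."""
    clauses = parse_in_query(query)
    return [(i, h) for i, e in enumerate(events) if (h := match_event(e, clauses))]
```

Paste the full Query 1 or Query 2 text from this page into `SAMPLE_QUERY` to run the complete IOC set against your own exported records.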

    Reference:

    https://www.proofpoint.com/us/blog/threat-insight/when-monster-bytes-tracking-ta585-and-its-arsenal


    Tags

    Malware, Threat Actor, TA585, MonsterV2, RAT, United States, Financial Services
