MonsterV2
MonsterV2 is a subscription-based malware-as-a-service family advertised on cybercriminal forums since at least February 2025 and also referred to as Aurotun Stealer. It is consistently described as a multifunctional remote access trojan (RAT), stealer, loader, and backdoor. Reported capabilities include theft of browser credentials, login data, credit card data, cryptocurrency wallet data, Steam/Telegram/Discord tokens, files and documents; desktop viewing and capture; webcam recording; clipboard cryptocurrency address replacement (clipper); hidden virtual network computing (HVNC) for covert remote desktop access; command execution; and downloading/executing additional payloads. Proofpoint observed MonsterV2 loading additional malware including StealC V2 and Remcos. The malware may query api.ipify[.]org before C2 communication to obtain external IP/location and test connectivity, and it avoids infecting systems in CIS countries. Technical reporting notes configuration/C2 protection using ChaCha20 and ZLib, and frequent packing with the SonicCrypt crypter, which adds anti-analysis checks and can execute decrypted payloads via Windows Task Scheduler COM. MonsterV2 is strongly associated with TA585, which frequently delivered it in 2025 via ClickFix social-engineering campaigns using phishing lures, compromised websites with malicious JavaScript fake CAPTCHA overlays, and abused GitHub notification emails. Observed lures included IRS and U.S. Small Business Administration themes, with finance and accounting firms among targets in some campaigns. MonsterV2 has also been distributed by CastleLoader, which has delivered multiple infostealers and RATs.
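The delivery and first-contact behaviours above (ClickFix paste of a PowerShell command from the Run dialog, then an external-IP lookup via api.ipify.org before the C2 connection) give a defender two correlatable signals. The following is an added triage example, not code from Mallory, Proofpoint or any cited report; the telemetry, process IDs and hostnames are constructed, and real detections should also cover PID reuse and other interpreters.

```python
from dataclasses import dataclass
import re

@dataclass
class Event:
    kind: str            # "process" (creation) or "network" (outbound connection)
    pid: int
    parent_image: str = ""
    image: str = ""
    cmdline: str = ""
    dest_host: str = ""

# Constructed sample telemetry; not real indicators.
SAMPLE = [
    Event("process", 4100, parent_image=r"C:\Windows\explorer.exe",
          image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          cmdline='powershell.exe -w hidden -c "<constructed pasted command>"'),
    Event("network", 4100, dest_host="api.ipify.org"),           # external-IP check
    Event("network", 4100, dest_host="c2.example.invalid"),      # follow-on C2
    Event("process", 5200, parent_image=r"C:\Windows\System32\cmd.exe",
          image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          cmdline="powershell.exe -File build.ps1"),             # benign build script
    Event("network", 5200, dest_host="api.ipify.org"),           # lookup alone: no alert
]

# Hidden window or encoded command, the usual shape of a ClickFix paste.
HIDDEN_FLAGS = re.compile(r"-w(?:indowstyle)?\s+hidden|-e(?:nc|ncodedcommand)?\b", re.I)

def triage(events):
    """Return {pid: [reasons]} for PowerShell processes launched from the
    Run dialog (parent explorer.exe) or with hidden/encoded flags, and add a
    reason when the same pid resolves its external IP and then connects elsewhere."""
    suspects = {}
    for e in events:
        if e.kind == "process" and e.image.lower().endswith("powershell.exe"):
            reasons = []
            if e.parent_image.lower().endswith(r"\explorer.exe"):
                reasons.append("powershell spawned by explorer.exe (Run dialog)")
            if HIDDEN_FLAGS.search(e.cmdline):
                reasons.append("hidden window or encoded command")
            if reasons:
                suspects[e.pid] = reasons
    did_ip_lookup = set()
    for e in events:
        if e.kind == "network" and e.pid in suspects:
            if e.dest_host.lower() == "api.ipify.org":
                did_ip_lookup.add(e.pid)
            elif e.pid in did_ip_lookup:
                suspects[e.pid].append(f"external-IP lookup then connection to {e.dest_host}")
    return suspects
```

Running `triage(SAMPLE)` flags only pid 4100, with three reasons; the build-script process is ignored even though it also queried api.ipify.org.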
Groups observed using it
1 distinct threat actor attributed by public researchers.
The main malware payload used by TA585 is MonsterV2, a backdoor, stealer and loader MaaS.
Techniques & procedures
1 distinct technique documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique: "weaponized attachments distributed via phishing emails"; "phishing email contained a ZIP file"; "malicious ICS files"; "malicious SVG files"
Recent activity
8 sources tracked across advisories, community write-ups, and news.
Named as an infostealer family distributed by CastleLoader.
MonsterV2 is a malware family distributed via the CastleLoader framework.
Subscription-based MaaS malware family advertised in Feb 2025. Delivered via ClickFix social engineering (victim copy/pastes PowerShell), then installs to steal credentials/tokens/crypto wallet data and provides hidden remote control via HVNC.
Multi-capability malware sold on criminal forums and delivered by TA585; functions as a RAT/loader/stealer and includes geofencing to avoid CIS infections.