The notorious cybercriminal group known as Golden Chickens, also referred to as Venom Spider, is back in the spotlight. Cybersecurity researchers have uncovered two new malware strains tied to the group—TerraStealerV2 and TerraLogger—both designed to harvest sensitive information and expand the group’s malware-as-a-service (MaaS) offerings.
According to threat intelligence firm Recorded Future, TerraStealerV2 focuses on extracting browser credentials, cryptocurrency wallet data, and information from browser extensions. Meanwhile, TerraLogger operates as a classic keylogger, quietly recording keystrokes and storing them locally, though it lacks the ability to exfiltrate data or connect to command-and-control (C2) servers—at least for now.
Golden Chickens has been active since 2018, with previous tools like More_eggs, VenomLNK, TerraLoader, and TerraCrypt making headlines in cybercrime circles. The group is believed to be operated by individuals based in Canada and Romania, with a known online persona called badbullzvenom at the helm.
The group’s latest tools were detailed in fresh reports from both Recorded Future and Zscaler ThreatLabz, highlighting ongoing development and experimentation within the Golden Chickens ecosystem.
TerraStealerV2 Exploits Browser Weaknesses, But Lacks ABE Bypass
TerraStealerV2 has been distributed in several formats—EXE, DLL, MSI, and LNK files—with the payload itself typically packaged as an OCX (OLE Control Extension) file, the format Windows uses for ActiveX controls. Once activated, the malware retrieves the malicious OCX file from an external domain hosted at wetransfers[.]io.
The stealer specifically targets Chrome’s “Login Data” database to pull stored usernames and passwords. However, it fails to bypass Application Bound Encryption (ABE)—a security layer introduced in Chrome updates after July 2024—suggesting the malware is either outdated or still being tested.
Data stolen through TerraStealerV2 is transmitted back to attackers via both Telegram channels and the wetransfers[.]io domain. To dodge detection, it cleverly abuses legitimate Windows utilities such as regsvr32.exe and mshta.exe—a common trick used in fileless malware attacks.
TerraLogger: A Work in Progress
Unlike its counterpart, TerraLogger appears far less refined. It functions as a basic keystroke recorder without built-in data exfiltration or C2 capabilities. Distributed in a similar OCX format, TerraLogger likely serves as a modular component that may be used alongside other malware within the Golden Chickens toolkit.
Both TerraStealerV2 and TerraLogger still show signs of being under active development, lacking the stealth and polish typically associated with Golden Chickens malware. Still, their introduction reinforces the group’s consistent efforts to innovate and expand its range of credential theft tools.
A Growing Landscape of Stealer Malware
Golden Chickens’ recent activity surfaces at a time when other stealer malware families are also gaining traction. New variants like Hannibal Stealer, Gremlin Stealer, and Nullpoint Stealer are being designed to siphon off an increasingly broad set of sensitive data—from login credentials to session tokens and digital wallets.
In parallel, Zscaler ThreatLabz has reported an upgraded version of StealC malware, now in version 2.2.4. This latest iteration includes RC4 encryption, improved C2 communication, and a newly built control panel offering customized payload delivery based on geolocation, hardware ID (HWID), and installed software. The tool even enables multi-monitor screenshot capture and brute-force credential theft, all with Telegram bot integration for real-time alerts.
The evolution of malware like StealC V2 and TerraStealerV2 underscores a broader trend: cybercrime groups are increasingly building modular, flexible, and highly targeted malware platforms. Whether for stealing passwords or draining crypto wallets, these tools are becoming more powerful—and harder to detect.
Final Thoughts
The emergence of Golden Chickens malware variants TerraStealerV2 and TerraLogger shows that this threat actor isn’t slowing down. While these tools may still be under development, they hint at what’s to come: more aggressive, stealthy, and specialized malware strains targeting browser data, financial assets, and enterprise systems.
Security teams should remain vigilant and update defenses to monitor for OCX-based payloads, abuse of Windows scripting tools, and data exfiltration via trusted platforms like Telegram. As threat actors continue to refine their techniques, early detection and layered defense remain critical.
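As an added illustration of the monitoring advice above (and of the regsvr32.exe/mshta.exe abuse described earlier), the following Python script is example detection logic written for this article; it is not code from Recorded Future, Zscaler ThreatLabz, or the malware itself. It triages Sysmon-style events (real event IDs: 1 process creation, 7 image load, 22 DNS query) represented in a simple constructed `key=value|key=value` line format, and flags the three behaviours the report names: regsvr32.exe or mshta.exe handed a URL or an .ocx from a user-writable directory, an .ocx loaded from such a directory, and DNS lookups for wetransfers[.]io (from the report) or api.telegram.org (Telegram's Bot API host). The sample events, paths, and the example.invalid URL are constructed.

```python
import re
from dataclasses import dataclass

# Sysmon event IDs (real identifiers): 1 = process creation, 7 = image loaded, 22 = DNS query.
PROCESS_CREATE, IMAGE_LOADED, DNS_QUERY = 1, 7, 22

# Windows utilities the report says TerraStealerV2 abuses for execution.
WATCHED_LOLBINS = {"regsvr32.exe", "mshta.exe"}

# wetransfers.io is the domain named in the report; api.telegram.org is the
# Telegram Bot API endpoint, the usual channel for "Telegram exfiltration".
WATCHED_DOMAINS = {"wetransfers.io", "api.telegram.org"}

# Directories an unprivileged user can write to; an OLE control living here is unusual.
USER_WRITABLE = re.compile(
    r"(\\users\\[^\\]+\\(appdata|downloads|desktop)|\\programdata|\\windows\\temp)\\", re.I)
REMOTE_ARG = re.compile(r"https?://", re.I)
OCX_PATH = re.compile(r'[A-Za-z]:\\[^\s"]+\.ocx', re.I)


@dataclass
class Finding:
    event_id: int
    rule: str
    detail: str


def parse_event(line):
    """Parse one constructed 'key=value|key=value' event line into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    fields["EventID"] = int(fields["EventID"])
    return fields


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def inspect(ev):
    """Return the list of Findings a single event triggers (empty if benign)."""
    findings = []
    eid = ev["EventID"]
    if eid == PROCESS_CREATE:
        image = basename(ev.get("Image", ""))
        cmd = ev.get("CommandLine", "")
        if image in WATCHED_LOLBINS:
            # LOLBin pointed at a remote resource instead of a local file.
            if REMOTE_ARG.search(cmd):
                findings.append(Finding(eid, "lolbin_remote_argument", f"{image} given a URL: {cmd}"))
            # LOLBin registering an .ocx dropped into a user-writable directory.
            match = OCX_PATH.search(cmd)
            if match and USER_WRITABLE.search(match.group(0)):
                findings.append(Finding(eid, "lolbin_user_dir_ocx", f"{image} registering {match.group(0)}"))
    elif eid == IMAGE_LOADED:
        loaded = ev.get("ImageLoaded", "")
        if loaded.lower().endswith(".ocx") and USER_WRITABLE.search(loaded):
            findings.append(Finding(eid, "ocx_from_user_dir", f"{basename(ev.get('Image', ''))} loaded {loaded}"))
    elif eid == DNS_QUERY:
        query = ev.get("QueryName", "").lower().rstrip(".")
        if any(query == d or query.endswith("." + d) for d in WATCHED_DOMAINS):
            findings.append(Finding(eid, "watched_domain_lookup", f"{basename(ev.get('Image', ''))} resolved {query}"))
    return findings


def triage(lines):
    """Run inspect() over a sequence of event lines and collect all Findings."""
    out = []
    for line in lines:
        out.extend(inspect(parse_event(line)))
    return out


# Constructed sample telemetry, not real events.
SAMPLE_EVENTS = [
    # Benign: a control registered from System32.
    "EventID=1|Image=C:\\Windows\\System32\\regsvr32.exe|CommandLine=regsvr32.exe /s C:\\Windows\\System32\\msxml3.dll",
    # Suspicious: mshta.exe handed a URL.
    "EventID=1|Image=C:\\Windows\\System32\\mshta.exe|CommandLine=mshta.exe https://example.invalid/stage",
    # Suspicious: regsvr32 registering an .ocx from the user's temp directory.
    "EventID=1|Image=C:\\Windows\\System32\\regsvr32.exe|CommandLine=regsvr32.exe /s C:\\Users\\alice\\AppData\\Local\\Temp\\setup.ocx",
    # Suspicious: that .ocx being mapped into a process.
    "EventID=7|Image=C:\\Windows\\System32\\regsvr32.exe|ImageLoaded=C:\\Users\\alice\\AppData\\Local\\Temp\\setup.ocx",
    # Benign DNS lookup from the browser.
    "EventID=22|Image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|QueryName=www.example.com",
    # Suspicious DNS: Telegram Bot API and the reported domain, from a LOLBin.
    "EventID=22|Image=C:\\Windows\\System32\\regsvr32.exe|QueryName=api.telegram.org",
    "EventID=22|Image=C:\\Windows\\System32\\regsvr32.exe|QueryName=wetransfers.io",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[Sysmon {f.event_id}] {f.rule}: {f.detail}")
```

The rules deliberately key on behaviour (where the control came from, what the utility was asked to do, which host resolved) rather than on file hashes, since the report notes both families are still changing; in production the same checks map naturally onto a SIEM query or Sigma rule over Sysmon events 1, 7 and 22.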