TerraStealerV2 and TerraLogger: Golden Chickens' New Malware Families Discovered
Summary:
Recorded Future’s Insikt Group has identified two novel malware families, TerraStealerV2 and TerraLogger, and attributed their use to the financially motivated threat actor Golden Chickens (AKA Venom Spider). These new malware strains, observed between January and April 2025, suggest an ongoing effort to enhance Golden Chickens' credential theft and keylogging capabilities. TerraStealerV2 is designed to exfiltrate browser credentials, cryptocurrency wallet data, and browser extension information, using Telegram and the domain wetransfers[.]io for command-and-control (C2) communication. Notably, although it targets the Chrome “Login Data” database, it does not bypass the Application Bound Encryption (ABE) protections Chrome introduced after July 2024, which may indicate the malware is still in early development and testing. TerraStealerV2 has been distributed in several file formats, including LNK, MSI, DLL, and EXE, often using living-off-the-land (LoTL) techniques that abuse native, trusted Windows utilities for evasion. TerraLogger, by contrast, likely serves a narrower purpose: it is a standalone keylogger that records keystrokes locally but currently has no data exfiltration or C2 functionality. The emergence of these tools, particularly TerraLogger, Golden Chickens' first documented keylogging capability, indicates an expansion of their malware-as-a-service (MaaS) program. Although only recently discovered, both malware families appear to be in active development and may not yet possess the sophisticated stealth features typically associated with Golden Chickens' mature initial access and credential theft operations.
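As an added illustration (not code from the report or the malware), the following Python hunting rules turn the behaviours described above into checks a defender can run over endpoint telemetry: network contact with wetransfers[.]io (the domain named in the report) or the Telegram API host (api.telegram.org is assumed as that host), and a non-browser process reading Chrome's “Login Data” database. The event schema, the sample events and the use of rundll32.exe as the LoTL utility are constructed for this example.

```python
"""Hunting rules for the TerraStealerV2 behaviours described in the bulletin.

Event schema and sample events are constructed for this example; map the
field names onto your own EDR/Sysmon pipeline. api.telegram.org is an assumed
Telegram API host; wetransfers[.]io is the domain the report names.
"""
import re

# Bulletin domain plus the assumed Telegram API host (defanged brackets removed).
C2_DOMAINS = {"wetransfers.io", "api.telegram.org"}
# Chrome's credential store, under any profile directory (Default, Profile 1, ...).
LOGIN_DATA_RE = re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$", re.IGNORECASE)
BROWSER_IMAGES = {"chrome.exe"}  # the only expected reader of Login Data


def score_event(ev):
    """Return (severity, reason) for one telemetry event, or None if benign."""
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    if ev["type"] == "network":
        host = ev["dest_host"].lower().rstrip(".")  # normalise case and trailing dot
        if host in C2_DOMAINS or any(host.endswith("." + d) for d in C2_DOMAINS):
            return ("high", f"{image} contacted C2-associated host {host}")
    elif ev["type"] == "file_read":
        if LOGIN_DATA_RE.search(ev["path"]) and image not in BROWSER_IMAGES:
            return ("medium", f"non-browser process {image} read Chrome Login Data")
    return None


def hunt(events):
    """Run every event through score_event and return only the hits."""
    return [(ev["ts"], *hit) for ev in events if (hit := score_event(ev))]


# Constructed sample telemetry: one benign Chrome read, then a LoTL binary
# touching the credential store and beaconing to the two hosts.
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
LOLBIN = r"C:\Windows\System32\rundll32.exe"
LOGIN_DATA = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"
SAMPLE_EVENTS = [
    {"ts": 1, "type": "file_read", "image": CHROME, "path": LOGIN_DATA},
    {"ts": 2, "type": "file_read", "image": LOLBIN, "path": LOGIN_DATA},
    {"ts": 3, "type": "network", "image": LOLBIN, "dest_host": "wetransfers.io"},
    {"ts": 4, "type": "network", "image": LOLBIN, "dest_host": "api.telegram.org"},
    {"ts": 5, "type": "network", "image": CHROME, "dest_host": "www.example.com"},
]

if __name__ == "__main__":
    for ts, severity, reason in hunt(SAMPLE_EVENTS):
        print(f"[{severity}] t={ts}: {reason}")
```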
Security Officer Comments:
The sudden emergence of TerraStealerV2 and TerraLogger underscores the persistent and evolving threat posed by Golden Chickens. The ongoing development of TerraStealerV2, while currently lacking the ability to bypass newer Chrome ABE protections, still presents a significant risk due to its opportunistic theft of sensitive information, including cryptocurrency wallets. The variety of distribution formats observed for TerraStealerV2 highlights the actor's adaptability in initial access, which likely increases the success of their social engineering attempts. The introduction of TerraLogger as a standalone keylogger is a notable development, suggesting Golden Chickens is expanding its toolkit and potentially offering more granular malware options to its affiliates. The current lack of exfiltration in TerraLogger could indicate it is intended specifically for initial access or as a component to be integrated with other malware within the Golden Chickens ecosystem. The fact that neither malware family exhibits advanced stealth at this stage may provide a window of opportunity for prevention. Organizations should remain vigilant for further developments in these malware families, given Golden Chickens' established track record of refining their tools for financial gain and access operations. Following the mitigation guidance outlined in Insikt Group’s report before these malware families reach maturity will reduce an organization’s risk of compromise.
Suggested Corrections:
IOCs are available in the blog post.
Organizations can make APT groups’ lives more difficult. Here’s how:
- Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
- Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
- Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
- Incident response and recovery: Regardless of preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.
https://www.recordedfuture.com/research/terrastealerv2-and-terralogger