Cybercriminal group Golden Chickens, also known as Venom Spider, has rolled out two new malware families—TerraStealerV2 and TerraLogger—signaling ongoing efforts to enhance and diversify their malicious toolkit. These new tools were identified by cybersecurity researchers at Recorded Future’s Insikt Group, revealing that the threat actor remains highly active in the evolving malware-as-a-service (MaaS) landscape.
Golden Chickens has been active since at least 2018 and is infamous for distributing the More_eggs malware. The group sells its tools to other cybercriminals and continues to refine its software to bypass security measures and target valuable data. TerraStealerV2 and TerraLogger reflect this ongoing development, even if both appear to be in early stages of refinement.
TerraStealerV2 Targets Browser Data, Wallets, and Extensions
According to Recorded Future, TerraStealerV2 is designed to steal sensitive user data. Its main targets include browser credentials, cryptocurrency wallet contents, and information from browser extensions. Researchers observed that the malware is distributed via various file formats, including EXE, DLL, MSI, and LNK files. In each case, the final payload is delivered as an OCX file retrieved from a domain called “wetransfers[.]io.”
Once installed, TerraStealerV2 attempts to access Chrome’s “Login Data” database. However, it currently fails to bypass Application Bound Encryption (ABE) protections added in Chrome updates after July 2024. This indicates that the malware is either outdated or still undergoing active development. Despite this, the malware uses trusted Windows utilities such as regsvr32.exe and mshta.exe to avoid detection.
Exfiltration occurs through both Telegram and the “wetransfers[.]io” domain, allowing stolen data to be sent discreetly. This dual-channel exfiltration method is intended to reduce the likelihood of detection during transmission.
In contrast, TerraLogger is a basic keylogger that records keystrokes using a low-level keyboard hook and stores logs in local files. It does not yet include data exfiltration or command-and-control (C2) functionality, suggesting it may be paired with other Golden Chickens tools or is still under construction.
Both malware strains are propagated as OCX files, pointing to a consistent distribution strategy and a preference for leveraging legacy Windows components to maintain a low profile.
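As an added example (not code from the article or from Recorded Future), the following Python helper scans process-creation log lines for the pattern described above: regsvr32.exe loading an OCX from a user-writable directory, or mshta.exe launching remote or user-writable content. The tab-separated log format, file paths and URL are constructed assumptions for illustration.

```python
"""Hunt for regsvr32.exe / mshta.exe abuse consistent with OCX-based delivery.

Added example, not from the article. Log lines are constructed; the format
assumed is "<timestamp>\t<image path>\t<command line>".
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Directories a legitimate COM registration rarely originates from.
USER_WRITABLE = re.compile(r"\\(Users|Temp|AppData|Downloads|ProgramData)\\", re.I)
OCX_ARG = re.compile(r"\S+\.ocx\b", re.I)
REMOTE_ARG = re.compile(r"https?://", re.I)


@dataclass
class Event:
    ts: str
    image: str
    cmdline: str


def parse_event(line: str) -> Event:
    ts, image, cmdline = line.rstrip("\n").split("\t", 2)
    return Event(ts, image, cmdline)


def classify(ev: Event) -> Optional[str]:
    """Return a rule name when the event matches, otherwise None."""
    exe = ev.image.rsplit("\\", 1)[-1].lower()
    if exe == "regsvr32.exe":
        m = OCX_ARG.search(ev.cmdline)
        if m and USER_WRITABLE.search(m.group(0)):
            return "regsvr32_ocx_user_path"
    elif exe == "mshta.exe":
        if REMOTE_ARG.search(ev.cmdline) or USER_WRITABLE.search(ev.cmdline):
            return "mshta_remote_or_user_path"
    return None


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (timestamp, rule) for every line that triggers a rule."""
    hits = []
    for ev in map(parse_event, lines):
        rule = classify(ev)
        if rule:
            hits.append((ev.ts, rule))
    return hits


SAMPLE_LOG = [  # constructed sample events
    "2025-05-01T10:00:01Z\tC:\\Windows\\System32\\regsvr32.exe\tregsvr32.exe /s C:\\Windows\\System32\\msxml3.dll",
    "2025-05-01T10:00:02Z\tC:\\Windows\\System32\\regsvr32.exe\tregsvr32.exe /s C:\\Users\\alice\\AppData\\Local\\Temp\\update.ocx",
    "2025-05-01T10:00:03Z\tC:\\Windows\\System32\\mshta.exe\tmshta.exe https://example.invalid/page.hta",
    "2025-05-01T10:00:04Z\tC:\\Windows\\System32\\notepad.exe\tnotepad.exe C:\\Users\\alice\\notes.txt",
]
```

Run `scan(SAMPLE_LOG)` to see the two suspicious events flagged while the benign registration and notepad launch pass; in practice the path allow-list would be tuned to the environment's software deployment tooling.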
Golden Chickens Expand Arsenal Amid Rising Malware Activity
Golden Chickens has long been associated with an online persona known as badbullzvenom, believed to be operated by individuals in Canada and Romania. Their other tools include More_eggs Lite, VenomLNK, TerraLoader, and TerraCrypt. In late 2023, Zscaler ThreatLabz also linked the group to two new components—RevC2 (a backdoor) and Venom Loader—delivered via the same VenomLNK infection chain.
The emergence of TerraStealerV2 and TerraLogger shows the group is committed to improving its MaaS offerings. However, researchers at Recorded Future note that these two malware families lack the advanced stealth features seen in more mature Golden Chickens tools. They suggest that future updates will likely improve data exfiltration techniques and evasion capabilities.
Meanwhile, the threat landscape continues to expand. Other stealer malware families such as Hannibal Stealer, Gremlin Stealer, and Nullpoint Stealer are also in circulation. These threats aim to extract a broad spectrum of user data, from browser activity to system credentials and stored files.
Adding to the pressure, Zscaler recently uncovered a new version of StealC malware—version 2.2.4 (aka StealC V2)—which includes RC4 encryption and a revamped command-and-control protocol. This version is distributed via Amadey loader and can deliver payloads using MSI packages or PowerShell scripts.
A redesigned control panel now lets attackers customize payload behavior based on geolocation, installed software, and hardware IDs. The new version also includes multi-monitor screenshot capture, a unified file grabber, and Telegram bot integration for real-time updates.
Zscaler emphasized that the upgrade to StealC V2 reflects a broader trend: attackers are investing in automation, adaptability, and stealth to improve their success rates.
As Golden Chickens and similar groups continue to innovate, organizations must stay alert. The malware landscape is becoming more sophisticated, and attackers are clearly in a race to outpace security defenses with agile, customizable toolkits.