Golden Chickens Deploy TerraStealerV2 to Steal Browser Credentials and Crypto Wallet Data
The threat actors known as Golden Chickens have been attributed to two new malware families dubbed TerraStealerV2 and TerraLogger, suggesting continued development efforts to fine-tune and diversify their arsenal.
“TerraStealerV2 is designed to collect browser credentials, cryptocurrency wallet data, and browser extension information,” Recorded Future Insikt Group said. “TerraLogger, by contrast, is a standalone keylogger. It uses a common low-level keyboard hook to record keystrokes and writes the logs to local files.”
Golden Chickens, also known as Venom Spider, is the name given to a financially motivated threat actor linked to a notorious malware family called More_eggs. It’s known to be active since at least 2018, offering its warez under a malware-as-a-service (MaaS) model.
As of 2023, Golden Chickens has been attributed to an online persona known as badbullzvenom, an account that’s believed to be operated jointly by individuals from Canada and Romania. Some of the other malicious tools developed by the e-crime group include More_eggs lite (oka lite_more_eggs), VenomLNK, TerraLoader, and TerraCrypt.
Late last year, Zscaler ThreatLabz detailed new Golden Chickens-related activity involving a backdoor called RevC2 and a loader referred to as Venom Loader, both of which are delivered via a VenomLNK.
The latest findings from Recorded Future show that the threat actors are continuing to work on their offerings, releasing an updated version of their stealer malware that’s capable of harvesting data from browsers, cryptocurrency wallets, and browser extensions.
TerraStealerV2 has been distributed via various formats, such as executable files (EXEs), dynamic-link libraries (DLLs), Windows Installer packages (MSI), and shortcut (LNK) files.
In all these cases, the stealer payload is delivered in the form of an OCX (short for Microsoft’s OLE Control Extension) payload that’s retrieved from an external domain (“wetransfers[.]io”).
“While it targets the Chrome ‘Login Data’ database to steal credentials, it does not bypass Application Bound Encryption (ABE) protections introduced in Chrome updates after July 2024, indicating the malware code is outdated or still under development,” the cybersecurity company said.
The data captured by TerraStealerV2 is exfiltrated to both Telegram and the domain “wetransfers[.]io.” It also leverages trusted Windows utilities, such as regsvr32.exe and mshta.exe, to evade detection.
TerraLogger, also propagated as an OCX file, is engineered to record keystrokes. However, it does not include functionality for data exfiltration or command-and-control (C2) communication, suggesting it is either in early development or intended to be used in conjunction with another malware part of the Golden Chickens MaaS ecosystem.
“The current state of TerraStealerV2 and TerraLogger suggests that both tools remain under active development and do not yet exhibit the level of stealth typically associated with mature Golden Chickens tooling,” Recorded Future said.
“Given Golden Chickens’ history of developing malware for credential theft and access operations, these capabilities will likely continue to evolve.”
The disclosure comes amid the emergence of new stealer malware families like Hannibal Stealer, Gremlin Stealer, and Nullpoint Stealer which are designed to exfiltrate a wide range of sensitive information from its victims.
It also follows the discovery of an updated version of the StealC malware with support for streamlined command-and-control (C2) communication protocol and the addition of RC4 encryption.
“The malware’s payload delivery options have been expanded to include Microsoft Software Installer (MSI) packages and PowerShell scripts,” Zscaler ThreatLabz said in a report published last week.
“A redesigned control panel provides an integrated builder that enables threat actors to customize payload delivery rules based on geolocation, hardware IDs (HWID), and installed software. Additional features include multi-monitor screenshot capture, a unified file grabber, and server-side brute-forcing for credentials.”
The new 2.2.4. version (aka StealC V2), introduced in March 2025, has been observed being distributed via another malware loader called Amadey. The control panel also supports Telegram bot integration for sending notifications and allows customization of message formats.
“StealC V2 introduces improvements, such as enhanced payload delivery, a streamlined communications protocol with encryption, and a redesigned control panel that provides more targeted information collection,” Zscaler said.
