TerraStealerV2 and TerraLogger Detection: Golden Chickens Threat Actor Behind New Malware Families 

May 06, 2025 · 4 min read

The financially motivated Golden Chickens group, known for operating under a MaaS model, has been linked to two newly identified malicious strains, TerraStealerV2 and TerraLogger, which indicates the group’s ongoing efforts to enhance and expand its offensive toolset. TerraStealerV2 collects browser credentials, crypto wallet data, and details from browser extensions, while TerraLogger acts as a standalone keylogger, capturing keystrokes and storing the logs locally.

Detect Golden Chickens Attacks Leveraging TerraStealerV2 and TerraLogger Malware

The Global Economic Forum report highlights that in 2025, around 72% of organizations saw a major increase in cyber risk over the past 12 months, and 63% named the complex and evolving threat landscape as their greatest challenge to becoming cyber resilient. Cybercriminals are becoming more innovative, leveraging automation, AI-generated attacks, zero-day exploits, and sophisticated tactics to breach even the most fortified defenses.

Register for the SOC Prime Platform to outscale the evolving threats like TerraStealerV2 and TerraLogger by Golden Chickens. Access a set of relevant Sigma rules addressing attackers’ TTPs backed by a complete product suite for AI-powered detection engineering, automated threat hunting, and advanced threat detection. Just press the Explore Detections button and immediately drill down to a curated detection stack. 


All the rules are compatible with multiple SIEM, EDR, and Data Lake technologies, and mapped to MITRE ATT&CK® to streamline threat investigation. Moreover, each rule is enriched with extensive metadata, including CTI references, attack timelines, audit configurations, triage recommendations, and more. 

Cyberdefenders can search the Threat Detection Marketplace using “TerraStealerV2” and “TerraLogger” tags to track detection content updates. 

Additionally, security professionals might leverage Uncoder AI – a private IDE & co-pilot for threat-informed detection engineering – now completely free and available without token limits on AI features. Generate detection algorithms from raw threat reports, enable fast IOC sweeps into performance-optimized queries, predict ATT&CK tags, optimize query code with AI tips, translate it across 48 SIEM, EDR, and Data Lake languages, and more. 

Golden Chickens’ Latest Activity Analysis

Recorded Future’s Insikt Group researchers have uncovered two novel malicious samples linked to the Golden Chickens group (aka Venom Spider). Known for operating a MaaS platform leveraged by threat actors like FIN6, Cobalt Group, and Evilnum, Golden Chickens appears to be actively expanding its toolset to support credential theft and keylogging activities.

TerraStealerV2 can harvest browser credentials and target cryptocurrency wallets and extension data. The malware has been observed in diverse formats, such as LNK, MSI, DLL, and EXE, and employs legitimate Windows tools like regsvr32.exe and mshta.exe to avoid detection. Although it attempts to access Chrome’s “Login Data” database, it cannot bypass the ABE (App-Bound Encryption) protections Chrome introduced in July 2024, suggesting it’s still in development or outdated.
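The two behaviours described above (LOLBin execution via regsvr32.exe or mshta.exe, and a non-browser process touching Chrome’s “Login Data” store) are the kind of telemetry a detection rule would key on. The following is an added example, not code from SOC Prime or from the Insikt Group report: a small detection pass in Python over constructed, Sysmon-style process and file events. The event schema, the sample paths and the heuristics for “suspicious” command lines are assumptions for illustration; it generalizes beyond the report by flagging any user-writable path or URL argument, not only TerraStealerV2’s samples.

```python
"""Added example (not SOC Prime's or Insikt Group's code): flag two TerraStealerV2
behaviours in constructed process/file events.
Assumptions: a generic event schema (kind, image, command_line, target_filename)
that an EDR or Windows object-access auditing would supply; all records below are
constructed sample data, not real IoCs."""

import re
from dataclasses import dataclass

# Signed Windows tools the report names as abused by TerraStealerV2.
LOLBINS = {"regsvr32.exe", "mshta.exe"}

# Arguments uncommon for legitimate use: remote URLs or user-writable directories.
SUSPICIOUS_ARGS = re.compile(
    r"(https?://|\\appdata\\|\\temp\\|\\users\\public\\|\\downloads\\)",
    re.IGNORECASE,
)

# Chrome's credential database for any profile (Default, Profile 1, ...).
LOGIN_DATA = re.compile(
    r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$", re.IGNORECASE
)
BROWSER_PROCESSES = {"chrome.exe"}  # processes expected to open Login Data


@dataclass
class Event:
    kind: str                 # "process" (creation) or "file" (access)
    image: str                # full path of the acting process
    command_line: str = ""    # process events only
    target_filename: str = ""  # file events only


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_lolbin(ev: Event):
    """regsvr32/mshta launched with a URL or user-writable path argument."""
    if ev.kind != "process" or basename(ev.image) not in LOLBINS:
        return None
    if SUSPICIOUS_ARGS.search(ev.command_line):
        return f"LOLBin {basename(ev.image)} with suspicious arguments: {ev.command_line}"
    return None


def check_login_data(ev: Event):
    """Any process other than Chrome itself accessing the Login Data database."""
    if ev.kind != "file" or not LOGIN_DATA.search(ev.target_filename):
        return None
    if basename(ev.image) in BROWSER_PROCESSES:
        return None
    return f"Non-browser process {basename(ev.image)} accessed {ev.target_filename}"


def scan(events):
    """Run every check over every event; return the list of alert strings."""
    alerts = []
    for ev in events:
        for check in (check_lolbin, check_login_data):
            hit = check(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample telemetry: three true positives and two benign events.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\regsvr32.exe",
          r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\update.dll"),
    Event("process", r"C:\Windows\System32\mshta.exe",
          r"mshta.exe https://example.invalid/page.hta"),
    Event("process", r"C:\Windows\System32\regsvr32.exe",
          r"regsvr32.exe /s C:\Program Files\Vendor\vendor.dll"),   # benign
    Event("file", r"C:\Users\alice\AppData\Local\Temp\update.exe",
          target_filename=r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event("file", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          target_filename=r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),  # benign
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The path-based heuristics are deliberately loose; in production they would be tuned against the environment’s baseline (for example, installers that legitimately call regsvr32.exe from a temp directory) and the Login Data check would be scoped to the file-access data source actually available.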

Another newly observed malicious strain, TerraLogger, operates as a basic keylogger, using a standard low-level keyboard hook to record keystrokes and save the logs locally. It lacks data exfiltration and C2 features, suggesting it’s either an early-stage tool or designed to work modularly within the Golden Chickens’ MaaS framework. 

Since at least 2018, the Golden Chickens’ MaaS suite has been leveraged in attacks targeting high-profile organizations, primarily via social engineering tactics, such as spearphishing emails posing as job offers or resumes. The suite’s main components are VenomLNK and TerraLoader. Infections typically begin with VenomLNK, a malicious Windows shortcut that launches TerraLoader, which then delivers additional Golden Chickens’ payloads. These include TerraStealer for credential theft, TerraTV for hijacking TeamViewer sessions, and TerraCrypt for deploying ransomware. Other associated tools within the Golden Chickens’ MaaS ecosystem include TerraRecon for system reconnaissance, TerraWiper for data destruction, and lite_more_eggs. In late 2024, Golden Chickens was behind the deployment of the RevC2 backdoor and Venom Loader, both delivered via VenomLNK. 

TerraStealerV2 and TerraLogger appear to still be in active development and lack the sophisticated stealth features usually seen in the more refined parts of the Golden Chickens’ toolkit. However, considering the group’s proven expertise in building credential theft and access tools, these capabilities are expected to mature further. To minimize the risks of Golden Chickens’ attacks, organizations should implement proactive cybersecurity strategies to defend against such continuously evolving threats in a timely manner. SOC Prime Platform equips security teams with a complete product suite for collective cyber defense backed by AI, automation, and real-time intelligence to help global organizations risk-optimize their cybersecurity posture.
