Full Report
Insikt Group reveals two emerging malware strains—TerraStealerV2 and TerraLogger—linked to Golden Chickens, a threat actor behind credential theft and keylogging MaaS platforms. Learn how these tools operate and evolve.
Analysis Summary
# Threat Actor: Golden Chickens (Venom Spider)
## Attribution & Identity
**Primary Name:** Golden Chickens
**Aliases:** Venom Spider, badbullzvenom (believed persona operated jointly by individuals from Moldova and Montreal, Canada)
**Associations:** Operates a Malware-as-a-Service (MaaS) platform used by groups like FIN 6, Cobalt Group, and Evilnum.
## Activity Summary
Golden Chickens is a financially motivated threat actor known for operating a modular MaaS platform since at least 2018. They deploy tooling via campaigns often utilizing social engineering vectors, such as spearphishing emails featuring fake job offers or resumes. Recent observed activity between January and April 2025 involved the development and deployment of two new malware families:
1. **TerraStealerV2:** Designed for credential theft, including browser credentials and cryptocurrency wallet data.
2. **TerraLogger:** A new, standalone keylogger module observed for the first time in their ecosystem.
Between August and October 2024, they also deployed **RevC2** and **Venom Loader** via VenomLNK campaigns, using lures involving cryptocurrency payment requests and software API documentation. Campaign history includes attacks against high-value organizations like British Airways, Newegg, and Ticketmaster UK.
## Tactics, Techniques & Procedures
- **Initial Access:** Delivery via initial infections using **VenomLNK** (malicious Windows shortcut files) which execute **TerraLoader**. Delivery formats observed for new malware include LNK, MSI, DLL, and EXE files.
- **Execution/Defense Evasion:** Leveraging trusted Windows utilities such as `regsvr32.exe` and `mshta.exe` to evade detection.
- **Credential Access (TerraStealerV2):** Targets the Chrome "Login Data" database to steal credentials.
- **Input Capture (TerraLogger):** Uses a common low-level keyboard hook to record keystrokes.
- **Data Staging/Exfiltration (TerraStealerV2):** Data is exfiltrated to Telegram and external domains.
* *Note: TerraStealerV2 currently does not bypass Application Bound Encryption (ABE) protections in newer Chrome versions, suggesting active development.*
## Targeting
**Sectors:** High-value organizations. Previously linked to attacks on travel and retail sectors.
**Geography:** Affiliates are linked to Russia (FIN6) and Belarus (Evilnum). The developer persona is speculated to be linked to Moldova and Canada.
**Victims:** British Airways, Newegg, Ticketmaster UK.
## Tools & Infrastructure
**Malware Families:**
* **New:** TerraStealerV2 (Credential Stealer/Info Stealer), TerraLogger (Standalone Keylogger).
* **Core/Previous:** TerraLoader (Loader), VenomLNK (Initial Delivery), TerraStealer (Previous stealer), TerraTV (TeamViewer hijacking), TerraCrypt (Ransomware), TerraRecon (Reconnaissance), TerraWiper (Data Wiper), RevC2, Venom Loader.
* **Note:** TerraLogger writes logs locally (e.g., `c:\programdata\save.txt`, `op.txt`, `a.txt`, etc.) but lacks native C2/exfiltration capabilities.
**Infrastructure (C2/Exfiltration):**
* wetransfers\[.\]io
* Telegram (used for exfiltration by TerraStealerV2)
## Implications
Golden Chickens continues to actively develop and iterate on its modular MaaS platform, as evidenced by the introduction of TerraLogger (a new capability) and TerraStealerV2 components. Their services are exploited by established cybercriminal organizations, posing a significant, adaptable threat. The malware, while showing ongoing development, is currently not as stealthy as its mature counterparts regarding modern browser security measures (like Chrome ABE).
## Mitigations
Organizations should implement general security best practices outlined in the associated report to reduce the risk of compromise, as Golden Chickens tooling is expected to mature and incorporate stronger evasion techniques. Specific focuses should include monitoring for:
* Execution of trusted Windows utilities for malicious purposes (e.g., using `regsvr32.exe` or `mshta.exe` outside of expected administrative tasks).
* Unusual activity related to LNK, MSI, DLL, or EXE delivery mechanisms.
* Monitoring for potential credential theft indicators targeting browser data stores.
* Considering network monitoring for exfiltration to known C2 destinations, such as wetransfers\[.\]io.