TerraStealerV2 Malware: The New Weapon of the Golden Chickens Group

The Golden Chickens group (also known as Venom Spider) recently released a new info-stealer malware called TerraStealerV2, designed to steal passwords, browser data, and cryptocurrency wallets. This development in the Golden Chickens' arsenal signals an escalation in cyber threats, as the group is known for sophisticated attacks and malware offered as a service to other criminals. In this article, we will explain in accessible language who the Golden Chickens are, what TerraStealerV2 is and why it is dangerous, who its primary targets are, and what security lessons can be learned from this attack. Finally, we’ll include a call to action for companies and readers on how to protect themselves against such advanced threats.

Golden Chickens – Who They Are and Their Attack History

Golden Chickens is a financially motivated cybercrime group active since at least 2018. They operate using a Malware-as-a-Service (MaaS) model, developing and renting out cyberattack tools to other hackers. One notable example is the More_eggs trojan, a stealth backdoor used in spear-phishing campaigns involving fake job offers on LinkedIn to infect business professionals. Tools developed by Golden Chickens have been used by top-tier criminal groups like Cobalt Group, FIN6, and Evilnum, resulting in global attacks with damages exceeding $1.5 billion.

Over time, their malware portfolio expanded to include lite versions of More_eggs, loaders such as VenomLNK and TerraLoader, and encryption tools like TerraCrypt. The online alias “badbullzvenom” is associated with the group, possibly operated by individuals based in Canada or Eastern Europe. Their resurgence in 2025 with new tools suggests they are continuously refining their tactics to stay ahead of security defenses.

What Is TerraStealerV2 and How Does It Work?

TerraStealerV2 is a newly developed info-stealer malware capable of extracting sensitive information from infected systems. According to Recorded Future’s Insikt Group, it targets browser credentials (saved usernames and passwords), cryptocurrency wallet data, and browser extension information.

Stealth Techniques and Detection Evasion: TerraStealerV2 uses advanced evasion techniques to remain undetected. It is deployed via OCX files (Microsoft ActiveX controls), executed using Windows’ legitimate utility regsvr32.exe. Because regsvr32.exe is a signed, trusted Windows binary, the malicious code runs under its name, which allows the malware to run code from external domains without triggering standard antivirus alerts.

TerraStealerV2 checks its execution path, only running malicious code if conditions match its delivery method—an anti-analysis trick to confuse malware researchers. It may also leverage mshta.exe, another legitimate Windows utility, to execute malicious scripts under the guise of normal system activity.

How It Steals Data: TerraStealerV2 specifically targets Google Chrome’s Login Data file, where saved credentials are stored. It forcibly shuts down Chrome processes to unlock the database file, copies it to a temporary location, and attempts to extract passwords. However, due to Google’s Application Bound Encryption (ABE) introduced in July 2024, it cannot decrypt passwords protected by this mechanism, highlighting its current development limitations.

Exfiltration Mechanism: Stolen data is exfiltrated via dual channels—sent both to a command-and-control server disguised under a domain like wetransfers[.]io and to a private Telegram channel used by attackers.

TerraLogger – A New Keylogger Module: Alongside TerraStealerV2, the group introduced TerraLogger, their first keylogger, which captures all keystrokes on the victim’s system. It uses low-level Windows hooks and logs data to a local file, including special characters and active window titles. TerraLogger doesn’t yet transmit data externally, suggesting it’s still in development or intended to be used with other modules.

Main Targets of These Attacks

Golden Chickens and their clients target both organizations and individuals, depending on opportunity and potential gain:

  • Organizations: Past campaigns focused on HR departments or recruiters via fake resumes and job offers. Once compromised, attackers could move laterally within corporate networks. Their tools have been linked to major attacks on companies like British Airways and Ticketmaster UK.
  • Individuals: Especially those holding digital assets or searching for jobs. TerraStealerV2 targets cryptocurrency wallets and saved browser passwords, making crypto enthusiasts and online banking users high-value targets.

In short, their aim is to monetize stolen data, either by reselling credentials or directly accessing financial accounts.

Security Lessons from the TerraStealerV2 Campaign

Key takeaways for users and businesses:

  • Keep software updated: Recent Chrome updates (like ABE) prevented full password theft.
  • Beware of phishing: Scrutinize unsolicited job offers or resumes.
  • Use strong authentication: Enable 2FA and password managers instead of browser-based storage.
  • Monitor system and network activity: Detect unusual use of regsvr32.exe, mshta.exe, or outbound traffic to suspicious domains.
  • Limit access privileges: Restrict admin rights and segment internal networks to minimize lateral movement after a breach.

By following these practices, organizations and individuals can significantly reduce the risk posed by modern info-stealers.
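To make the monitoring advice concrete, here is an added example (not code from the article, Hack & Fix, or the Golden Chickens tooling) of simple detection rules for the behaviours described above: regsvr32.exe or mshta.exe launched with a payload from a user-writable folder or a URL, Chrome being force-terminated, a non-browser process reading Chrome’s Login Data file, and outbound connections from those utilities or to a watchlisted domain. The events are constructed, Sysmon/EDR-style records with invented paths and user names; the only indicator taken from the article is the defanged domain wetransfers[.]io, and api.telegram.org is included on the assumption that the “private Telegram channel” is reached through the Telegram Bot API.

```python
"""Toy detection rules for the TerraStealerV2 behaviours discussed above,
run over constructed Sysmon/EDR-style events (added example, not vendor code)."""
import re

# wetransfers[.]io comes from the article (kept defanged here); api.telegram.org
# is an assumption about how a Telegram exfil channel would be reached.
WATCHLIST_DEFANGED = ["wetransfers[.]io", "api.telegram.org"]

# Paths a normal installer would not load an OCX/HTA from.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Downloads|Desktop)|ProgramData|Windows\\Temp)\\", re.I)
LOLBINS = {"regsvr32.exe", "mshta.exe"}          # living-off-the-land binaries named in the article
BROWSER_IMAGES = {"chrome.exe"}                  # processes allowed to touch Login Data
LOGIN_DATA = re.compile(r"\\User Data\\[^\\]+\\Login Data$", re.I)


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'evil[.]tld' back into a matchable hostname."""
    return domain.replace("[.]", ".").lower()


WATCHLIST = {refang(d) for d in WATCHLIST_DEFANGED}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


# Constructed sample telemetry; user 'alice' and all file names are invented.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\regsvr32.exe",          # 0: benign install
     "cmdline": r'regsvr32.exe /s "C:\Windows\System32\msxml6.dll"', "parent": r"C:\Windows\System32\msiexec.exe"},
    {"type": "process", "image": r"C:\Windows\System32\regsvr32.exe",          # 1: OCX from Temp
     "cmdline": r'regsvr32.exe /s "C:\Users\alice\AppData\Local\Temp\update.ocx"', "parent": r"C:\Windows\explorer.exe"},
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",             # 2: HTA from Downloads
     "cmdline": r'mshta.exe "C:\Users\alice\Downloads\resume.hta"', "parent": r"C:\Program Files\WinRAR\WinRAR.exe"},
    {"type": "process", "image": r"C:\Windows\System32\taskkill.exe",          # 3: browser killed
     "cmdline": "taskkill /F /IM chrome.exe", "parent": r"C:\Windows\System32\regsvr32.exe"},
    {"type": "file", "image": r"C:\Windows\System32\regsvr32.exe",             # 4: credential DB read
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",  # 5: benign
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "network", "image": r"C:\Windows\System32\regsvr32.exe", "dest_host": "wetransfers.io", "dest_port": 443},   # 6
    {"type": "network", "image": r"C:\Windows\System32\regsvr32.exe", "dest_host": "api.telegram.org", "dest_port": 443}, # 7
    {"type": "network", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "www.google.com", "dest_port": 443},                                                                    # 8: benign
    {"type": "network", "image": r"C:\Windows\System32\mshta.exe", "dest_host": "cdn.example.invalid", "dest_port": 443}, # 9
]


def rule_lolbin_user_writable(ev):
    """regsvr32/mshta pointed at a payload outside trusted program directories, or at a URL."""
    if ev["type"] != "process" or basename(ev["image"]) not in LOLBINS:
        return None
    if USER_WRITABLE.search(ev["cmdline"]) or re.search(r"https?://", ev["cmdline"], re.I):
        return f"{basename(ev['image'])} launched with payload from user-writable path or URL"
    return None


def rule_browser_kill(ev):
    """Forced browser termination, the precursor to copying the locked Login Data file.
    (Malware may also call TerminateProcess directly, so this is one signal, not the only one.)"""
    if ev["type"] == "process" and basename(ev["image"]) == "taskkill.exe":
        if re.search(r"/IM\s+chrome\.exe", ev["cmdline"], re.I):
            return "chrome.exe force-terminated by taskkill"
    return None


def rule_login_data_access(ev):
    """A process other than the browser itself reading Chrome's credential database."""
    if ev["type"] == "file" and LOGIN_DATA.search(ev["path"]):
        if basename(ev["image"]) not in BROWSER_IMAGES:
            return f"{basename(ev['image'])} read Chrome Login Data"
    return None


def rule_watchlisted_egress(ev):
    """Any connection to a watchlisted host, or any outbound connection by a LOLBin."""
    if ev["type"] != "network":
        return None
    host, img = ev["dest_host"].lower(), basename(ev["image"])
    if host in WATCHLIST:
        return f"{img} connected to watchlisted host {host}"
    if img in LOLBINS:
        return f"{img} made an outbound connection to {host}"
    return None


RULES = [rule_lolbin_user_writable, rule_browser_kill, rule_login_data_access, rule_watchlisted_egress]


def detect(events):
    """Run every rule over every event; return one finding per (event, rule) match."""
    findings = []
    for i, ev in enumerate(events):
        for rule in RULES:
            msg = rule(ev)
            if msg:
                findings.append({"event": i, "rule": rule.__name__, "detail": msg})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['rule']}] event {f['event']}: {f['detail']}")
```

Run against the sample, the benign installer, Chrome’s own access to its database, and Chrome’s ordinary web traffic produce no findings, while the Temp-resident OCX, the HTA from Downloads, the taskkill, the Login Data read by regsvr32.exe, and the three suspicious connections each do. In practice the same rules map onto Sysmon Event IDs 1 (process creation), 3 (network connection) and an EDR file-access source, and the path allowlist should be tuned to the software actually deployed in your environment.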

Final Thoughts and Call to Action

TerraStealerV2 highlights how advanced and stealthy modern malware has become. The Golden Chickens group continues to evolve, combining social engineering with modular malware and anti-detection techniques. Organizations and individuals must remain vigilant and proactive in defending their digital assets.

If you’re responsible for a company’s security—or simply want to better protect your personal data—don’t wait until it’s too late. Hack & Fix is here to help with professional cybersecurity assessments and protection strategies tailored to threats like TerraStealerV2.

Contact us today and let our experts ensure your systems are resilient against even the most advanced cyber adversaries. In today’s threat landscape, proactive defense is not a luxury—it’s a necessity.