Golden Chickens Deploy TerraStealerV2 and TerraLogger in Credential Theft Surge

Threat Group: Golden Chickens (aka Venom Spider)
Threat Type: Malware-as-a-Service (MaaS)
Exploited Vulnerabilities: None (initial access via spear-phishing and social engineering; execution via LOLBin abuse)
Malware Used: TerraStealerV2, TerraLogger, TerraLoader
Threat Score: 🟠 Elevated (6.5/10) – Due to its credential-harvesting capabilities, stealth techniques, and deployment through widely used social engineering tactics.
Last Threat Observation: May 31, 2025


Overview

Golden Chickens (also known as Venom Spider) has expanded its malware arsenal with two new tools offered via its Malware-as-a-Service (MaaS) platform: TerraStealerV2 and TerraLogger. These tools have been observed in recent spear-phishing campaigns targeting professionals in HR, finance, and engineering, often impersonating job applicants.

TerraStealerV2 (aka SONE or Stealer One) is an evolution of the group’s previous credential-stealing malware, now improved with stealthier loading methods and broader data collection. TerraLogger complements this by logging keystrokes and monitoring user activity, capturing credentials not stored in applications.

Both payloads are deployed via TerraLoader, a flexible loader leveraging LOLBins to evade detection, and may be part of a broader infection strategy that includes additional modules.


Key Details

Delivery Method: Spear-phishing emails with ZIP or ISO attachments containing malicious LNK files, disguised as resumes or business inquiries.

Target: Enterprises in finance, HR/recruitment, and engineering sectors across North America and Europe.

Functions:

  • TerraStealerV2:
    • Extracts credentials from browsers, FTP clients, email software, and crypto wallets.
    • Collects browser extension data and screenshots.
    • Uses environment checks to evade sandboxes.
  • TerraLogger:
    • Captures keystrokes in real-time.
    • Tracks window titles and clipboard contents.
    • Sends logs to attacker-controlled C2 servers.
  • TerraLoader:
    • Uses LOLBins (e.g., regsvr32.exe, ie4uinit.exe, odbcconf.exe) for stealthy execution.
    • Supports plugin-style modular loading.

Obfuscation: Highly obfuscated code, sandbox evasion routines, dynamic execution via native system utilities, and minimal disk footprint.


Attack Vectors

The malware typically arrives via tailored phishing emails impersonating job seekers. The emails contain ZIP or ISO files housing LNK shortcuts that, when launched, execute hidden PowerShell or JavaScript payloads via native Windows LOLBins. These techniques reduce AV visibility and hinder sandbox analysis.

Once executed, TerraLoader installs either TerraStealerV2 or TerraLogger. The payloads establish C2 communication over HTTPS and exfiltrate harvested data in compressed formats. Modular support allows the attacker to deploy additional backdoors or ransomware at a later stage.


Known Indicators of Compromise (IoCs)

Domain

  • 20[.]ifconfig[.]me
  • 2f[.]ifconfig[.]me
  • wetransfers[.]io

Note: These IoCs must be verified against internal telemetry and endpoint logs before action. Always tailor detection rules to your environment.

Mitigation and Prevention

User Awareness:

  • Conduct simulations and anti-phishing training, especially targeting HR and finance staff.

Email Filtering:

  • Enable attachment scanning, macro blocking, and sandbox detonation for attachments.

Antivirus Protection:

  • Deploy EDR/AV solutions with behaviour-based detection capable of identifying LOLBin abuse and modular loaders.

Two-Factor Authentication (2FA):

  • Enforce across all internet-facing services and sensitive internal systems.

Monitor Logs:

  • Audit for suspicious process chains (e.g., explorer.exe spawning regsvr32.exe or PowerShell).
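One way to operationalise this audit, and the LNK-to-LOLBin chain described under Attack Vectors, is the small checker below. It is an added example, not code from the advisory or from any vendor: it parses constructed Sysmon-style process-creation lines (the key=value layout and the sample events are assumptions) and flags the LOLBins named on this page when they are launched from explorer.exe or chained from another LOLBin.

```python
import re

# LOLBins named in the advisory, plus PowerShell, which the LNK payloads invoke.
WATCHED_CHILDREN = {"regsvr32.exe", "ie4uinit.exe", "odbcconf.exe", "powershell.exe"}
# A LOLBin spawned directly by the user's shell matches the LNK double-click pattern.
SHELL_PARENTS = {"explorer.exe"}

# Constructed Sysmon-style process-creation lines (assumed layout, not real telemetry).
SAMPLE_LOG = r"""
EventID=1 Image=C:\Windows\explorer.exe ParentImage=C:\Windows\System32\userinit.exe CommandLine="explorer.exe"
EventID=1 Image=C:\Windows\System32\regsvr32.exe ParentImage=C:\Windows\explorer.exe CommandLine="regsvr32.exe /s C:\Users\hr\AppData\Local\Temp\resume.dll"
EventID=1 Image=C:\Windows\System32\regsvr32.exe ParentImage=C:\Windows\System32\msiexec.exe CommandLine="regsvr32.exe /s C:\Program Files\Vendor\vendor.dll"
EventID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Windows\explorer.exe CommandLine="powershell.exe -w hidden -f D:\resume.ps1"
EventID=1 Image=C:\Windows\System32\odbcconf.exe ParentImage=C:\Windows\System32\regsvr32.exe CommandLine="odbcconf.exe /f C:\Users\hr\AppData\Local\Temp\x.rsp"
EventID=1 Image=C:\Windows\System32\notepad.exe ParentImage=C:\Windows\explorer.exe CommandLine="notepad.exe"
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=bare

def parse_event(line):
    """Turn one key=value line into a dict; quoted values may contain spaces."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return a reason string if the parent/child pair is suspicious, else None."""
    child = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    if child not in WATCHED_CHILDREN:
        return None
    if parent in SHELL_PARENTS:
        return "LOLBin launched from the user shell (matches the LNK double-click chain)"
    if parent in WATCHED_CHILDREN:
        return "LOLBin chained from another LOLBin (matches staged loader behaviour)"
    return None

def find_suspicious_chains(log_text):
    """Return (parent, child, command_line, reason) for every flagged process-creation event."""
    hits = []
    for line in log_text.splitlines():
        event = parse_event(line)
        if event.get("EventID") != "1":  # only process-creation events
            continue
        reason = classify(event)
        if reason:
            hits.append((basename(event["ParentImage"]), basename(event["Image"]),
                         event.get("CommandLine", ""), reason))
    return hits

if __name__ == "__main__":
    for parent, child, cmd, reason in find_suspicious_chains(SAMPLE_LOG):
        print(f"[ALERT] {parent} -> {child}: {reason}\n        {cmd}")
```

The vendor-installer case (msiexec.exe spawning regsvr32.exe) is deliberately left unflagged to show why parent context, not the LOLBin name alone, should drive the rule.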

Regular Updates:

  • Patch browsers, Office applications, and Windows to limit exploit opportunities.

Risk Assessment

Golden Chickens continues to evolve its MaaS toolkit with advanced evasion, modularity, and credential-harvesting precision. TerraStealerV2 and TerraLogger elevate their threat profile with multi-vector data theft and stealthy deployment techniques.

Organizations that handle large volumes of resumes, interact with external contractors, or operate in financial and infrastructure sectors should consider these tools as a priority detection target. Failure to detect such threats early may result in credential leakage, lateral movement, and ransomware deployment.

Threat Score: 🟠 Elevated (6.5/10)


Conclusion

Golden Chickens' new malware families reinforce the trend of MaaS operators offering specialized payloads to streamline initial access and data theft. With spear-phishing as their primary vector and LOLBins enabling stealthy execution, TerraStealerV2 and TerraLogger represent a rising threat.

SOC teams should update threat models to include Golden Chickens' evolving tactics and tune detection rules for LNK-based phishing, LOLBin chains, and credential access anomalies. Continued intelligence sharing and layered defenses will be critical to defending against these adaptable adversaries.
