Browser Credential & Sensitive‑Data Heists on the Rise

Insikt Group has uncovered two new malware families, TerraStealerV2 and TerraLogger, attributed to the notorious financially motivated threat actor Golden Chickens, also known as Venom Spider.

Active between January and April 2025, these tools signal a persistent evolution in the group’s Malware-as-a-Service (MaaS) platform, which has long been exploited by elite cybercrime syndicates like FIN6, Cobalt Group, and Evilnum.

Golden Chickens, linked to high-profile attacks on entities such as British Airways and Ticketmaster UK, continues to refine its arsenal with a focus on credential theft and keylogging, posing a severe risk to organizations worldwide.

Technical Breakdown: Capabilities and Limitations

TerraStealerV2 emerges as a sophisticated stealer targeting browser credentials, cryptocurrency wallet data, and browser extension information.

Designed to extract data from Chrome’s “Login Data” database, it attempts to harvest sensitive information by terminating chrome.exe processes to bypass file locks and copying data to temporary locations like C:\ProgramData\Temp\LoginData.

However, its inability to decrypt credentials protected by Chrome’s Application Bound Encryption (ABE), introduced in updates post-July 2024, reveals a critical flaw-either the code is outdated or still under active development.

Despite this, TerraStealerV2 exfiltrates collected data to Telegram channels and a secondary command-and-control (C2) endpoint at wetransfers[.]io, using a combination of structured notifications and compressed archives like output.zip.

Its distribution is equally concerning, leveraging diverse formats such as LNK, MSI, DLL, and EXE files, often executed via trusted Windows utilities like regsvr32.exe and mshta.exe to evade detection.

Insikt Group identified ten distinct samples between January and March 2025, underscoring the malware’s aggressive spread through social engineering tactics like spearphishing with fake job offers.

In parallel, TerraLogger introduces a standalone keylogging capability to Golden Chickens’ toolkit-the first of its kind observed from this group.

Using a low-level WH_KEYBOARD_LL hook via SetWindowsHookExA, it captures keystrokes and logs them to local files in paths like C:\ProgramData\save.txt or C:\ProgramData\a.txt.

While it meticulously records window titles and special characters, handling nuances like Shift key states, TerraLogger lacks data exfiltration or C2 communication features, suggesting it may be a modular component in early development.

Five samples, compiled between January and April 2025, show incremental updates, indicating active refinement by the threat actor believed to operate under aliases like badbullzvenom, with ties to Moldova and Montreal, Canada.

The current state of both malware families hints at ongoing maturation within Golden Chickens’ ecosystem, which already includes tools like VenomLNK, TerraLoader, and TerraCrypt.

Their history of causing damages exceeding $1.5 billion globally through collaborating groups amplifies the urgency of this threat.

While TerraStealerV2’s limitations around ABE protections offer a temporary reprieve, its persistent distribution methods and TerraLogger’s potential integration into broader campaigns signal looming dangers.

Organizations must prioritize robust mitigation strategies, focusing on detecting malicious file executions and monitoring unusual network traffic to domains like wetransfers[.]io, to safeguard against these evolving cyber threats.