A notorious hacker group known as Golden Chickens is back in the spotlight after cybersecurity researchers discovered two new digital weapons designed to steal passwords, watch every word you type, and target your cryptocurrency.
Cybersecurity analysts at Recorded Future’s Insikt Group have identified the fresh threats as TerraStealerV2 and TerraLogger, two malware strains believed to be the latest additions to Golden Chickens’ growing Malware-as-a-Service (MaaS) arsenal.
Targeting your browser and wallet
According to a recent report, the malware strains were observed in the wild between January and April 2025 and show signs of being under active development. The discovery points to Golden Chickens’ ongoing efforts to expand their cyberweapon arsenal, particularly for stealing credentials and logging keystrokes.
“TerraStealerV2 is designed to collect browser credentials, cryptocurrency wallet data, and browser extension information,” Recorded Future Insikt Group said in its technical breakdown. “TerraLogger, by contrast, is a standalone keylogger. It uses a common low-level keyboard hook to record keystrokes and writes the logs to local files.”
TerraStealerV2 specifically targets data stored in the Chrome browser, especially the “Login Data” file containing saved credentials. It tries to extract usernames and passwords using a bundled SQLite tool and sends that data to Telegram and a shady domain, wetransfers[.]io.
However, there’s a twist: the malware can’t crack Chrome’s newer security protections, Application Bound Encryption (ABE), which were introduced after July 2024. Researchers say this limitation suggests that TerraStealerV2 is either outdated or still a work in progress.
Despite that, the stealer has been spotted being delivered in various formats (EXE, DLL, MSI, and LNK) and hides its tracks using legitimate Windows tools like regsvr32.exe and mshta.exe.
A new logger on the block
TerraLogger, the second tool identified, is Golden Chickens’ first publicly documented attempt at keylogging. It operates more simply: once installed, it captures whatever the victim types on their keyboard and saves the logs into plain text files like a.txt or op.txt in the system’s ProgramData folder.
But unlike most modern malware, TerraLogger doesn’t send the stolen data anywhere — at least not yet. It lacks any command-and-control feature, meaning it might still be in early development or meant to work alongside other malware from the Golden Chickens toolkit.
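The behaviours described above (a non-browser process reading Chrome's "Login Data", traffic to wetransfers[.]io, a.txt or op.txt appearing in ProgramData, and regsvr32.exe or mshta.exe launches) can be turned into simple triage rules. The Python sketch below is an added example, not code from the Recorded Future report; the event schema, the sample events and the severity labels are assumptions constructed for illustration.

```python
import ntpath  # parses Windows paths on any OS
# Indicators named in the article; the domain is kept defanged and refanged here.
EXFIL_DOMAIN = "wetransfers[.]io".replace("[.]", ".")
LOGGER_FILES = {"a.txt", "op.txt"}
LOLBINS = {"regsvr32.exe", "mshta.exe"}
CHROME_DIR = "\\google\\chrome\\user data\\"

def classify(event):
    """Return a finding for one event (hypothetical schema), or None."""
    kind = event["type"]
    image = ntpath.basename(event["image"]).lower()
    target = event.get("target", "").lower()
    name = ntpath.basename(target)
    if kind == "dns_query":
        host = target.rstrip(".")
        if host == EXFIL_DOMAIN or host.endswith("." + EXFIL_DOMAIN):
            return "high: lookup of reported exfiltration domain"
    elif kind == "file_read":
        # Chrome reads its own credential store; any other reader is suspect.
        if name == "login data" and CHROME_DIR in target and image != "chrome.exe":
            return "high: non-browser read of Chrome Login Data"
    elif kind == "file_create":
        parent = ntpath.basename(ntpath.dirname(target))
        if parent == "programdata" and name in LOGGER_FILES:
            return "medium: keylogger-style log file in ProgramData"
    elif kind == "process_create" and image in LOLBINS:
        # Legitimate tools: a lead for review, not proof of compromise.
        return "low: regsvr32/mshta launch, review parent and command line"
    return None

def scan(events):
    return [(i, f) for i, e in enumerate(events) if (f := classify(e))]

# Constructed sample events, not real telemetry.
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
DROPPED = r"C:\Users\alice\AppData\Local\Temp\setup.exe"
LOGIN_DATA = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"
SAMPLE_EVENTS = [
    {"type": "file_read", "image": CHROME, "target": LOGIN_DATA},
    {"type": "file_read", "image": DROPPED, "target": LOGIN_DATA},
    {"type": "dns_query", "image": DROPPED, "target": EXFIL_DOMAIN},
    {"type": "dns_query", "image": CHROME, "target": "example.com"},
    {"type": "file_create", "image": DROPPED, "target": r"C:\ProgramData\op.txt"},
    {"type": "file_create", "image": DROPPED, "target": r"C:\Users\alice\Documents\a.txt"},
    {"type": "process_create", "image": r"C:\Windows\System32\mshta.exe"},
]
if __name__ == "__main__":
    for index, finding in scan(SAMPLE_EVENTS):
        print(index, finding)
```

Because TerraLogger has no command-and-control channel, the file-creation rule is the only one of these that would surface it on its own; the regsvr32/mshta rule is deliberately low severity since both tools have legitimate uses.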
A familiar name behind major hacks
Golden Chickens has been active since at least 2018. It is known to supply malware to some of the most prolific cybercrime groups, including FIN6, Cobalt Group, and Evilnum, names tied to attacks on British Airways, Ticketmaster UK, and other major companies.
Researchers have also linked Golden Chickens to an online persona named badbullzvenom, reportedly operated by individuals based in Moldova and Montreal, Canada.
The group’s malware suite is modular and stealthy, with known components like:
- VenomLNK: a shortcut-based infection launcher.
- TerraLoader: a malware loader.
- TerraCrypt: ransomware.
- TerraTV: used to hijack TeamViewer sessions.
- TerraRecon and TerraWiper: for spying and data wiping.
The newly discovered TerraStealerV2 and TerraLogger appear to be the latest additions to this expanding toolkit.
A wake-up call
While both malware families are still being refined, experts warn that this is only the beginning.
“Given Golden Chickens’ history of developing malware for credential theft and access operations, these capabilities will likely continue to evolve,” the report warned.
Security researchers are urging organizations to stay alert, especially as cybercrime groups continue to roll out new and updated tools. Users are also advised to update browsers, use strong and unique passwords, and avoid opening unknown files, especially those received through unexpected emails or messages.