Golden Chickens Deploy TerraStealerV2 to Steal Browser Credentials and Crypto Wallet


VTA-004516 – Golden Chickens Deploy TerraStealerV2 to Steal Browser Credentials and Crypto Wallet

A recent campaign led by the financially motivated group Golden Chickens (aka Venom Spider) has introduced two new malware strains: TerraStealerV2 and TerraLogger. These tools are distributed under a Malware-as-a-Service (MaaS) model and aim to compromise systems through phishing lures, often disguised as job resumes or API documentation. Payloads are embedded in .LNK, .DLL, and .EXE formats and delivered via deceptive file-sharing platforms.

Once executed, TerraStealerV2 targets browser credentials, crypto wallets, and extension data, using Telegram bots and malicious domains like wetransfers[.]io for exfiltration. Meanwhile, TerraLogger acts as a standalone keylogger. Although these tools show signs of ongoing development, their current capabilities are already significant, including credential theft, input capture, and system reconnaissance.

Organizations should adopt a layered security approach — combining endpoint detection, user education, LOLBin monitoring, and domain blocking — to effectively defend against these threats.

Severity:
Medium

Attack Surface:
Endpoint, Messaging, Others, Web Browser

Tactics:
Collection, Credential Access, Execution, Exfiltration, Initial Access

Techniques:
T1134 – Access Token Manipulation
T1204 – User Execution
T1176 – Browser Extensions
T1547 – Boot or Logon Autostart Execution
T1056 – Input Capture

Indicators of Compromise:
1. https://otx.alienvault.com/pulse/682648dddc2986728fb664a2

References:
1. https://www.recordedfuture.com/research/terrastealerv2-and-terralogger

SuperPRO’s Threat Countermeasures Procedures:
1. Block or monitor outbound communications to malicious C2 domains.
2. Alert on unusual usage of living-off-the-land binaries (LOLBins) such as regsvr32.exe, wmic.exe, mshta.exe, and PowerShell.
3. Educate users to avoid opening suspicious .LNK, .DLL, or .EXE files, especially those disguised as resumes or documentation.
4. Audit Chrome’s Login Data SQLite databases for unauthorized access attempts and browser extension directory changes.
5. Maintain updated endpoint protection capable of detecting emerging malware strains such as TerraStealerV2 and TerraLogger.
6. Conduct regular security audits of crypto wallet extensions and browser credentials storage.
7. Monitor file creation in locations such as:
C:\ProgramData\file.txt
%LOCALAPPDATA%\Packages\Bay0NsQIzx\p.txt
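As an added illustration (not part of this advisory), the following Python script applies countermeasures 1, 2 and 7 to endpoint telemetry. The event record format (a simplified Sysmon-like dictionary with `type`, `image`, `parent`, `path`, `localappdata` and `query` fields) and the sample events are constructed assumptions; the domain, LOLBin names and file paths are the ones listed above.

```python
import ntpath
from typing import Dict, List

# Indicators from the advisory; the event schema and sample events are constructed.
C2_DOMAINS = {"wetransfers.io"}
LOLBINS = {"regsvr32.exe", "wmic.exe", "mshta.exe", "powershell.exe"}
DROP_PATHS = [r"C:\ProgramData\file.txt", r"%LOCALAPPDATA%\Packages\Bay0NsQIzx\p.txt"]


def _norm(path: str, localappdata: str) -> str:
    """Expand %LOCALAPPDATA% for the event's user; lower-case because NTFS paths are case-insensitive."""
    return path.replace("%LOCALAPPDATA%", localappdata).lower()


def match_event(ev: Dict[str, str]) -> List[str]:
    """Return the countermeasures (CM1, CM2, CM7) that one telemetry event triggers."""
    hits: List[str] = []
    kind = ev.get("type")
    if kind == "process":
        image = ntpath.basename(ev.get("image", "")).lower()
        if image in LOLBINS:
            hits.append(f"CM2 LOLBin execution: {image} (parent {ev.get('parent', '?')})")
    elif kind == "file":
        target = ev.get("path", "").lower()
        for known in DROP_PATHS:
            if target == _norm(known, ev.get("localappdata", "")):
                hits.append(f"CM7 drop-file created: {ev['path']}")
    elif kind == "dns":
        q = ev.get("query", "").lower().rstrip(".")
        if any(q == d or q.endswith("." + d) for d in C2_DOMAINS):
            hits.append(f"CM1 lookup of known C2 domain: {q}")
    return hits


def scan(events: List[Dict[str, str]]) -> List[str]:
    """Run every event through match_event and collect the alerts in order."""
    alerts: List[str] = []
    for ev in events:
        alerts.extend(match_event(ev))
    return alerts


# Constructed sample telemetry: mshta spawned from Explorer (e.g. a .LNK lure), the
# per-user drop file, a lookup under the C2 domain, plus benign noise that must not alert.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe", "parent": "explorer.exe"},
    {"type": "file", "path": r"C:\Users\alice\AppData\Local\Packages\Bay0NsQIzx\p.txt",
     "localappdata": r"C:\Users\alice\AppData\Local"},
    {"type": "dns", "query": "cdn.wetransfers.io"},
    {"type": "process", "image": r"C:\Program Files\Git\bin\git.exe", "parent": "cmd.exe"},
    {"type": "dns", "query": "wetransfer.com"},
]
```

Running `scan(SAMPLE_EVENTS)` yields three alerts (CM2, CM7, CM1) and nothing for the two benign events; in practice the dictionaries would be populated from Sysmon event IDs 1, 11 and 22 or an equivalent EDR feed.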

Contributed by: Anas