TerraLogger
TerraLogger is a standalone Windows keylogger malware family attributed to the Golden Chickens malware-as-a-service ecosystem, also known as Venom Spider/TA4557. It was reported by Recorded Future Insikt Group and observed in samples uploaded in early 2025, with activity and sample compilation timestamps spanning January to April 2025. The malware is described as Venom Spider’s first observed keylogging capability and appears to be under active development.
Its core functionality is keystroke capture via a low-level keyboard hook implemented with SetWindowsHookExA using WH_KEYBOARD_LL. TerraLogger records keystrokes locally to files under C:\ProgramData, including filenames such as a.txt and save.txt, and reporting also notes detections based on specific file creation events. It records window titles along with keystrokes, including handling of special characters and Shift key states, and may represent special keys using formats such as <KEY-[keycode]> or pipe-delimited abbreviations like |bck|. One mention also describes clipboard monitoring, but the strongest repeated reporting consistently characterizes it as a keylogger focused on keystroke logging to local files.
TerraLogger does not include built-in data exfiltration or command-and-control functionality in the reported samples, which suggests either early-stage development or intended modular use alongside other Golden Chickens components. It has been described as a standalone module and as less mature than established Golden Chickens tooling such as TerraLoader and VenomLNK.
Delivery and execution details in the reporting indicate TerraLogger is propagated as an OCX payload and executed via regsvr32.exe, consistent with Golden Chickens tradecraft. Related reporting states the newer Golden Chickens families employ evasion techniques including execution via trusted Windows utilities such as regsvr32.exe, and in broader campaign context Golden Chickens has also used mshta.exe. TerraLogger samples showed minor updates over time, including changes to log file paths and special-key representations.
The malware is associated with the financially motivated Golden Chickens/Venom Spider MaaS operation, whose tooling has been used by groups including FIN6, Cobalt Group, and Evilnum. High-confidence indicators and artifacts directly mentioned for TerraLogger include use of SetWindowsHookExA with WH_KEYBOARD_LL, local log storage in C:\ProgramData, filenames such as a.txt and save.txt, OCX-based delivery, and execution via regsvr32.exe.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
"Unlike its data-sucking counterpart TerraStealerV2, TerraLogger takes a simpler... approach by capturing keystrokes..."
"D. TerraLogger Keylogger designed to monitor user keystrokes and clipboard activity."
Techniques & procedures
1 distinct technique documented for this family, organized by ATT&CK tactic.
Initial Access
1 techniqueMultiple entries describe malicious packages (npm/PyPI/Go modules) used to drop payloads, backdoor software, steal credentials/keys, or wipe disks.
IOCs tracked for this family
15 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Second malware family attributed to Golden Chickens; functionality not described in the excerpt.
Keylogger module associated with Golden Chickens; captures keystrokes and is likely used as a component within a broader toolset (no exfil mechanism noted).
A Golden Chickens-associated malware component detected via file-creation artifacts (per the described detection rule).
Standalone keylogger module using a low-level keyboard hook (SetWindowsHookExA) to capture keystrokes and write logs (e.g., a.txt/save.txt) under C:\ProgramData; delivered as an OCX executed via regsvr32.exe; no exfiltration/C2 observed in described samples, suggesting early-stage or modular use.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.