TerraStealerV2

TerraStealerV2 is a Windows credential and data stealer attributed by Recorded Future Insikt Group to the financially motivated Golden Chickens threat actor, also known as Venom Spider/TA4557, and observed between January and April 2025. It is designed to collect browser credentials, cryptocurrency wallet data, and browser extension information. Reporting states it targets Google Chrome’s "Login Data" database, copies it to C:\ProgramData\Temp\LoginData, and queries it with SQLite using "SELECT origin_url, username_value, password_value FROM logins." It also collects host information via GetUserNameA and GetComputerNameA, attempts to determine the victim IP address via ifconfig[.]me, enumerates processes, looks for chrome.exe, and may terminate it to release database locks. The malware copies targeted wallet and extension directories into %LOCALAPPDATA%\Packages\Bay0NsQIzx, compresses the contents into output.zip, and writes exfiltration data/messages to C:\ProgramData\file.txt with a copy at %LOCALAPPDATA%\Packages\Bay0NsQIzx\p.txt.

TerraStealerV2 has been distributed in multiple formats including LNK, MSI, DLL, and EXE, but the stealer payload is intended to be delivered as an OCX file and executed via regsvr32.exe calling DllRegisterServer. Observed delivery chains retrieved the OCX from wetransfers[.]io/v.php using curl or PowerShell, and some activity overlapped with ClickFix-style tradecraft, including mshta.exe execution of a payload disguised as an MP4. The malware performs anti-analysis checks, including verifying the .ocx extension, a hard-coded filename ending, and that it is being executed by regsvr32.exe. Strings are deobfuscated with an XOR routine using a hard-coded key. It leverages trusted Windows utilities such as regsvr32.exe and mshta.exe for execution and evasion.

Exfiltration was observed to Telegram, including an initial victim-information message to a Telegram channel named "Noterdam" using a bot token associated with "NoterdanssBot," and to the domain wetransfers[.]io, including uploads to wetransfers[.]io/uplo.php. The domain wetransfers[.]io was reported as registered on February 18, 2025 via NameCheap and hosted behind Cloudflare. Additional reported indicators and artifacts include ifconfig[.]me, wetransfers[.]io, C:\ProgramData\Temp\LoginData, C:\ProgramData\file.txt, %LOCALAPPDATA%\Packages\Bay0NsQIzx\p.txt, and output.zip. One reported sample had SHA-256 9aed0eda60e4e1138be5d6d8d0280343a3cf6b30d39a704b2d00503261adbe2a, and another sample contained a PDB path referencing "NOK.pdb."

The reporting notes TerraStealerV2 does not bypass Chrome Application Bound Encryption (ABE) protections introduced after July 2024, limiting its ability to decrypt passwords on updated systems and suggesting the malware is immature, outdated, or still under active development. High-confidence reporting directly describes its theft focus as browser credentials, cryptocurrency wallet data, and browser extension information.