TerraLoader
TerraLoader is a malware loader associated with the financially motivated Venom Spider / Golden Chickens malware-as-a-service ecosystem. It is described as an advanced loader used to deliver custom payloads and additional Golden Chickens malware, with reported support for fileless execution techniques and DLL sideloading. Reporting also states that VenomLNK can execute TerraLoader as a loader module responsible for deploying further Golden Chickens tooling, and that TerraLoader has been used to install the More_eggs backdoor. Code similarities have also been noted between TerraLoader and later JavaScript payloads used in Venom Spider intrusion chains.
TerraLoader has additionally been observed in Evilnum activity, where a component called TerraLoader collected hardware and file information to detect sandboxed environments, which indicates anti-analysis and virtualization/sandbox evasion functionality. Across the sources collected here, TerraLoader is consistently positioned as a mature, established Golden Chickens loader compared with newer families such as TerraStealerV2 and TerraLogger. Actors associated with it in these sources are Venom Spider / Golden Chickens and Evilnum. Behaviors stated directly in the sources (high confidence) are payload delivery, deployment of additional malware, fileless execution support, DLL sideloading, installation of More_eggs, and sandbox checks based on hardware and file information.
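The sandbox checks described above are a class of behavior rather than a documented algorithm, so the following is an added illustration of how hardware- and file-based evasion heuristics typically work; it is not TerraLoader's code, and the thresholds (`MIN_CPUS`, `MIN_RAM_GB`, `MIN_DISK_GB`), artifact paths and process names are assumptions chosen for the example. A defender can run it inside a detonation VM to see which of these generic checks the VM would fail, which is the practical reason to care about this behavior.

```python
"""
Illustrative hardware- and file-based sandbox heuristics of the kind the page
attributes to TerraLoader's anti-analysis component. This is an added example,
not TerraLoader's code: every threshold, path and process name below is an
assumption for illustration. Run it in a detonation VM to see which checks trip.
"""
from __future__ import annotations

import os
import shutil
from dataclasses import dataclass, field


@dataclass
class HostFacts:
    """Facts a loader can gather cheaply and without privileges."""
    cpu_count: int
    ram_gb: float | None          # None when the platform gives no cheap answer
    disk_gb: float
    files_present: set[str] = field(default_factory=set)
    process_names: set[str] = field(default_factory=set)


# Assumed artifact lists for illustration; real loaders carry their own.
ANALYSIS_FILES = {
    r"C:\Windows\System32\drivers\VBoxMouse.sys",
    r"C:\Windows\System32\drivers\vmhgfs.sys",
    r"C:\Windows\System32\vboxdisp.dll",
    "/usr/bin/VBoxClient",
    "/dev/vmci",
}
ANALYSIS_PROCESSES = {
    "vboxservice.exe", "vmtoolsd.exe", "procmon.exe", "wireshark.exe", "x64dbg.exe",
}
# Assumed thresholds: a thin VM usually sits below all three.
MIN_CPUS, MIN_RAM_GB, MIN_DISK_GB = 2, 4.0, 80.0


def sandbox_indicators(h: HostFacts) -> list[str]:
    """Return a description of every heuristic the host trips."""
    hits: list[str] = []
    if h.cpu_count < MIN_CPUS:
        hits.append(f"cpu_count={h.cpu_count} < {MIN_CPUS}")
    if h.ram_gb is not None and h.ram_gb < MIN_RAM_GB:
        hits.append(f"ram_gb={h.ram_gb} < {MIN_RAM_GB}")
    if h.disk_gb < MIN_DISK_GB:
        hits.append(f"disk_gb={h.disk_gb} < {MIN_DISK_GB}")
    for path in sorted(h.files_present & ANALYSIS_FILES):
        hits.append(f"file:{path}")
    for proc in sorted({p.lower() for p in h.process_names} & ANALYSIS_PROCESSES):
        hits.append(f"process:{proc}")
    return hits


def looks_like_sandbox(h: HostFacts, threshold: int = 2) -> bool:
    """Require several independent signals so a small laptop is not called a sandbox."""
    return len(sandbox_indicators(h)) >= threshold


def collect_local_facts() -> HostFacts:
    """Gather the same facts from the machine this runs on, stdlib only."""
    ram = None
    if hasattr(os, "sysconf") and "SC_PHYS_PAGES" in os.sysconf_names:
        ram = os.sysconf("SC_PHYS_PAGES") * os.sysconf("SC_PAGE_SIZE") / 2**30
    root = os.environ.get("SystemDrive", "/") + ("\\" if os.name == "nt" else "")
    return HostFacts(
        cpu_count=os.cpu_count() or 1,
        ram_gb=ram,
        disk_gb=shutil.disk_usage(root).total / 2**30,
        files_present={p for p in ANALYSIS_FILES if os.path.exists(p)},
        process_names=set(),  # process listing needs platform code; left empty here
    )


if __name__ == "__main__":
    facts = collect_local_facts()
    for hit in sandbox_indicators(facts):
        print("indicator:", hit)
    print("verdict:", "sandbox-like" if looks_like_sandbox(facts) else "looks real")
```

The scoring threshold is the point worth noting: a single weak signal (one CPU, a small disk) is common on real hosts, so loaders of this kind usually combine several cheap checks before deciding to abort, and a detonation environment should therefore clear all of them rather than just one.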
Groups observed using it
2 distinct threat actors attributed by public researchers.
Venom Spider, also known as GOLDEN CHICKENS, is a threat actor known for offering Malware-as-a-Service (MaaS) tools like VenomLNK, TerraLoader, TerraStealer, and TerraCryptor.
"B. TerraLoader Advanced malware loader designed to deliver custom payloads. Can execute fileless attacks... including DLL sideloading."
Techniques & procedures
2 distinct techniques documented for this family, organized by ATT&CK tactic.
Recent activity
8 sources tracked across advisories, community write-ups, and news.
"...their current limitations indicate immaturity compared to established tools like TerraLoader or VenomLNK."
Payload loader used to deliver custom secondary malware; supports fileless execution and stealth techniques such as DLL sideloading to reduce AV detection.
Loader tool attributed to Golden Chickens (no additional functional details provided in the content).
A loader associated with Venom Spider whose JavaScript code is described as similar to the More_eggs JavaScript payload; the actor reportedly improved this loader with additional string obfuscation and code encryption.