Introduction
Statement by the Global Cyber Security Forum: cyber threat intelligence is a complex landscape, and misattribution can lead defenders down incorrect paths. For example, GC01, also known as Golden Chickens, has been misattributed in past reports as “an actor in the domain of cyber espionage and having a close relationship with the Iranian cyber espionage community targeting government, military, and diplomacy within the Middle Eastern region.” The reality is very different, and arguably a much greater global threat to the corporate world at large.
GC01 has been tracked as Golden Chickens or Venom Spider by researchers across security verticals. It is not a state-sponsored advanced persistent threat (APT); rather, it is a sophisticated, financially motivated e-crime actor. As an elite Malware-as-a-Service (MaaS) organization, Golden Chickens supplies customized, stealthy cyber weapons to some of the most dangerous Russian-speaking cybercrime gangs in the world, including FIN6, Cobalt Group and Evilnum. Instead of committing espionage on behalf of a nation-state, Golden Chickens has created an entire underground market to facilitate large-scale financial heists and compromise enterprise networks worldwide.
Identity and Motivation
Golden Chickens’ business model is all about maximizing financial profit; the group serves as an “arms dealer” within the cybercrime world. They do not usually carry out endpoint attacks themselves, such as deploying ransomware or draining bank accounts; rather, they develop, support, and lease malware and Command and Control (C2) facilities to other actors via subscription agreements. Golden Chickens’ primary operators, known online as “badbullzvenom”, have been identified through extensive tracking of dark web discussion groups and through ASN (Attack Surface Network) and operational security lapses. The operation is believed to be run by individuals residing in Montreal, Canada, and Romania/Moldova.
Their motives are entirely commercial:
- Monetization of Access: Selling very evasive malware products to the top cybercriminals, provided via lease pricing schemes.
- Enabling Financial Theft: Providing initial access to, and tools for harvesting credentials for, groups targeting the financial, retail and eCommerce industries.
- Underground Reputation: Maintaining anonymity while serving as a trusted, exclusive supplier of sophisticated malware products and services to well-resourced criminal organizations.

TTPs: Methods, Tools, and Access Strategies
Golden Chickens do not rely on exploits for zero-day vulnerabilities on edge devices to carry out their attacks. Instead, they use highly specialized, psychologically targeted social engineering methods together with “Living Off The Land” (LotL) techniques.
Initial Access: The Human Resources Vector
Spear-phishing is the primary technique this group uses against employees in HR departments, recruiters and hiring managers; HR staff are ideal targets because they routinely receive emails with attachments from external senders.
Examples include fake resumes or applications that appear to be submitted for real job openings at the target company; the email is designed to look genuine and references specific, legitimate job postings.
Engagement via LinkedIn, a legitimate professional networking site, often precedes the delivery of the payload.
Golden Chickens has been observed using malicious shortcut files (.LNK) rather than traditional macro-enabled Office documents.
Persistence and Evasion
Once a user opens an infected attachment, Golden Chickens proceeds through an elaborate infection chain designed to evade traditional antivirus and EDR solutions.
- Fileless Execution: The group is known for leveraging both WMI and PowerShell to execute code directly in memory, leaving minimal forensic footprints on disk.
- Process Injection: Malicious payloads are injected into trusted Windows processes, thereby concealing their presence.
The Golden Chickens Arsenal (Malware & Tools)
The Golden Chickens group offers Malware-as-a-Service (MaaS) built on a modular toolset that has evolved from 2018 to 2025.
1. VenomLNK and TerraLoader
VenomLNK is a maliciously constructed shortcut file that, when executed, launches TerraLoader, a sophisticated dropper. TerraLoader’s main purpose is to bypass the security measures in place, establish persistence, and download subsequent stage(s) of the malware from the Golden Chickens Command and Control servers.
2. more_eggs (The Flagship Backdoor)
more_eggs (Primary Backdoor): The more_eggs backdoor is the flagship product of the Golden Chickens group. It is difficult for defenders to detect because it is JavaScript-based and runs under legitimate Windows binaries (e.g. wscript.exe, cscript.exe), making its activity resemble routine administrative actions.
- Stealth: Because the backdoor is written in JavaScript and executed through legitimate Windows binaries, it can be effectively disguised as legitimate administrative activity.
- Capabilities: more_eggs functions as a downloader and profiler. It will assess the infected system, gather basic credential information from the operating environment, and establish a secure backdoor for the threat actor (the purchaser) to deploy their secondary products (e.g. Cobalt Strike beacons or ransomware).
3. Next-Generation Tools (TerraStealerV2 & TerraLogger)
In 2024-2025, new intelligence shows that badbullzvenom continues to expand the Golden Chickens toolkit through the addition of new, independent and specialized modules.
Ancillary Modules: In addition to the primary information stealers (IS) and keyloggers (KL), badbullzvenom has provided a number of ancillary modules or support tools. Examples include TerraRecon, which maps internal networks; TerraWiper, which destroys evidence; and TerraTV, which allows an operator to hijack and take control of a remote desktop session via TeamViewer.
TerraStealerV2: TerraStealerV2 is an Information Stealer (IS) custom-built to harvest credentials stored in web browsers, session cookies for accessing online accounts, and cryptocurrency wallet data. The use of information stealers demonstrates a shift from traditional access-broker models to the immediate financial monetization of credentials.
TerraLogger: As the first standalone keylogger in the toolkit, TerraLogger marks a new milestone for badbullzvenom, providing the ability to silently record keystrokes and capture sensitive login information before multi-factor authentication (MFA) has a chance to be activated.

Strategic Impact & Implications
The global security landscape has changed dramatically because of Golden Chickens and how easy they make it to gain and exploit access to a network. Through their automated tools and the low barrier to entry for an intruder performing a first breach, Golden Chickens has enabled a significant increase in the number of cybercriminals able to carry out damaging attacks.
From an organizational perspective, the end result is rarely just data theft. The compromised access is almost always transferred to a third party and exploited in the following ways:
- Targeted Ransomware Deployment: Golden Chickens tooling is one of the most prominent enablers of multi-million-dollar ransomware attacks.
- Point-of-Sale (POS) Intrusions: FIN6, for example, used access obtained through Golden Chickens to deploy malicious POS software and steal millions of credit card numbers from retail and hospitality locations worldwide.
- Corporate Espionage and Extortion: Theft of proprietary corporate information and customer databases, monetized through double-extortion techniques.
Conclusion & Defensive Takeaways
GC01 (Golden Chickens) is not engaged in political espionage; it operates as a full-service cyber-mercenary and Malware-as-a-Service (MaaS) provider. To keep operating successfully, the group exploits human weaknesses (through HR spear-phishing) and technology (through fileless JavaScript and LNK file execution). The first line of defence against the Golden Chickens toolkit is for organisations to adopt defensive approaches that go beyond traditional cybersecurity methodology.
- Harden HR and Recruitment Defenses: Implement stronger email filtering (e.g. quarantine) that can block external attachments sent to HR departments, and provide recruiters with specific training on the risks associated with .LNK files and unsolicited ZIP files.
- Restrict Script Execution: Use Windows Group Policy to disable the execution of .JS, .JSE, .VBS and .WSF by default.
- Monitor LotL Binaries: Establish a strict EDR (endpoint detection and response) monitoring and threat-hunting programme that watches for atypical use of wscript.exe, cscript.exe, PowerShell.exe and WMI commands, the primary execution vector of the more_eggs backdoor.
- Block Malicious Shortcuts: Block .LNK attachments at mail servers and prevent them from passing through web proxies.
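To make the LotL monitoring guidance above concrete, here is an added detection example (not code from the original report) run over constructed Sysmon-style process-creation events. The event fields, sample paths and detection tag names are assumptions; the three rules correspond to the chain described on this page: a script host running a script from a user-writable path, explorer.exe launching a script host (a double-clicked .LNK), and a script host or WMI host handing off to PowerShell.

```python
"""Detection rules for the more_eggs / VenomLNK execution chain (added example)."""
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".wsf")          # extensions named in the takeaways
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")

@dataclass
class ProcEvent:
    """Minimal process-creation record (assumed shape, modelled on Sysmon Event ID 1)."""
    parent_image: str
    image: str
    command_line: str

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev: ProcEvent) -> list[str]:
    """Return the detection tags that fire for one event (empty list = benign)."""
    tags = []
    parent, child = _basename(ev.parent_image), _basename(ev.image)
    cmd = ev.command_line.lower()
    # Rule 1: wscript/cscript executing a script from a user-writable location
    # (more_eggs is JavaScript run through these hosts).
    if child in SCRIPT_HOSTS and any(e in cmd for e in SCRIPT_EXTS) \
            and any(p in cmd for p in USER_WRITABLE):
        tags.append("script_host_user_path")
    # Rule 2: explorer.exe spawning a script host or PowerShell is what a
    # double-clicked .LNK (VenomLNK) looks like in process telemetry.
    if parent == "explorer.exe" and child in SCRIPT_HOSTS | {"powershell.exe"}:
        tags.append("explorer_to_script_host")
    # Rule 3: script host or WMI provider host handing off to PowerShell,
    # the fileless in-memory stage described above.
    if parent in SCRIPT_HOSTS | {"wmiprvse.exe"} and child == "powershell.exe":
        tags.append("script_to_powershell")
    return tags

def hunt(events: list[ProcEvent]) -> list[tuple[int, list[str]]]:
    """Run classify() over a batch and return (index, tags) for every hit."""
    return [(i, t) for i, ev in enumerate(events) if (t := classify(ev))]

# Constructed sample telemetry (not real data): two suspicious events, one benign.
SAMPLE = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\hr\Downloads\Resume_JSmith.js"'),
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -WindowStyle Hidden -File <constructed-placeholder>.ps1"),
    ProcEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\cscript.exe",
              r"cscript.exe C:\Windows\System32\slmgr.vbs /dlv"),   # benign: system path
]

if __name__ == "__main__":
    for idx, tags in hunt(SAMPLE):
        print(idx, SAMPLE[idx].command_line, tags)
```

The third event shows why rule 1 checks the script path and not just the extension: a .vbs run by a system component from System32 should not alert.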
As the cybercrime economy grows, we can expect MaaS providers such as GC01 to remain fundamental links in the success of global cyber-attacks. Understanding the true purpose, tools and actors behind these services is the first step towards disrupting their operational capacity.