Golden Chickens Terra Stealer V2 Malware Detection
Query
// https://www.recordedfuture.com/research/terrastealerv2-and-terralogger
// 🤣 Golden Chickens 🤣
// TerraStealerV2 Malware Detection
//
let QueryPeriod = 1d;
let MonitorExtension = dynamic([".lnk", ".exe", ".dll", ".msi"]);
let EPwithLowFP =
DeviceFileEvents
| where Timestamp > ago(QueryPeriod)
| where ActionType == @"FileCreated"
| where FileName has_any (MonitorExtension)
| invoke FileProfile("SHA1", 500)
| where GlobalPrevalence < 5
| distinct DeviceName;
DeviceNetworkEvents
| where Timestamp > ago(QueryPeriod)
| where ActionType == "ConnectionSuccess" and RemoteUrl == "wetransfers.io"
| where DeviceName has_any (EPwithLowFP)Explanation
This KQL (Kusto Query Language) query is designed to detect potential malware activity related to the TerraStealerV2 malware, which is associated with the "Golden Chickens" group. Here's a simple breakdown of what the query does:
-
Define the Time Period: The query looks at events that occurred within the last day (
1d). -
Monitor Specific File Extensions: It focuses on files with certain extensions that are commonly associated with executables or installers, such as
.lnk,.exe,.dll, and.msi. -
Identify Low Prevalence Files:
- It examines file creation events (
FileCreated) on devices. - It filters these events to include only those files with the specified extensions.
- It uses a function (
FileProfile) to check the SHA1 hash of these files and filters out those with a global prevalence of less than 5, indicating they are rare and potentially suspicious. - It collects a list of device names where these rare files were created.
- It examines file creation events (
-
Monitor Network Connections:
- It looks at network connection events (
ConnectionSuccess) within the same time frame. - It specifically checks for connections to the URL "wetransfers.io", which might be associated with malicious activity.
- It further filters these events to include only those from devices identified in the previous step (devices with low-prevalence files).
- It looks at network connection events (
In summary, the query is designed to identify devices that have created rare and potentially suspicious files and then checks if those devices have made network connections to a specific URL that could be linked to malicious activity.
Details

Steven Lim
Released: May 6, 2025
Tables
Keywords
Operators