Researchers Identify Developer of ‘Golden Chickens’ Malware Suite

Researchers have identified the developer of Golden Chickens, a piece of malware used by the financially motivated hacking groups Cobalt Group, Evilnum, and FIN6.

Esentire security researchers claim to have identified the developer of Golden Chickens, a malware suite used by the financially motivated Cobalt Group, Evilnum, and FIN6 cybercrime groups.

Offered under the malware-as-a-service (MaaS) model since 2018, Golden Chickens is referred to as the ‘cyber weapon of choice’ for the three hacking groups, which have caused estimated financial losses of more than $1.5 billion.

Esentire’s investigation into the Golden Chickens malware, which is operated by a threat actor tracked as Venom Spider, uncovered a connection with the username ‘Badbullzvenom’ and an individual who is referred to as ‘Frapstar’ and ‘Chuck from Montreal’.

Apparently from Moldova, Badbullzvenom speaks Romanian, French, and English, and claims to be working with Cobalt Gang. Chuck, on the other hand, appears to live in Canada, speaks French, and is interested in buying stolen Canadian credit card accounts.

Both Badbullzvenom and Chuck (who uses multiple aliases on forums, social media, and communication platforms) have gone to great lengths to hide their identities and to keep Golden Chickens off the radar, using obfuscation and only allowing it to be used in targeted attacks.

Despite that, however, Esentire believes it has discovered Chuck’s real name and his home address, while also uncovering information such as the names of his family and friends, his social media accounts, and the fact that he owns a small business and a BMW 5 Series car.

Usernames associated with Chuck include Badbullzvenom, Badbullz, Frapstar, Ksensei21, and E39_Frap* (such as E39_Frapstar). The Badbullzvenom account, Esentire notes, appears to be used both by Chuck and his partner, possibly from Moldova or Romania.

The account can be traced back to 2013, when the individual behind it was a novice cybercriminal, or ‘script kiddie’. By 2016, the individual had accumulated enough expertise to build his first cyber tool, which he sold to two miscreants.

Between 2017 and 2019, he started offering a malicious document builder known as ‘VenomKit’, which he constantly updated with new Office exploits. In 2018 and 2019, Cobalt Group and FIN6 started using the builder in attacks.

Working their way through leaked user databases of hacking forums, the security researchers identified an old Myspace account and a Montreal Racing forum account using the same email address ‘[email protected]’, and a Pinterest account for ‘Dee Inconegro’, which has a board named ‘Bad Bullz’.

The researchers also discovered a Facebook account using the Dee Inconegro name, which shares multiple friends with the account ‘Chuck Larock’, seemingly another account operated by the same threat actor.

Using a comment from one of Chuck Larock’s friends as a starting point, the researchers discovered the individual’s real name and linked it to a small business operated from a residential address in Montreal, and to an email address used for another account on the Montreal Racing forums.

The individual also appears to be associated with the Montreal 67s, a Haitian street gang.

The Golden Chickens malware suite developed by Chuck and his partner consists of components such as the More_eggs backdoor, the VenomLNK initial access LNK file that executes the TerraLoader loader, the TerraRecon reconnaissance tool, the TerraStealer credential stealer, the TerraTV lateral movement utility, the TerraPreter meterpreter shell, and the TerraCrypt ransomware.

In recent campaigns distributing Golden Chickens, which continues to be actively developed, ecommerce companies have been targeted via employee recruitment processes (including LinkedIn, Indeed, and the recruitment page on the victim’s own website).

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
