TerraTV
TerraTV is a malware variant associated with the Evilnum threat group and referenced as part of the broader Golden Chickens/Venom Spider malware ecosystem. In the provided reporting, TerraTV is used post-compromise to abuse legitimate TeamViewer software for remote access to victim machines. Specifically, Evilnum used TerraTV to run a legitimate TeamViewer application to connect to compromised systems and to load a malicious DLL from the TeamViewer directory instead of the legitimate Windows DLL from a system folder, indicating DLL hijacking/side-loading behavior. TerraTV is described alongside other Evilnum/Golden Chickens tooling such as More_eggs, TerraPreter, TerraStealer, TerraCrypt, TerraRecon, TerraWiper, RevC2, VenomLNK, TerraLoader, and Venom Loader. The activity is tied to Evilnum campaigns targeting FinTech companies in the UK and EU, with initial access in related reporting achieved through spearphishing lures themed around KYC documents, malicious links, ZIP archives, and LNK files. High-confidence behavior directly stated for TerraTV is TeamViewer hijacking/abuse for remote access and malicious DLL loading from the TeamViewer directory.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Among the tools used by the Evilnum group are More_eggs, TerraPreter, TerraStealer, and TerraTV.
These modules include TerraStealer for credential harvesting, TerraTV for TeamViewer hijacking, and TerraCrypt for ransomware deployment.
Techniques & procedures
3 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
1 technique
Execution
Stealth
1 technique
Stealth
Lateral Movement
1 technique
Lateral Movement
Recent activity
6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
"Related Families: VenomLNK, TerraLoader, TerraStealer, TerraTV, TerraCrypt, TerraRecon, TerraWiper, lite_more_eggs, RevC2, Venom Loader"
Golden Chickens module used for TeamViewer hijacking to facilitate remote access/control.
A named malware/tool in the Golden Chickens ecosystem that the content states was used by Evilnum.
A malware variant associated with Evilnum that performs DLL sideloading via the TeamViewer directory and facilitates remote access by launching legitimate TeamViewer on compromised hosts.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.