
New Torg Grabber Malware Steals from 728 Crypto Wallets

Summary

– Torg Grabber is a rapidly evolving info-stealing malware that targets data from 850 browser extensions, over 700 of which are for cryptocurrency wallets.
– It initially infects systems using the ClickFix technique, which hijacks the clipboard to trick users into running a malicious PowerShell command.
– The malware steals data from a wide range of sources including password managers, two-factor authentication tools, note-taking apps, and various desktop applications.
– It employs advanced evasion techniques like anti-analysis mechanisms, multi-layered obfuscation, and uses Cloudflare infrastructure for secure data exfiltration.
– Researchers note its development is active, with new command-and-control servers registered weekly and an expanding operator base.

A rapidly evolving strain of malware is demonstrating the severe risks facing cryptocurrency users and online security. Dubbed Torg Grabber, this sophisticated info-stealer has already been seen in over 300 unique samples in just three months, with new command-and-control servers appearing weekly. Its primary function is to plunder sensitive data from a vast array of browser extensions, with a staggering 728 of its 850 total targets being cryptocurrency wallets. Initial infection often occurs through a method known as the ClickFix technique, where the malware hijacks the clipboard and deceives a user into running a malicious PowerShell command.
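As an added, defender-side example (not code from the article or its source), the following Python scores constructed process-creation events, shaped like Sysmon Event ID 1 records, for the ClickFix pattern described above: a pasted command that makes explorer.exe spawn PowerShell with evasion-oriented switches. The parent-process list, switch patterns, sample events and threshold are assumptions to tune per environment.

```python
"""Heuristic detector for ClickFix-style PowerShell launches (constructed example)."""
import ntpath
import re

# Parents that should rarely spawn PowerShell on a workstation unless a user
# pasted a command into the Run dialog or a console (assumption: tune per site).
INTERACTIVE_PARENTS = {"explorer.exe", "mshta.exe", "cmd.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Real PowerShell switches and cmdlets that pasted one-liners commonly rely on.
SUSPICIOUS_SWITCHES = [
    r"-(?:e|ec|enc|encodedcommand)\b",      # base64-encoded script body
    r"-w(?:indowstyle)?\s+h(?:idden)?\b",   # hide the console window
    r"-(?:ep|executionpolicy)\s+bypass\b",  # ignore script execution policy
    r"-nop\b|-noprofile\b",                 # skip profile (less logging noise)
    r"\b(?:iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring)\b",
]
FLAG_THRESHOLD = 3  # assumption: 2 for the parent/child pair + 1 switch


def score_event(event):
    """Return a heuristic score; higher means more ClickFix-like."""
    parent = ntpath.basename(event["parent"]).lower()
    image = ntpath.basename(event["image"]).lower()
    score = 2 if image in POWERSHELL_IMAGES and parent in INTERACTIVE_PARENTS else 0
    score += sum(1 for pat in SUSPICIOUS_SWITCHES
                 if re.search(pat, event["cmdline"], re.IGNORECASE))
    return score


def is_clickfix_candidate(event):
    return score_event(event) >= FLAG_THRESHOLD


def scan(events):
    """Return the command lines of events that cross the threshold."""
    return [e["cmdline"] for e in events if is_clickfix_candidate(e)]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed telemetry, not real samples
    {"parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": "powershell.exe -w hidden -ep bypass -enc <BASE64_PLACEHOLDER>"},
    {"parent": r"C:\Windows\System32\svchost.exe", "image": PS,   # scheduled task
     "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"},
    {"parent": r"C:\Windows\explorer.exe", "image": PS,           # user opened a shell
     "cmdline": "powershell.exe"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ClickFix candidate:", hit)
```

Only the first constructed event crosses the threshold; the scheduled-task and plain interactive launches stay below it.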

The malware’s evolution has been swift. Early versions used Telegram and a custom encrypted TCP protocol to exfiltrate stolen data, but by mid-December 2025, the operators switched to a more resilient method. They now use HTTPS connections routed through Cloudflare infrastructure, which supports chunked uploads and payload delivery. To avoid detection, Torg Grabber employs multi-layered obfuscation, direct system calls, and reflective loading to run its final payload entirely in memory. It also incorporates an App-Bound Encryption bypass to defeat the cookie protection in major browsers such as Chrome, Edge, and Brave.

A particularly concerning aspect is its use of a standalone tool called Underground. This tool reflectively injects a DLL into a browser to access Chrome’s COM Elevation Service, extracting the master encryption key. This technique, also seen in the VoidStealer malware, highlights the advanced tactics used to bypass modern security measures.

The scope of Torg Grabber’s theft is exceptionally broad. It targets 25 Chromium-based browsers and 8 Firefox variants, aiming to harvest credentials, cookies, and autofill data. Its list of wallet extensions is exhaustive, covering virtually every major and niche project. Researchers note that MetaMask, Phantom, TrustWallet, and Coinbase are all on the list, along with countless lesser-known wallets. Beyond crypto, the malware targets 103 extensions for password managers and two-factor authenticators, including LastPass, 1Password, Bitwarden, and GAuth.

Its capabilities extend far beyond browser data. Torg Grabber can profile the infected system, create a hardware fingerprint, document installed software including 24 antivirus programs, and take screenshots. It also steals files from Desktop and Documents folders and can execute delivered shellcode on the compromised device. With an expanding operator base marked by 40 distinct tags, this rapidly developing threat shows no signs of slowing down, posing a continuous risk to digital assets and personal information.

(Source: BleepingComputer)
