Torg Grabber browser-extension theft activity
Malware Activity
Summary
Hide ▲
Show ▼
The Torg Grabber infostealer is actively stealing data from 850 browser extensions, including 728 cryptocurrency wallet extensions, which raises the risk of account takeover and crypto theft. It also targets passwords, cookies, autofill data, screenshots, and files, broadening the impact beyond browser add-ons. The malware uses ClickFix for initial access and has added App-Bound Encryption (ABE) bypass for Chromium browsers. Researchers also observed rapid development, with 334 unique samples compiled over three months and new C2 servers appearing weekly.
Related Happenings
ClickFix payload delivery analysis exposes API-driven generation and Downloads-folder AMSI evasion
Technical Analysis
H score74
First: 01.07.2026 08:32
Last: 01.07.2026 08:32
Sources 1
About this happening:
Analysis of **ClickFix** payload delivery shows operators moving to **API-driven servers** and a **Downloads-folder** orchestrator, increasing stealth across live campaigns. The b...
ClickFix payload delivery analysis exposes API-driven generation and Downloads-folder AMSI evasion
Technical AnalysisAbout this happening: Analysis of **ClickFix** payload delivery shows operators moving to **API-driven servers** and a **Downloads-folder** orchestrator, increasing stealth across live campaigns. The b...
Silent Swap browser-extension clipboard clipper
Malware Activity
H score36
First: 30.06.2026 18:40
Last: 30.06.2026 18:40
Sources 1
About this happening:
The **Silent Swap** malware activity now **installs malicious Chromium extensions** that intercept copied wallet addresses and **reroute cryptocurrency transfers** to attacker-con...
Silent Swap browser-extension clipboard clipper
Malware ActivityAbout this happening: The **Silent Swap** malware activity now **installs malicious Chromium extensions** that intercept copied wallet addresses and **reroute cryptocurrency transfers** to attacker-con...
Search for perplexity ai malicious Chrome extension
Malware Activity
H score29
First: 29.06.2026 21:40
Last: 29.06.2026 21:40
Sources 1
About this happening:
A malicious **Chrome extension** named **Search for perplexity ai** impersonated **Perplexity AI** while **intercepting search traffic** and collecting **browsing information** th...
Search for perplexity ai malicious Chrome extension
Malware ActivityAbout this happening: A malicious **Chrome extension** named **Search for perplexity ai** impersonated **Perplexity AI** while **intercepting search traffic** and collecting **browsing information** th...
MacOS ClickFix Terminal-delivered DMG campaign
Campaign
H score37
First: 23.06.2026 21:30
Last: 23.06.2026 21:30
Sources 1
About this happening:
A **macOS ClickFix campaign** is using **fake CAPTCHA pages** and **Terminal commands** to quietly download and launch malicious **DMG files**, putting **Mac devices** at risk of...
MacOS ClickFix Terminal-delivered DMG campaign
CampaignAbout this happening: A **macOS ClickFix campaign** is using **fake CAPTCHA pages** and **Terminal commands** to quietly download and launch malicious **DMG files**, putting **Mac devices** at risk of...
Easy-day-js malware delivery through poisoned Mastra packages
Malware Activity
H score29
First: 22.06.2026 14:30
Last: 22.06.2026 14:30
Sources 1
About this happening:
A poisoned **Mastra** package chain delivered **malware** through **easy-day-js**, creating compromise risk across **Windows, MacOS and Linux** systems. The payload disabled **TLS...
Easy-day-js malware delivery through poisoned Mastra packages
Malware ActivityAbout this happening: A poisoned **Mastra** package chain delivered **malware** through **easy-day-js**, creating compromise risk across **Windows, MacOS and Linux** systems. The payload disabled **TLS...
Timeline
-
25.03.2026 20:32 1 articles · 3mo ago
Torg Grabber moves exfiltration to Cloudflare HTTPS
Technical Analysis UpdateTorg Grabber abandoned Telegram-based and custom encrypted TCP exfiltration in favor of HTTPS routed through Cloudflare infrastructure, adding chunked data uploads and payload delivery.
Show sources
- New Torg Grabber infostealer malware targets 728 crypto wallets — www.bleepingcomputer.com — 25.03.2026 20:32
-
25.03.2026 20:32 1 articles · 3mo ago
Torg Grabber adds App-Bound Encryption bypass
Technical Analysis UpdateTorg Grabber added App-Bound Encryption (ABE) bypass to defeat Chromium browser cookie protection in Chrome, Brave, Edge, Vivaldi, and Opera.
Show sources
- New Torg Grabber infostealer malware targets 728 crypto wallets — www.bleepingcomputer.com — 25.03.2026 20:32
-
25.03.2026 20:32 2 articles · 3mo ago
Gen Digital discloses Torg Grabber theft scope
Initial DisclosureGen Digital reported that Torg Grabber was actively developed, with 334 unique samples compiled between December 2025 and February 2026 and new C2 servers registered weekly; the infostealer used ClickFix initial access and targeted 850 browser extensions, including 728 crypto-wallet extensions and 103 password managers or two-factor authentication tools, while stealing credentials, cookies, autofill data, screenshots, and files.
Show sources
- New Torg Grabber infostealer malware targets 728 crypto wallets — www.bleepingcomputer.com — 25.03.2026 20:32
- New Torg Grabber infostealer malware targets 728 crypto wallets — www.bleepingcomputer.com — 25.03.2026 20:32