
Torg Grabber browser-extension theft activity

Malware Activity
Happening score
H score 21
1 unique source, 1 article

Summary


The Torg Grabber infostealer is actively stealing data from 850 browser extensions, including 728 cryptocurrency wallet extensions, which raises the risk of account takeover and crypto theft. It also targets passwords, cookies, autofill data, screenshots, and files, broadening the impact beyond browser add-ons. The malware uses ClickFix for initial access and has added App-Bound Encryption (ABE) bypass for Chromium browsers. Researchers also observed rapid development, with 334 unique samples compiled over three months and new C2 servers appearing weekly.

Related Happenings

Gremlin stealer modular toolkit evolution

Malware Activity
First: 15.05.2026 17:19 Last: 15.05.2026 17:19 Sources 1

About this happening: The **Gremlin stealer** malware has expanded into a **modular toolkit** with **session-hijacking** and **crypto clipping** capabilities, raising the risk of credential theft and a...

Gremlin stealer adds .NET Resource and XOR obfuscation to evade static analysis

Technical Analysis
First: 15.05.2026 17:19 Last: 15.05.2026 17:19 Sources 1

About this happening: The latest **Gremlin stealer** build adds **.NET Resource** payload hiding and **XOR encoding** to evade static analysis, making detection and triage harder. The malware also expa...

REMUS infostealer browser-session and password-manager collection expansion

Malware Activity
First: 15.05.2026 17:02 Last: 15.05.2026 17:02 Sources 1

About this happening: **REMUS** expanded its **session-theft** and **password-manager** collection capabilities, increasing the malware’s ability to capture authenticated access and browser-side data....

MuddyWater broad cyber-espionage campaign across sectors and countries

Campaign
First: 14.05.2026 00:59 Last: 14.05.2026 00:59 Sources 1

About this happening: **MuddyWater** was tied to a **2026 espionage campaign** affecting **at least nine organizations** across **nine countries** on **four continents**, with victims in **industrial a...

ClickFix attacks with PySoxy scheduled-task persistence

Malware Activity
First: 12.05.2026 15:00 Last: 12.05.2026 15:00 Sources 1

About this happening: Cybercriminals are combining **ClickFix** with **PySoxy** to preserve access on victim machines, letting activity restart even after removal attempts. The setup uses a **Python SO...

Timeline

  1. 25.03.2026 20:32 1 article · 2mo ago

    Torg Grabber moves exfiltration to Cloudflare HTTPS

    Technical Analysis Update

    Torg Grabber abandoned Telegram-based and custom encrypted TCP exfiltration in favor of HTTPS routed through Cloudflare infrastructure, adding chunked data uploads and payload delivery.

  2. 25.03.2026 20:32 1 article · 2mo ago

    Torg Grabber adds App-Bound Encryption bypass

    Technical Analysis Update

    Torg Grabber added App-Bound Encryption (ABE) bypass to defeat Chromium browser cookie protection in Chrome, Brave, Edge, Vivaldi, and Opera.

  3. 25.03.2026 20:32 2 articles · 2mo ago

    Gen Digital discloses Torg Grabber theft scope

    Initial Disclosure

    Gen Digital reported that Torg Grabber was under active development, with 334 unique samples compiled between December 2025 and February 2026 and new C2 servers registered weekly. The infostealer used ClickFix for initial access and targeted 850 browser extensions, including 728 crypto-wallet extensions and 103 password managers or two-factor authentication tools, while stealing credentials, cookies, autofill data, screenshots, and files.
