Find notable cyber news and cases, enriched with sources, timelines, and signals.

Torg Grabber browser-extension theft activity

Malware Activity
First reported
Last updated
Happening score
H score 36
1 unique sources, 1 articles

Summary

Hide ▲

The Torg Grabber infostealer is actively stealing data from 850 browser extensions, including 728 cryptocurrency wallet extensions, which raises the risk of account takeover and crypto theft. It also targets passwords, cookies, autofill data, screenshots, and files, broadening the impact beyond browser add-ons. The malware uses ClickFix for initial access and has added App-Bound Encryption (ABE) bypass for Chromium browsers. Researchers also observed rapid development, with 334 unique samples compiled over three months and new C2 servers appearing weekly.

Related Happenings

ClickFix payload delivery analysis exposes API-driven generation and Downloads-folder AMSI evasion

Technical Analysis
H score74 First: 01.07.2026 08:32 Last: 01.07.2026 08:32 Sources 1

About this happening: Analysis of **ClickFix** payload delivery shows operators moving to **API-driven servers** and a **Downloads-folder** orchestrator, increasing stealth across live campaigns. The b...

Silent Swap browser-extension clipboard clipper

Malware Activity
H score36 First: 30.06.2026 18:40 Last: 30.06.2026 18:40 Sources 1

About this happening: The **Silent Swap** malware activity now **installs malicious Chromium extensions** that intercept copied wallet addresses and **reroute cryptocurrency transfers** to attacker-con...

Search for perplexity ai malicious Chrome extension

Malware Activity
H score29 First: 29.06.2026 21:40 Last: 29.06.2026 21:40 Sources 1

About this happening: A malicious **Chrome extension** named **Search for perplexity ai** impersonated **Perplexity AI** while **intercepting search traffic** and collecting **browsing information** th...

MacOS ClickFix Terminal-delivered DMG campaign

Campaign
H score37 First: 23.06.2026 21:30 Last: 23.06.2026 21:30 Sources 1

About this happening: A **macOS ClickFix campaign** is using **fake CAPTCHA pages** and **Terminal commands** to quietly download and launch malicious **DMG files**, putting **Mac devices** at risk of...

Easy-day-js malware delivery through poisoned Mastra packages

Malware Activity
H score29 First: 22.06.2026 14:30 Last: 22.06.2026 14:30 Sources 1

About this happening: A poisoned **Mastra** package chain delivered **malware** through **easy-day-js**, creating compromise risk across **Windows, MacOS and Linux** systems. The payload disabled **TLS...

Timeline

  1. 25.03.2026 20:32 1 articles · 3mo ago

    Torg Grabber moves exfiltration to Cloudflare HTTPS

    Technical Analysis Update

    Torg Grabber abandoned Telegram-based and custom encrypted TCP exfiltration in favor of HTTPS routed through Cloudflare infrastructure, adding chunked data uploads and payload delivery.

    Show sources
  2. 25.03.2026 20:32 1 articles · 3mo ago

    Torg Grabber adds App-Bound Encryption bypass

    Technical Analysis Update

    Torg Grabber added App-Bound Encryption (ABE) bypass to defeat Chromium browser cookie protection in Chrome, Brave, Edge, Vivaldi, and Opera.

    Show sources
  3. 25.03.2026 20:32 2 articles · 3mo ago

    Gen Digital discloses Torg Grabber theft scope

    Initial Disclosure

    Gen Digital reported that Torg Grabber was actively developed, with 334 unique samples compiled between December 2025 and February 2026 and new C2 servers registered weekly; the infostealer used ClickFix initial access and targeted 850 browser extensions, including 728 crypto-wallet extensions and 103 password managers or two-factor authentication tools, while stealing credentials, cookies, autofill data, screenshots, and files.

    Show sources