Torg Grabber Malware Targets 728 Crypto Wallets with Advanced Techniques

Torg Grabber Malware Targets 728 Crypto Wallets with Advanced Techniques

First seen 27 Mar 2026, 11:17 UTC BleepingcomputerBitget 84% similarity 72.0

Article Content

Browse articles
ThreatCluster

Torg Grabber, a new infostealer malware, is actively targeting 728 cryptocurrency wallet extensions and other applications, including password managers and communication tools. The malware employs the ClickFix technique to gain initial access and uses a PowerShell command to execute its payload. It has been developed rapidly, with 334 unique samples compiled in just three months, indicating a robust Malware-as-a-Service operation. Torg Grabber uses sophisticated methods for data exfiltration, including HTTPS connections routed through Cloudflare, and employs ChaCha20 encryption for data security. The malware is capable of stealing sensitive information such as credentials, cookies, and session tokens from various applications. Cybersecurity firm Gen Digital has linked the malware to multiple criminal actors, many associated with the Russian cybercrime ecosystem. Users of browser-based hot wallets like MetaMask and Phantom are particularly at risk, as attackers can exploit open sessions to access funds directly. The ongoing evolution of Torg Grabber suggests that its impact will continue to grow.

Key Points: • Torg Grabber targets 728 cryptocurrency wallet extensions and various applications. • The malware uses advanced evasion techniques, including ClickFix and PowerShell commands. • Cybersecurity firm Gen Digital identified 334 unique samples, indicating active development.

ThreatCluster AI

Timeline

2025-12-18
Torg Grabber switches to HTTPS for data exfiltration.
2025-12-22
App-Bound Encryption bypass added to target cookie protection.
2026-03-25
Bleepingcomputer publishes detailed analysis of Torg Grabber.
2026-03-27
Bitget reports on Torg Grabber's operational details.

Community

Browse all →