A rapidly evolving malware, Torg Grabber, is targeting hundreds of browser extensions, including cryptocurrency wallets and password managers, using advanced evasion and data exfiltration techniques, raising concerns over large-scale credential theft and the growing sophistication of modern cybercrime operations.

Researchers Trace Malware That Uses Advanced Evasion To Target Crypto Wallets And Credentials

The420 Web Desk

A newly identified malware strain known as Torg Grabber is actively harvesting sensitive user data from a wide ecosystem of browser-based tools, according to researchers at cybersecurity firm Gen Digital. The malware targets at least 850 browser extensions, more than 700 of which are linked to cryptocurrency wallets.

The scope of its reach extends beyond digital assets. Investigators found that Torg Grabber is also capable of extracting data from 103 password managers and two-factor authentication tools, as well as note-taking applications. The breadth of these targets suggests an attempt to consolidate access to multiple layers of user identity and financial credentials.

Initial infection occurs through a method known as “ClickFix,” which manipulates the user’s clipboard and deceives them into executing a malicious PowerShell command. Once triggered, the malware establishes a foothold that allows further stages of the attack to unfold.

Rapid Iteration and Evolving Infrastructure

Researchers describe Torg Grabber as a rapidly developing threat. Between December 2025 and February 2026, 334 unique samples of the malware were identified, indicating sustained development activity. During the same period, new command-and-control infrastructure was registered on a weekly basis.

Early versions of the malware relied on Telegram-based channels and later a custom encrypted TCP protocol for exfiltrating stolen data. By mid-December, however, the operators had shifted to HTTPS communication routed through Cloudflare infrastructure, a move that supports chunked data uploads and more flexible payload delivery.

This transition reflects a broader pattern in malware design, where operators adapt quickly to evade detection while maintaining reliable communication channels with compromised systems.

Evasion Techniques and Encryption Bypass

Torg Grabber employs a layered approach to avoid detection. Researchers noted the use of anti-analysis techniques, multi-layered obfuscation, and direct system calls to bypass traditional monitoring tools. The malware executes its final payload entirely in memory, reducing its visibility to endpoint defenses.

On December 22, 2025, the malware introduced a capability to bypass App-Bound Encryption (ABE), a browser security mechanism designed to protect stored cookies. This allowed it to circumvent protections in major Chromium-based browsers, including Chrome, Edge, Brave, Opera and Vivaldi.

In parallel, analysts identified a standalone component called “Underground,” used specifically to extract browser data. This tool injects a dynamic link library into the browser environment, enabling access to Chrome’s COM Elevation Service and the retrieval of master encryption keys. Researchers noted similarities between this method and techniques previously observed in other information-stealing malware families.
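As an added defender-side illustration (example code written here, not from Gen Digital's report or the original article), the following Python triages constructed Sysmon-style events for the two stages the article describes: a ClickFix-style PowerShell launch from an interactive parent, and a foreign process opening a Chromium browser with memory-write or thread-creation rights, which is the kind of handle a DLL injection into the browser requires. The event layout, file paths, flag list and access-mask thresholds are assumptions for the example.

```python
import re

# Constructed Sysmon-style records (hypothetical sample telemetry, not real logs).
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -nop -ep bypass -enc <BASE64_PLACEHOLDER>"},
    {"EventID": 1, "ParentImage": r"C:\Program Files\Git\git-bash.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -File .\\build.ps1"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\upd.exe",
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "GrantedAccess": "0x1FFFFF"},
]

BROWSERS = ("chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe")
SHELLS = ("powershell.exe", "pwsh.exe")
INTERACTIVE_PARENTS = ("explorer.exe",)  # Run dialog and desktop launches (assumed parent)
# Flags commonly seen in pasted one-liners: hidden window, encoded command, download cradle.
SUSPICIOUS_PS = re.compile(r"(?i)(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s|"
                           r"\biex\b|invoke-expression|downloadstring|invoke-webrequest)")
PROCESS_VM_WRITE, PROCESS_CREATE_THREAD = 0x0020, 0x0002  # Win32 access-mask bits

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def triage(ev):
    """Return the reasons (possibly none) this event matches the stealer chain."""
    reasons = []
    if ev.get("EventID") == 1 and basename(ev["Image"]) in SHELLS:
        if basename(ev["ParentImage"]) in INTERACTIVE_PARENTS and SUSPICIOUS_PS.search(ev["CommandLine"]):
            reasons.append("clickfix: interactive PowerShell with hidden/encoded/download flags")
    if ev.get("EventID") == 10 and basename(ev["TargetImage"]) in BROWSERS:
        access = int(ev["GrantedAccess"], 16)
        src, dst = basename(ev["SourceImage"]), basename(ev["TargetImage"])
        # The browser opening its own child processes is normal; a foreign image is not.
        if src != dst and access & (PROCESS_VM_WRITE | PROCESS_CREATE_THREAD):
            reasons.append("browser injection: foreign process opened browser with write/thread rights")
    return reasons

def scan(events):
    return [(i, r) for i, ev in enumerate(events) for r in triage(ev)]

if __name__ == "__main__":
    for i, reason in scan(SAMPLE_EVENTS):
        print(f"event {i}: {reason}")
```

Tune the parent list and access mask to the environment; build tooling that legitimately spawns encoded PowerShell or debuggers that attach to the browser will need allow-listing.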

Extensive Data Theft Capabilities

The malware’s reach spans both mainstream and niche applications. Among cryptocurrency wallets, it targets widely used platforms such as MetaMask, Phantom, Trust Wallet, Coinbase, Binance and Exodus, as well as a long tail of lesser-known tools.

Its coverage of password management systems is similarly broad, including services like LastPass, 1Password, Bitwarden, KeePass and ProtonPass, alongside authentication tools such as 2FAuth and Google Authenticator-compatible platforms.

Beyond credentials, Torg Grabber is capable of collecting data from messaging and communication platforms, including Discord and Telegram, as well as VPN applications, FTP clients and email software. It can also profile infected systems, generate hardware fingerprints, document installed software — including antivirus programs — capture screenshots, and extract files from user directories.

In addition, the malware can execute shellcode delivered from command-and-control servers in encrypted and compressed formats, further expanding its operational flexibility. Gen Digital researchers caution that the malware’s development is ongoing. With new infrastructure appearing regularly and its operator base expanding, Torg Grabber reflects a category of threats that continues to grow in both capability and reach, adapting quickly to the defenses designed to contain it.