Torg Grabber Malware Targets 728 Crypto Wallet Extensions in Active Malware-as-a-Service Operation


Cybersecurity researchers at Gen Digital have identified a new infostealer, Torg Grabber, that targets 850 browser extensions, 728 of them cryptocurrency wallets. It runs as a live Malware-as-a-Service (MaaS) operation, with 334 unique samples compiled between December 2025 and February 2026.

The malware exfiltrates seed phrases, private keys, and session tokens over an encrypted channel, and does so quickly enough that collection is typically complete before most endpoint tools raise an alert. The dropper is disguised as a legitimate Chrome update (GAPI_Update.exe) and shows a fake Windows Security Update progress bar while the payload installs. Torg Grabber targets 25 Chromium-based browsers and 8 Firefox variants, and exfiltrates through Cloudflare-fronted infrastructure, encrypting data with ChaCha20 and authenticating each request with HMAC-SHA256.

The malware is actively developed, with new command-and-control (C2) servers registered weekly and at least 40 operator tags linked to the Russian cybercrime ecosystem.

Attack Mechanism and Delivery

Initial Infection Chain

The dropper, GAPI_Update.exe, is a 60 MB InnoSetup package hosted on Dropbox. It first extracts three benign DLLs into %LOCALAPPDATA%\Connector\ so the install looks like an ordinary application, then shows a fake Windows Security Update progress bar for exactly 420 seconds while the payload deploys. Across the documented samples, the final executable is written directly into the C:\Windows\ root under a randomized name, a location legitimate installers almost never write to. One captured 13 MB instance spawned dllhost.exe and attempted to disable Event Tracing for Windows (ETW) before behavioral detection terminated it mid-execution.
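As an added example (written for this page; not Gen Digital's code and not derived from the sample), the following Python hunt encodes the three host artifacts described above as rules over constructed Sysmon-style events: DLLs landing in %LOCALAPPDATA%\Connector\, an executable written straight into the C:\Windows\ root, and dllhost.exe spawned by an unusual parent. The event layout, the DLL names, and the random executable name are assumptions invented for the example; only the Connector folder, the drop location, and the dllhost.exe spawn come from the article.

```python
import re

# Constructed Sysmon-like events (EventID 11 = FileCreate, EventID 1 = ProcessCreate).
# The records, the DLL names and the random .exe name are fabricated for this
# example; the Connector folder, the C:\Windows\ drop and the dllhost.exe spawn
# are the behaviours the article describes.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\alice\Downloads\GAPI_Update.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "Image": r"C:\Users\alice\Downloads\GAPI_Update.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Connector\helper1.dll"},
    {"EventID": 11, "Image": r"C:\Users\alice\Downloads\GAPI_Update.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Connector\helper2.dll"},
    {"EventID": 11, "Image": r"C:\Users\alice\Downloads\GAPI_Update.exe",
     "TargetFilename": r"C:\Windows\qxkf7d2p.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\dllhost.exe",
     "ParentImage": r"C:\Windows\qxkf7d2p.exe"},
    # Benign noise the rules must not flag: OS servicing writes to C:\Windows\,
    # and dllhost.exe is routinely started by svchost.exe (DCOM launch).
    {"EventID": 11, "Image": r"C:\Windows\servicing\TrustedInstaller.exe",
     "TargetFilename": r"C:\Windows\notepad.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\dllhost.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
]

# An .exe created directly in the Windows root, with no subdirectory.
WINDOWS_ROOT_EXE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.IGNORECASE)
# Any DLL under the per-user Connector folder the dropper creates.
CONNECTOR_DLL = re.compile(r"\\appdata\\local\\connector\\[^\\]+\.dll$", re.IGNORECASE)
# Components that legitimately write into C:\Windows\ during servicing.
TRUSTED_WRITERS = {"trustedinstaller.exe", "tiworker.exe", "msiexec.exe"}
# Parents from which dllhost.exe (the COM surrogate) is normally launched.
NORMAL_DLLHOST_PARENTS = {"svchost.exe", "services.exe", "explorer.exe"}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_connector_dll_drop(ev):
    return ev["EventID"] == 11 and bool(CONNECTOR_DLL.search(ev["TargetFilename"]))


def rule_exe_in_windows_root(ev):
    return (ev["EventID"] == 11
            and bool(WINDOWS_ROOT_EXE.match(ev["TargetFilename"]))
            and _basename(ev["Image"]) not in TRUSTED_WRITERS)


def rule_dllhost_odd_parent(ev):
    return (ev["EventID"] == 1
            and _basename(ev["Image"]) == "dllhost.exe"
            and _basename(ev["ParentImage"]) not in NORMAL_DLLHOST_PARENTS)


RULES = {
    "connector_dll_drop": rule_connector_dll_drop,
    "exe_in_windows_root": rule_exe_in_windows_root,
    "dllhost_odd_parent": rule_dllhost_odd_parent,
}


def hunt(events):
    """Return (rule_name, event) for every event that trips a rule."""
    return [(name, ev) for ev in events for name, rule in RULES.items() if rule(ev)]


def summarize(events):
    """Hit count per rule, the view a SIEM dashboard would give."""
    counts = {}
    for name, _ in hunt(events):
        counts[name] = counts.get(name, 0) + 1
    return counts


def high_confidence(events):
    # Escalate only when the chain links up: DLLs were staged in Connector\,
    # an .exe landed in the Windows root, and dllhost.exe was spawned by that
    # same .exe. Any single rule alone is too noisy to page on.
    hits = hunt(events)
    dropped = {ev["TargetFilename"].lower() for n, ev in hits if n == "exe_in_windows_root"}
    staged = any(n == "connector_dll_drop" for n, _ in hits)
    chained = any(n == "dllhost_odd_parent" and ev["ParentImage"].lower() in dropped
                  for n, ev in hits)
    return staged and chained


if __name__ == "__main__":
    for name, ev in hunt(SAMPLE_EVENTS):
        print(f"[{name}] {ev.get('TargetFilename') or ev['Image']}")
    print("escalate:", high_confidence(SAMPLE_EVENTS))
```

The single-rule detections are deliberately cheap and will fire on some legitimate software; the correlation in high_confidence is what turns them into an alert worth acting on, because it requires the drop location and the dllhost.exe parent to be the same randomized file.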

Exfiltration Infrastructure

Collected data is either packed into an in-memory ZIP or streamed in chunks, then sent to Cloudflare-fronted endpoints; each request body is encrypted with ChaCha20 and carries a per-request HMAC-SHA256 value in an X-Auth-Token header. Early builds used Telegram dead drops and a custom encrypted TCP protocol; the current infrastructure is an HTTPS REST-style API behind Cloudflare that supports chunked uploads as well as payload delivery to the infected host. Because the connection terminates at Cloudflare's edge, blocking by destination IP is impractical; network detection has to key on the C2 domain, the header pattern, or the upload cadence.
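To make the exfiltration framing concrete, here is an added example, written for this page and not derived from Torg Grabber's binaries, that models one chunked upload end to end in Python: the client encrypts each chunk with ChaCha20 and computes a per-request HMAC-SHA256 X-Auth-Token, and the server verifies the token before decrypting. ChaCha20 is implemented inline per RFC 8439 (with the RFC's own test vector as a self-check) so the script runs on a stock Python install. What the HMAC covers, the chunk size, how keys are derived, and the X-Upload-Id, X-Chunk-Index and X-Nonce headers are all assumptions; the article only states that the token header exists and that the body is ChaCha20-encrypted.

```python
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF


def _rotl32(v, c):
    return ((v << c) & MASK) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block (RFC 8439 section 2.3): 32-byte key, 12-byte nonce."""
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]
    state += struct.unpack("<8L", key)
    state += [counter & MASK] + list(struct.unpack("<3L", nonce))
    w = state[:]
    for _ in range(10):  # 20 rounds as 10 column/diagonal double rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16L", *[(x + y) & MASK for x, y in zip(w, state)])


def chacha20_xor(key, nonce, counter, data):
    """Encrypt or decrypt (same operation) by XORing data with the keystream."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = chacha20_block(key, counter + off // 64, nonce)
        out += bytes(p ^ k for p, k in zip(data[off:off + 64], ks))
    return bytes(out)


def rfc8439_self_check():
    """Check the cipher against the RFC 8439 section 2.4.2 test vector."""
    key = bytes(range(32))
    nonce = bytes.fromhex("000000000000004a00000000")
    msg = (b"Ladies and Gentlemen of the class of '99: If I could offer you "
           b"only one tip for the future, sunscreen would be it.")
    ct = chacha20_xor(key, nonce, 1, msg)
    return ct[:16].hex() == "6e2e359a2568f98041ba0728dd0d6981" and ct[-2:].hex() == "874d"


CHUNK_SIZE = 4096  # assumption; the article only says uploads are chunked


def build_chunk(enc_key, auth_key, upload_id, index, plaintext):
    """Client side: encrypt one chunk and sign the request with a fresh token."""
    nonce = os.urandom(12)                      # never reuse a nonce under one key
    body = chacha20_xor(enc_key, nonce, 0, plaintext)
    # The token binds the ciphertext to its upload and position, so a replayed,
    # reordered or tampered chunk fails verification. (Assumed layout.)
    tag_input = upload_id + struct.pack("<I", index) + nonce + body
    token = hmac.new(auth_key, tag_input, hashlib.sha256).hexdigest()
    return {"X-Auth-Token": token, "X-Upload-Id": upload_id.hex(),
            "X-Chunk-Index": index, "X-Nonce": nonce.hex(), "body": body}


def accept_chunk(enc_key, auth_key, req):
    """Server side: verify the token in constant time before decrypting anything."""
    upload_id = bytes.fromhex(req["X-Upload-Id"])
    nonce = bytes.fromhex(req["X-Nonce"])
    tag_input = upload_id + struct.pack("<I", req["X-Chunk-Index"]) + nonce + req["body"]
    expected = hmac.new(auth_key, tag_input, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, req["X-Auth-Token"]):
        return None                             # forged, replayed or tampered
    return chacha20_xor(enc_key, nonce, 0, req["body"])


def exfiltrate(enc_key, auth_key, blob):
    """Run the chunked upload client->server and return what the C2 reassembles."""
    upload_id = os.urandom(8)
    parts = []
    for idx, off in enumerate(range(0, len(blob), CHUNK_SIZE)):
        req = build_chunk(enc_key, auth_key, upload_id, idx, blob[off:off + CHUNK_SIZE])
        part = accept_chunk(enc_key, auth_key, req)
        if part is None:
            raise RuntimeError(f"chunk {idx} rejected")
        parts.append(part)
    return b"".join(parts)


# Constructed stand-in for the in-memory ZIP of wallet data; not real content.
SAMPLE_BLOB = b"constructed sample, not a real seed phrase or wallet file\n" * 200

if __name__ == "__main__":
    ek, ak = os.urandom(32), os.urandom(32)
    print("RFC 8439 vector ok:", rfc8439_self_check())
    print("round trip ok:", exfiltrate(ek, ak, SAMPLE_BLOB) == SAMPLE_BLOB)
```

The point for defenders is what this channel looks like from the outside: the body is structureless ciphertext and the token changes on every request, so content inspection at a proxy sees nothing useful, and detection has to rest on the destination domain, the header name, and a steady cadence of similarly sized POSTs. Conversely, an analyst who recovers the keys from a sample's configuration can decrypt captured uploads with the same accept_chunk logic.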

Scope of Targets

Browser and Wallet Coverage

Torg Grabber targets 25 Chromium-based browsers and 8 Firefox variants, harvesting saved credentials, cookies, and autofill data from each. Of the 850 browser extensions on its list, 728 are cryptocurrency wallets, covering “essentially every crypto wallet ever conceived by human optimism.” Researchers noted: “The marquee names are all there—MetaMask, Phantom, TrustWallet, Coinbase, Binance, Exodus, TronLink, Ronin, OKX, Keplr, Rabby, Sui, Solflare—but the list doesn’t stop at the big names.”

Additional Targets

Beyond crypto wallets, the malware targets 103 extensions for password managers, tokens, and authenticators, including LastPass, 1Password, Bitwarden, KeePass, NordPass, Dashlane, and ProtonPass, as well as the 2FAAuth, GAuth, and TOTP Authenticator extensions. A browser-based TOTP authenticator keeps its secrets in extension storage on the same machine, so the second factor falls together with the first. The stealer also collects data from Discord, Telegram, Steam, VPN and FTP clients, email clients, desktop password managers, and desktop cryptocurrency wallet applications. On the host it profiles the system, builds a hardware fingerprint, enumerates installed software (including checks for 24 antivirus products), takes screenshots, and steals files from the Desktop and Documents folders.

Technical Capabilities and Evolution

Anti-Analysis and Evasion

The malware layers multiple anti-analysis checks and obfuscation, uses direct syscalls and reflective loading to sidestep user-mode hooks, and runs the final payload entirely in memory. On December 22, 2025, Torg Grabber added a bypass for App-Bound Encryption (ABE), the cookie protection used by Chrome and other Chromium browsers including Brave, Edge, Vivaldi, and Opera. ABE was introduced specifically to stop infostealers from decrypting cookies with the user's DPAPI key alone, so a working bypass removes the main barrier to session-cookie theft on those browsers.

Malware-as-a-Service Structure

Gen Digital’s analysis found over 40 operator tags embedded in the binaries (nicknames, date-encoded batch IDs, and Telegram user IDs) that tie the operators to the Russian cybercrime ecosystem. Under the MaaS model, an individual operator can push custom shellcode to an infected host once it registers with the C2, so a given infection's capabilities are not limited to the base build. As Gen Digital researchers described it, Torg Grabber evolved from Telegram dead drops to “a production-grade REST API that worked like a Swiss watch dipped in poison.”

Risk Assessment

Self-Custody Users

A self-custody user who keeps a seed phrase anywhere the stealer reads (wallet extension storage, a text file on the Desktop or in Documents, or a password manager extension) faces complete wallet compromise from a single infection. The extension-targeting logic is indiscriminate: Torg Grabber harvests whatever wallet credentials exist on an infected machine, whether or not that user was the intended target.

Exchange and Hardware Wallet Users

Assets held on an exchange are not directly exposed, since the malware targets local credential stores rather than exchange APIs. An active exchange login is a different matter: a stolen session cookie or token lets the operator reuse that session without the password or a second factor until it expires or is revoked. Hardware wallet users are exposed only indirectly, and only if a seed phrase backup is stored digitally on the infected machine.

Frequently Asked Questions

How does Torg Grabber infect devices?

The malware is delivered through a dropper disguised as a legitimate Chrome update (GAPI_Update.exe) hosted on Dropbox. It shows a fake Windows Security Update progress bar for 420 seconds while the payload installs; the progress bar is social engineering, meant to keep the user waiting rather than investigating.

Which cryptocurrency wallets are most at risk?

The malware targets 728 wallet extensions across 25 Chromium and 8 Firefox browsers, including MetaMask, Phantom, TrustWallet, Coinbase Wallet, Binance Wallet, Exodus, TronLink, Ronin, OKX, Keplr, Rabby, Sui, and Solflare. Any user running browser-based wallet extensions is at direct risk.

How can users protect themselves from Torg Grabber?

Users should not install software from untrusted sources and should treat any prompt to download an update executable as suspicious; Chrome updates itself through its built-in updater and never asks the user to run a separate installer. Significant holdings belong in a hardware wallet with the seed phrase stored offline, never in a file, a note, or a browser-based password manager. If a machine running a wallet extension turns out to be infected, assume the seed phrase is compromised and move funds to a wallet generated on a clean device; changing passwords or reinstalling the extension does not help, because the seed itself is the credential. Organizations should block the known malicious domains, revoke browser sessions on affected hosts, and monitor for the indicators of compromise documented by Gen Digital.

Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to Disclaimer.