Digital assets and cryptocurrency wallets have come under renewed threat as a newly identified piece of malicious software, dubbed Torg Grabber, actively targets browser extensions linked to crypto holdings. The malware, currently operational in the wild, is capable of scanning an alarming 728 browser-based crypto wallet extensions among more than 850 targeted plugins, putting the security of countless digital wallets at immediate risk.
How Torg Grabber Infiltrates Devices
Torg Grabber employs a multi-stage infection sequence, initially spreading via an installation package identified by the alias GAPI_Update.exe—an InnoSetup-based file weighing in at 60 MB. Leveraging Dropbox infrastructure, the malware reaches victims’ computers and, once launched, stealthily extracts three innocuous-looking DLL files into the local directory. Simultaneously, it triggers a decoy Windows Security Update screen lasting 420 seconds, during which the malware loads itself in the background, leading the user to believe a legitimate installation process is underway.
Once installation is complete, randomly named executable files are dropped into the Windows directory. Analyzed samples of the threat have attempted to interfere with Windows’ event logging systems—an evasive maneuver designed to conceal its tracks and mask its presence. Fortunately, behavioral analysis solutions have managed to foil these attempts, limiting further compromise.
The reach of Torg Grabber extends beyond just browsers. The malware targets 25 Chromium-based browsers, eight Firefox variants, as well as widely used applications like Discord, Steam, and Telegram. Password vaults, VPN clients, FTP tools, and email clients are all within its sights. Information collected is either compressed on the fly or exfiltrated in small chunks. Data theft operations are routed over Cloudflare using robust ChaCha20 encryption and HMAC-SHA256 authentication, a sign of its sophisticated infrastructure. Rather than a rudimentary hacking tool, Torg Grabber is seen as a well-structured, service-based criminal operation.
Investigators have emphasized that Torg Grabber targets 728 cryptocurrency wallets, enabling the theft of sensitive user data and driving financially motivated attacks.
Who Faces the Greatest Risk?
The highest risk group includes users who manage their crypto assets through browser-based hot wallets such as MetaMask and Phantom. Those retaining private or encryption keys on their machines stand to lose their entire balance in a single breach. Even users of physical hardware wallets can be exposed if they store their recovery phrases in any digital format on the infected device.
Cybersecurity firm Gen Digital’s thorough analysis of Torg Grabber compiled 334 distinct variants within a three-month span, concluding that the campaign is an active example of Malware-as-a-Service rather than a mere experiment. The investigation revealed nearly 40 operator tags, chronological version codes, and Telegram handles embedded in malware binaries. Evidence also points to operations involving eight separate criminal actors, many of whom have established links to the Russian cybercrime ecosystem.
At its core, the attack aims to compromise wallet files that have been downloaded or backed up locally, as well as session tokens that may allow unauthorized access. If the victim’s computer is logged into cryptocurrency exchanges, attackers can potentially exploit open sessions to access funds directly.
While Torg Grabber employs several established techniques seen in previous malware campaigns like Vidar and RedLine, attackers now benefit from a more advanced infrastructure and a continually expanding wallet extension list. The ability to simultaneously scan 728 unique wallets sets a new benchmark for targeted attacks—one that is only expected to grow as the malware evolves.
