Identity, Privacy, Ransomware, Malware

Extensive credential theft facilitated by novel Torg Grabber infostealer

Crypto Trading theme with blurred city abstract lights background

BleepingComputer reports that the newly emergent Torg Grabber information-stealing malware, which is being spread through the ClickFix technique, has been targeting 850 browser extensions, most of which are for cryptocurrency wallets.

Aside from pilfering data from Binance, TrustWallet, Coinbase, MetaMask, and 700 other cryptocurrency wallet extensions, Torg Grabber, which includes multi-layered obfuscation and multiple anti-analysis techniques, also targeted 103 extensions for authenticators and tokens, including LastPass, NordPass, Akamai MFA, and 1Password, according to a Gen Digital report. Telegram, Discord, Steam, VPN and FTP apps, and email clients have also been siphoned by the infostealer. Torg Grabber which has since transitioned to using an HTTPS connection via Cloudflare infrastructure to enable data uploads and payload distribution in chunks not only allows profiling and hardware fingerprint creation but also enables shellcode execution on targeted devices.

Additional findings showed the rapid development of Torg Grabber, as evidenced by the 300 samples being compiled between December 2025 and February 2026 and the discovery of newly registered command-and-control servers every week.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds