Torg Grabber Malware: A Growing Threat to Crypto Wallets
A newly identified malware, known as Torg Grabber, has been found to target over 728 crypto wallet extensions in 850 browser add-ons. This infostealer is designed to steal sensitive information such as seed phrases, private keys, and session tokens from crypto wallets, allowing attackers to gain unauthorized access to digital assets. According to researchers at Gen Digital, Torg Grabber is already in active use; using domain reputation data, they traced it to a loader chain and collected more than 334 samples compiled over a three-month development period.
The malware operates by scanning 850 browser extensions, including 728 crypto wallet targets, in 25 Chromium and 8 Firefox browser variants. It uses a dropper that masquerades as a legitimate Chrome update, delivering a payload via a fake Windows security update progress bar. The data is then exfiltrated using ChaCha20 encryption with HMAC-SHA256 authentication over Cloudflare infrastructure. Users of browser extension wallets, such as MetaMask and Phantom, are at risk of direct credential theft, while hardware wallet users face indirect risk when seed phrases are stored digitally.
The Mechanism: How Torg Grabber Malware Carries Out the Attack
The infection chain begins with a dropper disguised as GAPI_Update.exe, a 60 MB InnoSetup package distributed via Dropbox infrastructure. It extracts three harmless DLLs to create a clean-looking footprint and then launches a fake Windows Security Update progress bar that runs for 420 seconds, complete with animated ASCII graphics. The delay is intentional, creating a plausible installation window while the payload is deployed. The final executable file is placed under random names in C:\Windows\, and once deployed, Torg Grabber targets various applications, including crypto wallets, Discord, Steam, Telegram, VPN clients, FTP clients, email clients, and password managers.
Stolen data is either archived in an in-memory ZIP file or streamed in blocks, and exfiltration runs through Cloudflare endpoints using per-request HMAC-SHA256 Auth Token headers and ChaCha20 encryption. This is production-grade architecture, not an improvised tool. Gen Digital’s analysis identified over 40 operator tags embedded in the binaries, linking eight operators to the Russian cybercrime ecosystem. The malware-as-a-service (MaaS) model means that individual operators can deploy custom shellcode after registration, expanding the attack surface beyond the base configuration.
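The infection chain above leaves host-level traces that are easier to catch than the encrypted exfiltration: a dropper named GAPI_Update.exe, an executable written under a random name directly into C:\Windows\, a child process launched only after the long fake-update delay, and outbound connections from that unexpected image. The following triage script is an added example and is not Gen Digital's tooling or code from the article; it runs a handful of rules built from those article-reported indicators over constructed Sysmon-style event records. The event field names, the allowlist of executables that legitimately live in the C:\Windows\ root, the 300-second delay threshold, and the host name in the network event are all assumptions chosen for the example.

```python
"""Triage of endpoint events for the Torg Grabber infection chain.

Added example, not code from the article or from Gen Digital.
Event records are constructed, Sysmon-style dictionaries; the field
names (event, image, target, parent_pid, pid, ts, dest_host, dest_port)
are an assumption for this example, not a real telemetry schema.
"""
import re

# Indicators taken from the article: the dropper's file name and the fact
# that the final payload is written under a random name into C:\Windows\.
DROPPER_NAME = "gapi_update.exe"
WINDOWS_ROOT_EXE = re.compile(r"^c:\\windows\\([^\\]+\.exe)$", re.IGNORECASE)

# The article reports a 420 s fake progress bar before the payload runs;
# the 300 s threshold below is an assumed, slightly looser cut-off.
DELAY_THRESHOLD_SECONDS = 300

# Assumed, deliberately small allowlist of executables that normally sit
# directly in C:\Windows\. A real deployment would derive it from a golden image.
KNOWN_WINDOWS_ROOT_EXES = {
    "explorer.exe", "notepad.exe", "regedit.exe", "write.exe", "hh.exe",
    "winhlp32.exe", "bfsvc.exe", "splwow64.exe", "helppane.exe",
}

# Constructed sample events (not real telemetry), ordered as the chain unfolds.
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "ts": 0, "pid": 4120, "parent_pid": 1234,
     "image": r"C:\Users\alice\Downloads\GAPI_Update.exe"},
    {"event": "ProcessCreate", "ts": 5, "pid": 4200, "parent_pid": 1234,
     "image": r"C:\Windows\notepad.exe"},                       # benign
    {"event": "FileCreate", "ts": 210, "image": r"C:\Users\alice\Downloads\GAPI_Update.exe",
     "target": r"C:\Windows\qzkr7vlm.exe"},                     # random-name payload
    {"event": "FileCreate", "ts": 300, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\System32\config\systemprofile\x.exe"},  # not in root, ignored
    {"event": "ProcessCreate", "ts": 415, "pid": 5008, "parent_pid": 4120,
     "image": r"C:\Windows\qzkr7vlm.exe"},                      # launched after the delay
    {"event": "NetworkConnect", "ts": 430, "image": r"C:\Windows\qzkr7vlm.exe",
     "dest_host": "EXAMPLE-C2-HOST.invalid", "dest_port": 443},  # placeholder host
    {"event": "NetworkConnect", "ts": 431, "image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "dest_host": "example.com", "dest_port": 443},             # benign
]


def basename(path):
    """Return the lower-cased final path component."""
    return path.rsplit("\\", 1)[-1].lower()


def unexpected_windows_root_exe(path):
    """True for an .exe directly under C:\\Windows\\ that is not allowlisted."""
    match = WINDOWS_ROOT_EXE.match(path)
    return bool(match) and match.group(1).lower() not in KNOWN_WINDOWS_ROOT_EXES


def triage(events):
    """Run the rules over the events in time order; return (rule, detail) findings."""
    findings = []
    dropper_start = {}          # pid of a dropper-named process -> start timestamp
    suspicious_images = set()   # images already flagged as unexpected in C:\Windows\
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind, image = ev["event"], ev["image"]
        if kind == "ProcessCreate":
            if basename(image) == DROPPER_NAME:
                dropper_start[ev["pid"]] = ev["ts"]
                findings.append(("dropper_name", image))
            if unexpected_windows_root_exe(image):
                suspicious_images.add(image.lower())
                findings.append(("unexpected_windows_root_process", image))
            # A child spawned by the dropper only after a long pause matches the
            # fake-update delay the article describes.
            parent = ev.get("parent_pid")
            if parent in dropper_start and ev["ts"] - dropper_start[parent] >= DELAY_THRESHOLD_SECONDS:
                findings.append(("delayed_child_of_dropper", image))
        elif kind == "FileCreate":
            if unexpected_windows_root_exe(ev["target"]):
                findings.append(("exe_written_to_windows_root", ev["target"]))
        elif kind == "NetworkConnect":
            if image.lower() in suspicious_images:
                findings.append(("network_from_suspicious_image",
                                 f"{image} -> {ev['dest_host']}:{ev['dest_port']}"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule:32s} {detail}")
```

The rules are intentionally cheap and independent, so each one fires on its own; the value of running them together is the correlation (dropper name, then a payload written into the Windows root, then that payload running and reaching out), which is a much stronger signal than any single event. The seven-minute pause between the dropper starting and the payload launching is the one timing feature worth keying on, since a legitimate installer rarely idles that long before spawning its real work.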
The Self-Custody Signal: What 728 Wallets Actually Mean
The number 728 is not arbitrary; it is a deliberate configuration sweep that includes all major browser-based wallets with measurable install volumes. MetaMask alone has over 30 million monthly active users. The extension targeting logic means that Torg Grabber doesn’t need to find a specific victim; it collects all wallet credentials present on each infected computer. The risk divides cleanly: self-custody users who store seed phrases in browser memory, text files, or password managers face complete wallet compromise from a single infection.

As Torg Grabber’s MaaS operator base grows, its wallet targeting list will likely grow with it; Gen Digital’s monitoring of the malware’s REST API infrastructure already suggests active iteration. The number 728 is a current snapshot, not an upper limit. Comparable infostealers like Vidar and RedLine normalized this model years ago; Torg Grabber runs the same playbook with a more structured infrastructure. Crypto wallets remain a prime target for financially motivated attackers, and users must take the necessary precautions to protect their digital assets.

For more information on the Torg Grabber malware and its impact on crypto wallets, visit https://cryptonews.com/news/torg-grabber-malware-targets-crypto-wallets/
