Torg Grabber Malware Targets 850 Browser Extensions

New Torg Grabber info-stealer compromises 850 browser extensions including 700+ cryptocurrency wallets, expanding threat landscape significantly.

25 March 2026, 19:32

Last updated 25 March 2026, 23:00

Severity: High
Exploit: Active Exploit
Patch status: Unavailable
Vendor: Multiple browser extension vendors
Affected: 850 browser extensions includi...
Category: Malware

Torg Grabber Malware Campaign Expands Browser Extension Targeting

Security researchers disclosed a new info-stealing malware campaign on March 25, 2026, built around a threat called Torg Grabber that specifically targets browser extension data. The stealer's targeting list covers 850 browser extensions, more than 700 of which are cryptocurrency wallet extensions.

Torg Grabber represents a notable evolution in info-stealer capabilities, moving beyond traditional credential harvesting to focus on browser extension ecosystems. The breadth of its targeting list indicates that its authors did extensive reconnaissance of popular browser extensions, particularly those handling cryptocurrency transactions and wallet management. Security analysts describe it as one of the most comprehensive browser extension targeting campaigns observed to date.

The malware operates by scanning infected systems for the browser profile directories and configuration files in which extension state is stored. Once it finds them, Torg Grabber extracts stored credentials, private keys, seed phrases, and transaction histories from cryptocurrency wallets. It also harvests authentication tokens, session cookies, and stored passwords from productivity and social media extensions. Targeting so many kinds of extension at once gives attackers broad access to victims' digital identities and financial assets. One caveat worth keeping in mind: wallet extensions such as MetaMask keep the seed phrase in a vault encrypted with the user's wallet password, so a stealer that copies that storage still has to obtain or crack the password, and a stolen vault is only as safe as the password protecting it.

Initial infection vectors appear to include malicious email attachments, compromised software downloads, and drive-by downloads from compromised websites. The malware exhibits evasion techniques, including process hollowing and anti-analysis mechanisms designed to avoid detection by traditional antivirus solutions. The report identifies no CVE associated with the campaign; note that CISA's Known Exploited Vulnerabilities catalog tracks exploited vulnerabilities rather than malware families, so it is not where this campaign would be listed.

Cryptocurrency Users and Browser Extension Ecosystem at Risk

The primary targets of Torg Grabber include users of popular cryptocurrency wallet extensions such as MetaMask, Coinbase Wallet, Trust Wallet, and Phantom. The malware targets Chrome, Firefox, Edge, and Opera browsers across Windows, macOS, and Linux operating systems. Security researchers estimate that millions of cryptocurrency users worldwide could be affected, particularly those who store wallet credentials or private keys within browser extension storage; in practice, anyone with one of the listed extensions installed on an infected host is exposed.

Beyond cryptocurrency wallets, Torg Grabber affects users of password managers, two-factor authentication extensions, and productivity tools that store sensitive data locally. The malware's extensive targeting list includes extensions for banking, e-commerce, social media platforms, and enterprise collaboration tools. Organizations using browser-based authentication systems and employees accessing corporate resources through browser extensions face elevated risks from this campaign.

The threat particularly impacts users who have not adopted basic protective practices, such as keeping cryptocurrency keys on a hardware wallet or enabling additional authentication layers. Small and medium-sized businesses that rely on browser extensions for daily operations may face significant exposure, especially in the financial services, e-commerce, and technology sectors, where cryptocurrency transactions are common.

Detection and Mitigation Strategies for Torg Grabber

Organizations should deploy endpoint detection and response (EDR) tooling capable of monitoring browser extension activity and file system access, with particular attention to processes other than the browser reading extension storage directories inside browser profiles. Security teams should also watch for unusual outbound traffic, particularly connections to command-and-control infrastructure already associated with info-stealer campaigns. Recent analysis of similar crypto-targeting malware provides additional context for detection strategies.
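The following is an added example written for this article, not code from the researchers who reported Torg Grabber, and it demonstrates the file-access monitoring described above. Chromium-family browsers (Chrome, Edge, Opera, Brave) keep each extension's persistent state under profile subdirectories such as Local Extension Settings and IndexedDB, keyed by the extension's 32-character ID drawn from the letters a through p; the script flags any non-browser process that reads such a directory, and escalates when one process touches several extensions, which is the bulk-harvest pattern an info-stealer produces and a backup agent usually does not. The event format, process names, and extension IDs below are constructed for illustration (the IDs are not real extensions), the allowlist of browser images is an assumption to tune per fleet, and Firefox's different profile layout is not covered.

```python
"""Flag non-browser processes reading Chromium extension storage.

Added example for this article; the event format is a simplified EDR-style
JSON-lines feed constructed here, not a real product's schema.
"""
import json
import re
from collections import defaultdict
from pathlib import PurePath

# Profile subdirectories where Chromium-family browsers keep per-extension state.
EXTENSION_STORE_DIRS = {"Local Extension Settings", "Sync Extension Settings", "IndexedDB"}
# Chromium extension IDs are 32 letters from the a-p alphabet; IndexedDB folder
# names embed the ID, e.g. chrome-extension_<id>_0.indexeddb.leveldb.
EXTENSION_ID = re.compile(r"(?<![a-p])[a-p]{32}(?![a-p])")

# Images expected to read that state. Assumption: extend for your fleet
# (the EDR agent itself, sanctioned backup tools, etc.).
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "opera.exe", "brave.exe", "chromium"}

# Distinct extensions one process must touch before we call it a harvest.
BULK_THRESHOLD = 3

# Constructed sample feed: the IDs are made up, the paths mimic a Windows profile.
SAMPLE_EVENTS = r"""
{"ts":"2026-03-25T19:01:02Z","process":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","pid":4120,"path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\abcdefghijklmnopabcdefghijklmnop\\000003.log"}
{"ts":"2026-03-25T19:03:11Z","process":"C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe","pid":7788,"path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\abcdefghijklmnopabcdefghijklmnop\\000003.log"}
{"ts":"2026-03-25T19:03:12Z","process":"C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe","pid":7788,"path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ponmlkjihgfedcbaponmlkjihgfedcba\\CURRENT"}
{"ts":"2026-03-25T19:03:12Z","process":"C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe","pid":7788,"path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\IndexedDB\\chrome-extension_aabbccddeeffgghhaabbccddeeffgghh_0.indexeddb.leveldb\\000005.ldb"}
{"ts":"2026-03-25T19:03:13Z","process":"C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe","pid":7788,"path":"C:\\Users\\alice\\Documents\\notes.txt"}
{"ts":"2026-03-25T19:10:40Z","process":"C:\\Program Files\\Backup\\agent.exe","pid":900,"path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\abcdefghijklmnopabcdefghijklmnop\\MANIFEST-000001"}
"""


def load_events(text):
    """Parse JSON-lines text into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def extension_id_from_path(path):
    """Return the extension ID if path lies inside an extension storage dir, else None."""
    parts = PurePath(path.replace("\\", "/")).parts
    for i, part in enumerate(parts[:-1]):
        if part in EXTENSION_STORE_DIRS:
            match = EXTENSION_ID.search(parts[i + 1])
            if match:
                return match.group(0)
    return None


def triage(events, browser_images=BROWSER_IMAGES, bulk_threshold=BULK_THRESHOLD):
    """Group extension-storage reads by non-browser process and rate each one.

    Returns alerts sorted by first sighting; severity is "high" when a single
    process has touched bulk_threshold or more distinct extensions.
    """
    touched = defaultdict(set)  # (process, pid) -> extension IDs read
    first_seen = {}
    for ev in events:
        ext_id = extension_id_from_path(ev["path"])
        if ext_id is None:
            continue
        image = PurePath(ev["process"].replace("\\", "/")).name.lower()
        if image in browser_images:
            continue  # the browser reading its own storage is normal
        key = (ev["process"], ev["pid"])
        touched[key].add(ext_id)
        first_seen.setdefault(key, ev["ts"])
    alerts = [
        {
            "process": proc,
            "pid": pid,
            "first_seen": first_seen[(proc, pid)],
            "extensions": sorted(ids),
            "severity": "high" if len(ids) >= bulk_threshold else "medium",
        }
        for (proc, pid), ids in touched.items()
    ]
    return sorted(alerts, key=lambda a: a["first_seen"])


if __name__ == "__main__":
    for alert in triage(load_events(SAMPLE_EVENTS)):
        print(json.dumps(alert))
```

On the constructed feed this produces two alerts: update.exe from a Temp directory is rated high because it read three different extensions' storage within seconds, and the backup agent is rated medium because it touched one. In a real deployment the same logic maps onto an EDR query over file-read telemetry, with the browser image allowlist and the threshold tuned to the environment.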

Immediate mitigation steps include disabling unnecessary browser extensions, particularly those with broad permissions or access to sensitive data. Users should move cryptocurrency assets to hardware wallets and avoid storing private keys or seed phrases in browser-based storage. Organizations should implement application allowlisting and restrict extension installation through managed browser policy; for Chromium-based browsers this means the ExtensionInstallBlocklist and ExtensionInstallAllowlist policies (blocklist everything, then allowlist approved extension IDs), and for Firefox the ExtensionSettings policy.

Security administrators should deploy network segmentation to limit lateral movement if systems are compromised. Regular security awareness training focused on phishing recognition and safe browsing practices is critical, since the initial infection vectors rely heavily on social engineering. Incident response teams should prepare procedures for cryptocurrency theft scenarios, including coordination with exchanges and law enforcement agencies for asset recovery efforts.

Frequently Asked Questions

How does Torg Grabber malware steal cryptocurrency wallet data?
Torg Grabber scans infected systems for browser extension directories and extracts stored credentials, private keys, and seed phrases from cryptocurrency wallets. The malware targets over 700 cryptocurrency wallet extensions across multiple browsers.

Which browser extensions are targeted by Torg Grabber?
Torg Grabber targets 850 browser extensions in total, including popular cryptocurrency wallets like MetaMask, Coinbase Wallet, Trust Wallet, and Phantom. It also affects password managers, authentication tools, and productivity extensions.

How can I protect my cryptocurrency wallets from Torg Grabber?
Move cryptocurrency assets to hardware wallets and avoid storing private keys in browser extensions. Disable unnecessary browser extensions, deploy endpoint detection, and use application allowlisting to prevent malware from running.
