Author
Ahmed Balaha
Author
Share
Torg Grabber, a newly identified infostealer malware, targets 728 crypto wallet extensions across 850 browser add-ons, and it is already in active deployment.
The malware exfiltrates seed phrases, private keys, and session tokens through encrypted channels before most endpoint tools register a detection event. Self-custody users running browser-based wallets are the primary exposure surface.
Gen Digital researchers documented the threat after tracing a loader chain through domain reputation data, ultimately compiling 334 samples across a three-month development window. This is not a proof-of-concept. It is a live Malware-as-a-Service operation with identified operators.
- Threat Scope: Torg Grabber scans 850 browser extensions, 728 of them crypto wallet targets, across 25 Chromium and 8 Firefox browser variants.
- Attack Method: Dropper masquerades as a legitimate Chrome update (GAPI_Update.exe, 60 MB), deploys payload via a fake 420-second Windows Security Update progress bar, then exfiltrates data using ChaCha20 encryption with HMAC-SHA256 authentication through Cloudflare infrastructure.
- Who Is at Risk: Browser-extension wallet users — MetaMask, Phantom, and comparable hot wallets — face direct credential theft; hardware wallet users face indirect risk only if seed phrases are stored digitally.
Discover: The best crypto presales gaining institutional momentum right now
The Mechanism: How Torg Grabber Malware Executes the Attack On Crypto Wallets
The infection chain opens with a dropper disguised as GAPI_Update.exe — a 60 MB InnoSetup package distributed from Dropbox infrastructure. It extracts three benign DLLs into %LOCALAPPDATA%\Connector\ to establish a clean-looking footprint, then launches a fake Windows Security Update progress bar running for exactly 420 seconds, complete with animated ASCII art compiled via csc.exe. The delay is deliberate: it creates a plausible installation window while the payload deploys.
The final executable drops under randomized names — v4jkqh.exe, hkjpy08.exe, ln3dkgz.exe — into C:\Windows\ across documented samples. One captured 13 MB instance spawned dllhost.exe and attempted to disable Event Tracing for Windows before behavioral detection terminated it mid-execution.
Post-deployment, Torg Grabber targets 25 Chromium browsers, 8 Firefox variants, Discord, Steam, Telegram, VPN clients, FTP clients, email clients, and password managers in addition to crypto wallets. Data is archived to an in-memory ZIP or streamed in chunks. Exfiltration routes through Cloudflare endpoints using per-request HMAC-SHA256 X-Auth-Token headers and ChaCha20 encryption — a production-grade architecture, not improvised tooling.
Gen Digital’s analysis identified over 40 operator tags embedded in binaries: nicknames, date-encoded batch IDs, and Telegram user IDs linking eight operators to the Russian cybercrime ecosystem. The MaaS model means individual operators can deploy custom shellcode post-registration, expanding the attack surface beyond the base configuration. As Gen Digital researchers described it, Torg Grabber evolved from Telegram dead drops to “a production-grade REST API that worked like a Swiss watch dipped in poison.”
Discover: The best crypto to diversify your portfolio with
The Self-Custody Signal: What 728 Wallets Actually Means
728 is not an arbitrary number. It represents a deliberate configuration sweep, every major browser-based wallet with measurable installation volume. MetaMask alone has over 30 million monthly active users. The extension-targeting logic means Torg Grabber does not need to find a specific victim; it harvests whatever wallet credentials are present on any infected machine.
The broader risk bifurcates cleanly. Self-custody users storing seed phrases in browser storage, text files, or password managers face complete wallet compromise on a single infection. Exchange-held assets are not directly exposed to this specific attack vector, the malware targets local credential stores, not exchange APIs at scale. But session token theft from browser storage can expose connected exchange accounts if login sessions are active.
If Torg Grabber’s MaaS operator base expands, and Gen Digital’s monitoring of its REST API infrastructure suggests active iteration, the wallet targeting list will grow. The 728 figure is a current snapshot, not a ceiling. Comparable infostealers like Vidar and RedLine normalized this model years ago; Torg Grabber is executing the same playbook with more structured infrastructure.
Discover: The best crypto presales gaining institutional momentum right now
