PROBABLYPWNED
Malware | March 26, 2026 | 4 min read

Torg Grabber Steals from 728 Crypto Wallets via ClickFix

New Torg Grabber infostealer targets 728 cryptocurrency wallet extensions and 103 password managers. Spreads via ClickFix clipboard hijacking with Cloudflare-based exfiltration.

James Rivera

Security researchers at Gen Digital have identified a rapidly evolving infostealer called Torg Grabber that targets an astonishing 728 cryptocurrency wallet browser extensions, making it one of the most comprehensive crypto-focused threats observed this year. The malware spreads through ClickFix attacks that hijack victims' clipboards, tricking them into executing malicious PowerShell commands.

Between December 2025 and February 2026, researchers identified 334 unique Torg Grabber samples with new command-and-control servers registered weekly, indicating active and well-resourced development. The threat has already compromised an unknown number of victims across 40 identified operator tags.

What Torg Grabber Steals

The scope of Torg Grabber's targeting is extensive. Beyond the 728 crypto wallet extensions, the malware also harvests data from:

  • 103 password manager and two-factor authentication browser extensions (including LastPass, 1Password, Bitwarden, KeePass, NordPass, Dashlane, and ProtonPass)
  • 19 note-taking applications
  • 25 Chromium-based browsers and 8 Firefox variants
  • Discord, Telegram, Steam, VPN applications, and email clients
  • Desktop cryptocurrency wallets outside the browser

The targeted crypto wallets include essentially every major platform: MetaMask, Phantom, TrustWallet, Coinbase Wallet, Binance, Exodus, TronLink, Ronin, OKX, Keplr, Rabby, Sui, and Solflare. This comprehensive targeting mirrors the approach we've seen from other sophisticated stealers that aim to maximize data extraction from each infected host.

ClickFix Distribution Method

Torg Grabber gains initial access through ClickFix-style attacks, a social engineering technique that's become increasingly prevalent across both Windows and macOS platforms. The attack hijacks the victim's clipboard and tricks them into pasting and executing a malicious PowerShell command.

The technique proves effective because users believe they're completing a legitimate verification step or software installation. Once executed, the malware deploys without requiring administrative privileges.

Technical Sophistication

Torg Grabber employs multiple evasion techniques that complicate detection and analysis:

  • Multi-layered obfuscation with direct syscalls and reflective loading
  • In-memory payload execution that leaves minimal disk artifacts
  • App-Bound Encryption (ABE) bypass added in a December 22, 2025 update
  • DLL injection into browsers via the COM Elevation Service

The ABE bypass capability is particularly concerning. Google introduced App-Bound Encryption in Chrome 127 specifically to prevent infostealers from accessing cookie data. Multiple malware families have since developed workarounds, and Torg Grabber's implementation demonstrates that this protective measure alone is insufficient.

Evolving Exfiltration Infrastructure

Torg Grabber's data exfiltration methods have evolved rapidly. Initial builds used Telegram-based communication and a custom encrypted TCP protocol. On December 18, 2025, both mechanisms were abandoned in favor of HTTPS connections routed through Cloudflare infrastructure.

This shift provides several advantages for the operators: the traffic blends with legitimate web activity, benefits from Cloudflare's reliability, and supports chunked uploads for handling large data sets. The infrastructure also complicates takedown efforts since Cloudflare services are widely used for legitimate purposes.

Detection and Monitoring

Gen Digital researchers noted that Torg Grabber profiles victim systems extensively, collecting hardware fingerprints and installed software inventories. Organizations should monitor for:

  1. Unexpected PowerShell execution from user context
  2. Browser processes spawning unusual child processes
  3. Network connections to unfamiliar Cloudflare-fronted endpoints
  4. Clipboard monitoring or manipulation activity
  5. Access to browser extension storage directories
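As an added illustration (not code from the Gen Digital research or from this article), the following Python rules encode the monitoring points above as checks over a handful of constructed, Sysmon-style process, file and network records. The field names, the browser and script-host lists, the extension-storage path patterns and the sample events are all assumptions made for the example; the extension id in the sample path is a placeholder.

```python
"""Detection rules for the ClickFix / infostealer behaviours listed above,
run over constructed, Sysmon-style telemetry records (simplified fields)."""
from __future__ import annotations
import re

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}
# Children a browser legitimately spawns (assumed allowlist); anything else is worth a look.
BROWSER_CHILD_ALLOW = BROWSERS | {"crashpad_handler.exe", "notification_helper.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Clipboard-to-Run-box execution typically shows up as PowerShell parented by
# explorer.exe with a hidden window, an encoded command, or a download cradle.
SUSPICIOUS_PS_ARGS = re.compile(
    r"(-w(indowstyle)?\s+hidden|-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"
    r"|downloadstring|invoke-webrequest|\biwr\b|\birm\b|\biex\b)", re.IGNORECASE)
# Chromium keeps per-extension state (wallet and vault data) under these directories.
EXT_STORAGE = re.compile(
    r"\\(Local Extension Settings|Sync Extension Settings|Extensions)\\", re.IGNORECASE)


def basename(path: str) -> str:
    """Last path component, lower-cased, so rules compare image names only."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(ev: dict) -> list[str]:
    """Return the names of every rule the event trips (empty list = nothing flagged)."""
    hits: list[str] = []
    image = basename(ev.get("image", ""))
    parent = basename(ev.get("parent_image", ""))
    if ev["type"] == "process_create":
        cmd = ev.get("command_line", "")
        # Rule 1: PowerShell launched from the shell with ClickFix-style switches.
        if image in {"powershell.exe", "pwsh.exe"} and parent == "explorer.exe" \
                and SUSPICIOUS_PS_ARGS.search(cmd):
            hits.append("clickfix_powershell")
        # Rule 2: a browser spawning a child it normally would not.
        if parent in BROWSERS and image not in BROWSER_CHILD_ALLOW:
            hits.append("browser_unusual_child")
    elif ev["type"] == "file_access":
        # Rule 3: a non-browser process reading extension storage.
        if EXT_STORAGE.search(ev.get("target", "")) and image not in BROWSERS:
            hits.append("extension_storage_access")
    elif ev["type"] == "network_connect":
        # Rule 4: a script host talking HTTPS outbound. CDN-fronted exfiltration looks
        # like ordinary TLS, so the originating process is the useful signal here.
        if image in SCRIPT_HOSTS and ev.get("dest_port") == 443:
            hits.append("script_host_https")
    return hits


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """(event index, rule name) for every hit across a batch of events."""
    return [(i, h) for i, ev in enumerate(events) for h in evaluate(ev)]


# Constructed sample telemetry; the encoded command is a meaningless filler string.
SAMPLE_EVENTS = [
    {"type": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -ec QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"},
    {"type": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": "chrome.exe"},
    {"type": "process_create",
     "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Windows\System32\rundll32.exe", "command_line": "rundll32.exe"},
    {"type": "file_access", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default"
               r"\Local Extension Settings\<extension-id-placeholder>\000003.log"},
    {"type": "file_access", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default"
               r"\Local Extension Settings\<extension-id-placeholder>\000003.log"},
    {"type": "network_connect", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest_port": 443},
    {"type": "network_connect", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_port": 443},
]

if __name__ == "__main__":
    for index, rule in scan(SAMPLE_EVENTS):
        print(f"event {index}: {rule}")
```

Each rule is deliberately a behavioural check rather than a hash or domain match, because the article notes new samples and command-and-control hosts appear weekly; the fourth rule in particular keys on the process making the HTTPS connection, since the destination alone tells you little once traffic is routed through a shared CDN.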

The rapid development cadence (334 samples in three months) suggests Torg Grabber's operators are actively iterating based on detection feedback. Security teams should expect new evasion techniques to emerge continuously.

Why This Matters

Cryptocurrency wallet theft represents a particularly attractive target for threat actors because transactions are irreversible and wallets often contain substantial value. Unlike traditional credential theft where victims might recover compromised accounts, stolen crypto is gone permanently.

The 728-wallet targeting scope means Torg Grabber can hit users regardless of which platform they prefer. Combined with password manager targeting, a single infection could compromise both crypto assets and the credentials needed to access traditional financial accounts.

For readers wanting deeper context on how infostealers operate and how to defend against them, our malware fundamentals guide covers the technical mechanisms these threats employ.
