Torg Grabber: the threat that steals cryptocurrency by pasting from the clipboard


If this sounds like a science fiction film, it is because digital crime already has its own scriptwriters: a new information stealer called Torg Grabber is showing that attackers are not only diversifying their targets but also improving their techniques at an accelerated pace. Researchers at the cybersecurity company Gen Digital have published an analysis that paints a disturbing picture: this malware targets hundreds of browser extensions, especially cryptocurrency wallets, and evolves week by week.

Torg Grabber's entry point is not a native browser vulnerability but social engineering that exploits user trust: through the technique known as ClickFix, the malware manipulates the clipboard and tricks the victim into pasting and running a PowerShell command. In other words, the attacker relies on human behaviour (pasting whatever appears on screen) to obtain remote execution without having to confront the system's defences directly.

(Image generated with AI.)

Once inside, Torg Grabber applies modern evasion strategies: it loads its payload in memory, uses layered obfuscation, makes direct system calls (syscalls) and uses reflective DLL loading to avoid detection by traditional file-based analysis. The researchers also note that the project is in full operation: in just three months (December 2025 to February 2026), 334 unique samples were identified, and new command-and-control servers are registered every week.

The scope of what it can steal from a compromised machine is wide. Gen Digital documents that Torg Grabber attempts to extract credentials, cookies and autofill data from 25 Chromium-based browsers and eight Firefox variants. Of the 850 extensions it watches, more than 700 are cryptocurrency wallets, a list that includes both the best-known names (MetaMask, Phantom, Trust Wallet, Coinbase, Binance and Exodus) and hundreds of less popular projects. There are also 103 extensions related to password and authentication managers (from LastPass and 1Password to Bitwarden and TOTP solutions) and several note-taking and messaging applications.

The exfiltration method has changed over time. According to the report, the first versions of the malware sent information through Telegram or over a custom encrypted TCP protocol. In mid-December 2025 the operators changed strategy and moved to HTTPS connections channelled through Cloudflare infrastructure, a design that makes it easier to upload data in fragments and deliver additional payloads without raising as many network alarms.

A relevant technical detail is the appearance of an auxiliary tool called Underground, designed to extract data directly from the browser. This utility reflectively injects a DLL into the browser process to access Chrome's COM elevation service and obtain the master encryption key, a technique already seen in earlier credential-stealing families. This capability, combined with the ability to take screenshots, inventory installed software (including antivirus products) and steal files from the Desktop and Documents folders, makes Torg Grabber a very versatile threat.

The researchers also highlight that the malware can receive and run shellcode sent from the C2, encrypted with ChaCha and compressed with zlib, which makes it possible to deliver modules dynamically without leaving artefacts on disk. In addition, the Gen Digital team warns about the rapid expansion of the operator ecosystem: the first samples already showed up to 40 different tags, suggesting that several groups or individuals are taking advantage of the platform and adapting it.

If this whole description sounds alarming, there are concrete measures that reduce the risk. First, be wary of copying and running commands that appear on web pages, in chats or in pop-up windows; learn to inspect the contents of the clipboard before pasting it and, where possible, avoid running PowerShell commands from untrusted sources. Keeping the browser and its extensions up to date, limiting installed plugins to the strictly necessary ones and reviewing the permissions granted to each extension also help reduce the attack surface.


For those who handle digital assets, the recommendation is not to rely solely on extensions to hold cryptocurrency: using hardware wallets for significant funds adds a physical layer of protection against this type of infostealer. In corporate environments, endpoint detection and response solutions that monitor in-memory execution, together with content filters and policies that block the execution of suspicious commands, are important lines of defence.
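As an added illustration of the kind of policy check mentioned above (example code written for this article, not code from Gen Digital's report), this Python snippet scores constructed process-creation events for the ClickFix pattern: PowerShell launched by hand from an interactive parent with a hidden window, an encoded command, a policy bypass or a download cradle. The event field names, the sample events and the indicator weights are all assumptions.

```python
import re
# Constructed Sysmon-style process-creation events (not from the Gen Digital
# report); the field names are an assumption made for this example.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden "
                "-ExecutionPolicy Bypass -EncodedCommand QUFBQQ=="},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

# Command-line traits of a pasted ClickFix command: hidden window, base64
# payload, policy bypass, in-memory download-and-run. Weights are an
# assumption chosen for this example, not a vendor rule.
INDICATORS = [
    ("hidden_window", r"-w(?:indowstyle)?\s+hidden", 2),
    ("encoded_command", r"-e(?:ncodedcommand|nc|c)?\s+[A-Za-z0-9+/=]{8,}", 3),
    ("exec_policy_bypass", r"-ex(?:ecutionpolicy)?\s+bypass", 1),
    ("download_cradle",
     r"invoke-expression|\biex\b|downloadstring|invoke-webrequest|\biwr\b|\birm\b", 3),
]

def score_event(ev: dict) -> tuple[int, list[str]]:
    """Score one event; only PowerShell launches are considered. An interactive
    parent (explorer.exe) adds weight because a ClickFix victim starts the
    shell by hand instead of via a script or scheduled task."""
    if not re.search(r"\\(?:powershell|pwsh)\.exe$", ev["image"], re.I):
        return 0, []
    score, hits = 0, []
    if re.search(r"\\explorer\.exe$", ev["parent"], re.I):
        score, hits = score + 2, hits + ["interactive_parent"]
    for name, pattern, weight in INDICATORS:
        if re.search(pattern, ev["cmdline"], re.I):
            score, hits = score + weight, hits + [name]
    return score, hits

def flag_clickfix(events: list[dict], threshold: int = 4) -> list[tuple[str, int, list[str]]]:
    """Return (cmdline, score, hits) for every event at or above the threshold."""
    flagged = []
    for ev in events:
        score, hits = score_event(ev)
        if score >= threshold:
            flagged.append((ev["cmdline"], score, hits))
    return flagged
```

Feed it real process-creation telemetry and tune the threshold; the routine backup script in the sample scores zero while the pasted hidden, encoded command is flagged.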

The Torg Grabber case serves as a reminder that modern threats combine social engineering with sophisticated evasion and persistence techniques. If you want to read the complete and updated technical analysis, the Gen Digital report details samples, indicators and observed behaviours: Gen Digital report on Torg Grabber. For additional press perspective and context, see the coverage in specialised media, which describes the scope and rapid evolution of this malware family: article in BleepingComputer.

Technology advances, and so do attackers' tactics. Staying informed, applying basic good practices and treating extensions and clipboard commands with reasonable suspicion are small routines that, together, significantly reduce the risk of becoming the next victim.
