BusinessPostCorner.com
No Result
View All Result
Thursday, July 16, 2026
  • Home
  • Business
  • Finance
  • Accounting
  • Tax
  • Management
  • Marketing
  • Crypto News
  • Human Resources
BusinessPostCorner.com
  • Home
  • Business
  • Finance
  • Accounting
  • Tax
  • Management
  • Marketing
  • Crypto News
  • Human Resources
No Result
View All Result
BusinessPostCorner.com
No Result
View All Result

New ‘Torg Grabber’ Malware Targets 728 Crypto Wallets

March 27, 2026
in Crypto News
Reading Time: 5 mins read
A A
0
New ‘Torg Grabber’ Malware Targets 728 Crypto Wallets
ShareShareShareShareShare

Author

Ahmed Balaha

Author

Ahmed BalahaVerified

Part of the Team Since

Aug 2025

About Author

Ahmed Balaha is a journalist and copywriter based in Georgia with a growing focus on blockchain technology, DeFi, AI, privacy, digital assets, and fintech innovation.

Share

Last updated: 

March 27, 2026

New ‘Torg Grabber’ Malware Targets 728 Crypto Wallets

Torg Grabber, a newly identified infostealer malware, targets 728 crypto wallet extensions across 850 browser add-ons, and it is already in active deployment.

The malware exfiltrates seed phrases, private keys, and session tokens through encrypted channels before most endpoint tools register a detection event. Self-custody users running browser-based wallets are the primary exposure surface.

Gen Digital researchers documented the threat after tracing a loader chain through domain reputation data, ultimately compiling 334 samples across a three-month development window. This is not a proof-of-concept. It is a live Malware-as-a-Service operation with identified operators.

Key Takeaways:

  • Threat Scope: Torg Grabber scans 850 browser extensions, 728 of them crypto wallet targets, across 25 Chromium and 8 Firefox browser variants.
  • Attack Method: Dropper masquerades as a legitimate Chrome update (GAPI_Update.exe, 60 MB), deploys payload via a fake 420-second Windows Security Update progress bar, then exfiltrates data using ChaCha20 encryption with HMAC-SHA256 authentication through Cloudflare infrastructure.
  • Who Is at Risk: Browser-extension wallet users — MetaMask, Phantom, and comparable hot wallets — face direct credential theft; hardware wallet users face indirect risk only if seed phrases are stored digitally.

Discover: The best crypto presales gaining institutional momentum right now

The Mechanism: How Torg Grabber Malware Executes the Attack On Crypto Wallets

The infection chain opens with a dropper disguised as GAPI_Update.exe — a 60 MB InnoSetup package distributed from Dropbox infrastructure. It extracts three benign DLLs into %LOCALAPPDATA%\Connector\ to establish a clean-looking footprint, then launches a fake Windows Security Update progress bar running for exactly 420 seconds, complete with animated ASCII art compiled via csc.exe. The delay is deliberate: it creates a plausible installation window while the payload deploys.

The final executable drops under randomized names — v4jkqh.exe, hkjpy08.exe, ln3dkgz.exe — into C:\Windows\ across documented samples. One captured 13 MB instance spawned dllhost.exe and attempted to disable Event Tracing for Windows before behavioral detection terminated it mid-execution.

Post-deployment, Torg Grabber targets 25 Chromium browsers, 8 Firefox variants, Discord, Steam, Telegram, VPN clients, FTP clients, email clients, and password managers in addition to crypto wallets. Data is archived to an in-memory ZIP or streamed in chunks. Exfiltration routes through Cloudflare endpoints using per-request HMAC-SHA256 X-Auth-Token headers and ChaCha20 encryption — a production-grade architecture, not improvised tooling.

🚨 CRYPTO THEFT MALWARE: New “Torg Grabber” infostealer targets 728 cryptocurrency wallets.

The malware is designed to harvest wallet data and enable theft of digital assets.

Crypto wallets remain a primary target for financially motivated attackers.

— CyberAlertsHQ (@CyberAlertsHQ) March 25, 2026

Gen Digital’s analysis identified over 40 operator tags embedded in binaries: nicknames, date-encoded batch IDs, and Telegram user IDs linking eight operators to the Russian cybercrime ecosystem. The MaaS model means individual operators can deploy custom shellcode post-registration, expanding the attack surface beyond the base configuration. As Gen Digital researchers described it, Torg Grabber evolved from Telegram dead drops to “a production-grade REST API that worked like a Swiss watch dipped in poison.”

Discover: The best crypto to diversify your portfolio with

The Self-Custody Signal: What 728 Wallets Actually Means

728 is not an arbitrary number. It represents a deliberate configuration sweep, every major browser-based wallet with measurable installation volume. MetaMask alone has over 30 million monthly active users. The extension-targeting logic means Torg Grabber does not need to find a specific victim; it harvests whatever wallet credentials are present on any infected machine.

The broader risk bifurcates cleanly. Self-custody users storing seed phrases in browser storage, text files, or password managers face complete wallet compromise on a single infection. Exchange-held assets are not directly exposed to this specific attack vector, the malware targets local credential stores, not exchange APIs at scale. But session token theft from browser storage can expose connected exchange accounts if login sessions are active.

If Torg Grabber’s MaaS operator base expands, and Gen Digital’s monitoring of its REST API infrastructure suggests active iteration, the wallet targeting list will grow. The 728 figure is a current snapshot, not a ceiling. Comparable infostealers like Vidar and RedLine normalized this model years ago; Torg Grabber is executing the same playbook with more structured infrastructure.

Discover: The best crypto presales gaining institutional momentum right now



Credit: Source link

ShareTweetSendPinShare
Previous Post

Melinda French Gates has a rule for conflict at work: Wait 48 hours before saying anything

Next Post

Franklin Templeton’s $1.7 Trillion Weight

Next Post
Franklin Templeton’s .7 Trillion Weight

Franklin Templeton's $1.7 Trillion Weight

Bitcoin Price Prediction: Overlooked Indicator Gives Bear Market 3 Months Left

Bitcoin Price Prediction: Overlooked Indicator Gives Bear Market 3 Months Left

July 10, 2026
Trump takes a page from Iran’s Hormuz playbook, leveraging the chokepoint to generate revenue

Trump takes a page from Iran’s Hormuz playbook, leveraging the chokepoint to generate revenue

July 13, 2026
SWIFT CIO Debunks XRP Integration Rumor

SWIFT CIO Debunks XRP Integration Rumor

July 10, 2026
Why has the price of a fish and chips dinner gone up?

Why has the price of a fish and chips dinner gone up?

July 10, 2026
IMA unveils Management Accounting Competency Index

IMA unveils Management Accounting Competency Index

July 14, 2026
Buffett calls Bill Gates relationship with Epstein ‘distasteful’

Buffett calls Bill Gates relationship with Epstein ‘distasteful’

July 15, 2026
BusinessPostCorner.com

BusinessPostCorner.com is an online news portal that aims to share the latest news about following topics: Accounting, Tax, Business, Finance, Crypto, Management, Human resources and Marketing. Feel free to get in touch with us!

Recent News

TSMC pledges another 0bn to expand US production in Arizona

TSMC pledges another $100bn to expand US production in Arizona

July 16, 2026
Current price of oil as of July 16, 2026

Current price of oil as of July 16, 2026

July 16, 2026

Our Newsletter!

Loading
  • Contact Us
  • Privacy Policy
  • Terms of Use
  • DMCA

© 2023 businesspostcorner.com - All Rights Reserved!

No Result
View All Result
  • Home
  • Business
  • Finance
  • Accounting
  • Tax
  • Management
  • Marketing
  • Crypto News
  • Human Resources

© 2023 businesspostcorner.com - All Rights Reserved!