Torg Grabber Turns Your Browser Into a Wallet Heist-as-a-Service Platform – 728 Extensions on the Menu
A new info-stealing strain named Torg Grabber has hit the scene, and it has a specific taste: it hunts crypto wallet extensions rather than just scooping up your old forum passwords. Gen Digital's threat team collected 334 samples over a three-month period and confirmed this isn't some amateur-hour script; it's a full-blown Malware-as-a-Service (MaaS) operation run by identified Russian-linked threat actors. Because why build your own malware when you can just subscribe?
Scope: This digital pickpocket checks for 850 browser add-ons, a whopping 728 of them crypto-wallet extensions. It handles 25 Chromium-based browsers and 8 Firefox variants, and it sets its sights on hot wallets like MetaMask, Phantom, and their various clones. The primary targets are users who keep seed phrases, private keys, or session tokens in browser storage; hardware-wallet purists are mostly safe, unless they've also decided to digitize their seeds as a convenient backup (read: catastrophic mistake).
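Since the malware works off a list of extension IDs, the first defensive question is simply which wallet extensions are installed on the machines you care about. The inventory script below is an added example, not Gen Digital's tooling or anything from the Torg Grabber report: it walks a Chromium profile's Extensions directory (resolving the __MSG_name__ localisation placeholders many extensions use instead of a literal name) and a Firefox profile's extensions.json, and flags names that look like wallets. The name-pattern list is an assumption seeded with MetaMask and Phantom from the article, the profile fixture it builds in a temp directory is constructed data, and the extension IDs in it are made up.

```python
"""Inventory browser extensions and flag wallet-looking ones.
Added example, not Gen Digital's or Torg Grabber's code. The wallet name
patterns are an assumption seeded with the two names in the article."""
import json
import re
import tempfile
from pathlib import Path

# Case-insensitive substrings that mark a wallet extension (assumption; extend as needed).
WALLET_NAME_PATTERNS = ("metamask", "phantom", "wallet")
_MSG_RE = re.compile(r"^__MSG_(\w+)__$")


def is_wallet_name(name: str) -> bool:
    low = name.lower()
    return any(p in low for p in WALLET_NAME_PATTERNS)


def resolve_i18n_name(ext_dir: Path, manifest: dict) -> str:
    """Chromium manifests often carry "__MSG_key__" instead of a literal name;
    the real string lives in _locales/<default_locale>/messages.json."""
    name = manifest.get("name", "")
    m = _MSG_RE.match(name)
    if not m:
        return name
    locale = manifest.get("default_locale", "en")
    msgs_path = ext_dir / "_locales" / locale / "messages.json"
    try:
        msgs = json.loads(msgs_path.read_text(encoding="utf-8"))
        return msgs[m.group(1)]["message"]
    except (OSError, KeyError, ValueError):
        return name  # keep the placeholder if it cannot be resolved


def inventory_chromium_profile(profile_dir: Path) -> list[dict]:
    """Walk <profile>/Extensions/<32-char id>/<version>/manifest.json."""
    found = []
    ext_root = profile_dir / "Extensions"
    if not ext_root.is_dir():
        return found
    for ext_id_dir in sorted(p for p in ext_root.iterdir() if p.is_dir()):
        for version_dir in sorted(p for p in ext_id_dir.iterdir() if p.is_dir()):
            manifest_path = version_dir / "manifest.json"
            if not manifest_path.is_file():
                continue
            try:
                manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
            except ValueError:
                continue  # unreadable manifest: skip rather than abort the sweep
            name = resolve_i18n_name(version_dir, manifest)
            found.append({"browser": "chromium", "id": ext_id_dir.name,
                          "version": version_dir.name, "name": name,
                          "wallet": is_wallet_name(name)})
    return found


def inventory_firefox_profile(profile_dir: Path) -> list[dict]:
    """Firefox records installed add-ons in <profile>/extensions.json."""
    path = profile_dir / "extensions.json"
    if not path.is_file():
        return []
    data = json.loads(path.read_text(encoding="utf-8"))
    found = []
    for addon in data.get("addons", []):
        name = addon.get("defaultLocale", {}).get("name", "")
        found.append({"browser": "firefox", "id": addon.get("id", ""),
                      "version": addon.get("version", ""), "name": name,
                      "wallet": is_wallet_name(name)})
    return found


def build_demo_profiles(root: Path) -> tuple[Path, Path]:
    """Constructed fixture, not real data: extension IDs and names are made up."""
    chrome = root / "User Data" / "Default"
    wallet = chrome / "Extensions" / ("a" * 32) / "1.2.3_0"
    (wallet / "_locales" / "en").mkdir(parents=True)
    (wallet / "manifest.json").write_text(json.dumps(
        {"name": "__MSG_appName__", "default_locale": "en", "version": "1.2.3"}))
    (wallet / "_locales" / "en" / "messages.json").write_text(json.dumps(
        {"appName": {"message": "Example Wallet (MetaMask-style)"}}))
    plain = chrome / "Extensions" / ("b" * 32) / "0.9_0"
    plain.mkdir(parents=True)
    (plain / "manifest.json").write_text(json.dumps({"name": "Tab Counter", "version": "0.9"}))
    firefox = root / "Profiles" / "abcd1234.default-release"
    firefox.mkdir(parents=True)
    (firefox / "extensions.json").write_text(json.dumps({"addons": [
        {"id": "example-wallet@example.invalid", "version": "2.0",
         "defaultLocale": {"name": "Phantom-style Wallet"}}]}))
    return chrome, firefox


def demo() -> list[dict]:
    """Build the fixture in a temp dir, inventory it, return the combined list."""
    with tempfile.TemporaryDirectory() as tmp:
        chrome, firefox = build_demo_profiles(Path(tmp))
        return inventory_chromium_profile(chrome) + inventory_firefox_profile(firefox)


if __name__ == "__main__":
    for r in demo():
        flag = "WALLET" if r["wallet"] else "      "
        print(f"{flag} {r['browser']:8} {r['name']} {r['version']} [{r['id']}]")
```

To run it against a real machine, point inventory_chromium_profile at a profile directory (for Chrome on Windows that is %LOCALAPPDATA%\Google\Chrome\User Data\Default; other Chromium browsers keep the same Extensions layout under their own User Data folder) and inventory_firefox_profile at a profile under %APPDATA%\Mozilla\Firefox\Profiles. A machine that shows up with a wallet extension and no hardware wallet is exactly the population this strain is built for.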
Delivery chain: The infection kicks off with a dropper disguised as a legitimate Chrome update: a suspiciously hefty 60 MB InnoSetup package named GAPI_Update.exe hosted on Dropbox. That alone is the tell; Chrome updates itself silently through Google's own updater and never hands you an installer to download from a file-sharing link. Once executed, it drops three innocent-looking DLLs into %LOCALAPPDATA%\Connector\ and launches a fake Windows Security Update progress bar that runs for exactly 420 seconds, giving the payload ample time to install while the user contemplates the meaning of "blaze it."
Payload: The final executables get random, forgettable names (like v4jkqh.exe or hkjpy08.exe) and settle into C:\Windows\, a location a standard user can't write to, so the fake update has to obtain administrator rights somewhere along the way. One captured 13 MB sample spawned dllhost.exe and tried to disable Event Tracing for Windows before being caught by behavioral detection. After setup, Torg Grabber phones home to a production-grade REST API hosted behind Cloudflare, encrypting its loot with ChaCha20 and authenticating each request with an HMAC-SHA256 X-Auth-Token header. For defenders that means the real C2 address is hidden behind Cloudflare's edge, and even a TLS-intercepting proxy sees only ChaCha20 ciphertext, so the network leg gives you little to block or read. It's more professional than most crypto projects' backends.
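The practical takeaway from the delivery chain and payload sections is that the exfiltration leg is opaque (Cloudflare fronting plus ChaCha20 plus an HMAC header), so the cheap detections are on the host. As an added example, not Gen Digital's detection logic and not code from the report, here is a small rule set run over constructed Sysmon-style events that turns the article's indicators into hunts: the GAPI_Update.exe dropper, DLLs landing in %LOCALAPPDATA%\Connector\, an unexpected executable directly in C:\Windows\, dllhost.exe with an odd parent, and ETW tampering. The list of executables that legitimately sit in the Windows root, the assumption that svchost.exe is the normal dllhost.exe parent, and the specific ETW-tampering command patterns are all assumptions; the report does not say which ETW technique the sample used, and the event records are invented.

```python
"""Host-side hunting rules for the Torg Grabber delivery chain and payload
behaviour described above. Added example over constructed Sysmon-style
events, not Gen Digital's detection logic. Assumptions: svchost.exe as the
only normal dllhost.exe parent, the ETW-tampering patterns, and the
allowlist of executables that legitimately live in the C:\\Windows root."""
import re
from typing import Iterable

# Sysmon event IDs: 1 = process create, 11 = file create, 13 = registry value set
PROCESS_CREATE, FILE_CREATE, REGISTRY_SET = 1, 11, 13

# Any .exe directly in C:\Windows\ (not a subfolder). The article's samples carry
# random names like v4jkqh.exe, but name shape is a weak signal (explorer.exe is
# eight lowercase letters too), so allowlist what ships there and flag the rest.
WINDOWS_ROOT_EXE = re.compile(r"^c:\\windows\\([^\\]+\.exe)$", re.I)
LEGIT_WINDOWS_ROOT_EXES = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe",
                           "write.exe", "bfsvc.exe", "splwow64.exe", "winhlp32.exe"}
CONNECTOR_DLL = re.compile(r"\\appdata\\local\\connector\\[^\\]+\.dll$", re.I)
# The report says the sample tried to disable ETW but not how; these are common ways (assumption).
ETW_TAMPER_CMD = re.compile(r'logman(\.exe)?"?\s+(stop|delete|update)\b|wevtutil(\.exe)?"?\s+sl\b', re.I)
ETW_AUTOLOGGER_KEY = re.compile(r"\\control\\wmi\\autologger\\", re.I)
LEGIT_DLLHOST_PARENTS = {"svchost.exe"}  # assumption: the COM surrogate normally comes from DcomLaunch


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list[str]:
    """Return the rule hits for one event (empty list means clean)."""
    hits = []
    eid = event.get("EventID")
    if eid == PROCESS_CREATE:
        image = event.get("Image", "")
        parent = event.get("ParentImage", "")
        cmd = event.get("CommandLine", "")
        if basename(image) == "gapi_update.exe":
            hits.append("dropper: GAPI_Update.exe executed")
        m = WINDOWS_ROOT_EXE.match(image)
        if m and m.group(1).lower() not in LEGIT_WINDOWS_ROOT_EXES:
            hits.append("payload: unexpected executable directly in C:\\Windows root")
        if basename(image) == "dllhost.exe" and basename(parent) not in LEGIT_DLLHOST_PARENTS:
            hits.append(f"dllhost.exe spawned by unusual parent {basename(parent)}")
        if ETW_TAMPER_CMD.search(cmd):
            hits.append("ETW tampering via command line")
    elif eid == FILE_CREATE:
        if CONNECTOR_DLL.search(event.get("TargetFilename", "")):
            hits.append("dropper: DLL written to %LOCALAPPDATA%\\Connector\\")
    elif eid == REGISTRY_SET:
        if ETW_AUTOLOGGER_KEY.search(event.get("TargetObject", "")):
            hits.append("ETW autologger registry key modified")
    return hits


def hunt(events: Iterable[dict]) -> list[list[str]]:
    """One list of rule hits per event, in input order."""
    return [evaluate(e) for e in events]


# Constructed events in the spirit of the article's chain; none are real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\alice\Downloads\GAPI_Update.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Users\alice\Downloads\GAPI_Update.exe"'},
    {"EventID": 11, "Image": r"C:\Users\alice\Downloads\GAPI_Update.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Connector\helper.dll"},
    {"EventID": 1, "Image": r"C:\Windows\v4jkqh.exe",
     "ParentImage": r"C:\Users\alice\Downloads\GAPI_Update.exe", "CommandLine": r"C:\Windows\v4jkqh.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\dllhost.exe",
     "ParentImage": r"C:\Windows\v4jkqh.exe", "CommandLine": "dllhost.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\logman.exe", "ParentImage": r"C:\Windows\v4jkqh.exe",
     "CommandLine": r'"C:\Windows\System32\logman.exe" stop EventLog-Application -ets'},
    {"EventID": 13, "Image": r"C:\Windows\v4jkqh.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\Start"},
    # benign controls: normal COM surrogate launch, and a real Windows-root binary
    {"EventID": 1, "Image": r"C:\Windows\System32\dllhost.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "CommandLine": "dllhost.exe"},
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe", "CommandLine": "explorer.exe"},
]


if __name__ == "__main__":
    for ev, hits in zip(SAMPLE_EVENTS, hunt(SAMPLE_EVENTS)):
        what = ev.get("TargetFilename") or ev.get("TargetObject") or ev.get("Image")
        print(f"event {ev['EventID']:>2} {what}")
        for h in hits:
            print(f"    -> {h}")
```

Each rule on its own is noisy; the value is in the sequence (browser spawns an installer, DLLs land in Connector, an unknown binary appears in the Windows root, then that binary fathers dllhost.exe and starts poking at ETW), so in a real SIEM correlate these by host and process tree rather than alerting on any single hit.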
What gets stolen: Seed phrases, private keys, and active session tokens are all exfiltrated via encrypted channels, either zipped in memory or streamed out in chunks. The malware isn't picky; it just vacuums up whatever wallet data it finds on the infected machine, so it doesn't need to target any specific degen. Think of it as a digital dragnet, collecting all the valuable crumbs.
Risk breakdown:
- Self-custody browser users: Full wallet compromise is on the table if seeds are stored locally or in password managers. Not your keys, not your coins? More like not your secure storage, not your coins.
- Exchange-linked accounts: Not directly targeted, but stolen session tokens could hand over access to any logged-in exchange sessions. That "Remember Me" checkbox is looking pretty sus right now.
- Hardware-wallet owners: Only indirect risk, and only if they’ve also kept their seed phrases in a digital form, thereby defeating the entire purpose of the hardware wallet. Congratulations, you played yourself.
Operator footprint: The binaries contained over 40 operator tags, including nicknames, date-coded batch IDs, and Telegram user IDs, linking eight operators to the Russian cybercrime ecosystem. The MaaS model allows each registered operator to push custom shellcode, effectively letting every script kiddie with a subscription expand the attack surface beyond the base loader. Community-driven fraud, how innovative.
Bottom line: Torg Grabber is a production-grade, cloud-backed infoste