Brunswick, ME • (207) 245-1010 • contact@johnzblack.com
MetaMask, Phantom, TrustWallet, Coinbase, Exodus, Rabby, OKX, Ronin – all of them are on Torg Grabber’s target list. So are 715 other crypto wallet extensions, plus banking plugins and password managers: 850 browser extensions in total, hunted by a single piece of malware.
Browser wallets are a uniquely bad place to store real money. Your signing keys live in the same browser process as your email and your trading platform. If the extension is already unlocked when an attacker gets in, the wallet can be drained in seconds.
Torg Grabber started with cheap Telegram exfiltration. It didn’t stay there. It evolved into encrypted TCP comms with a full REST API C2 backend. Someone’s running this as a real business. Gen Digital caught it after it had been misclassified as the Vidar stealer – which means detections were probably filed under the wrong name and forgotten while this thing kept running.
The delivery follows the now-familiar ClickFix pattern: social engineering to get you to run a PowerShell command or install something you weren’t planning to install. A full infection chain from a real victim was documented January 30, 2026.
If you’re holding real money in a browser wallet, get a hardware wallet. Today, not eventually.