The Malware with a Secret Identity: How We Unmasked Torg Grabber


In the world of cybercrime, the best disguise is often just another criminal. Sometimes, a new threat will wrap itself in the "uniform" of a well-known group to avoid extra scrutiny. That is exactly how our story begins.
On a quiet Tuesday in February, a routine sample landed in our lab. At first glance, it appeared to be "Vidar," which is a common and widely understood type of malware. However, as our researchers began to look under the hood, the Vidar costume started to fall apart. This was not the work of a known group. It was something entirely new, highly sophisticated, and growing with incredible speed. We named it Torg Grabber.
The mystery of the misclassification
Detecting malware is often like recognizing a person by their gait or their handwriting. Vidar has a very specific "look" in its code. But this new sample was different. It was built with different tools, used different encryption, and spoke a completely different language when communicating with its creators.
Our team realized that Torg Grabber was essentially a digital pickpocket wearing a priest’s collar. By pretending to be a common threat, it hoped to fly under the radar of automated security systems. By the time we finished our investigation, we had uncovered 334 different versions of this malware, all created in a span of just three months. This was not a hobbyist at work: it was a production line.
The evolution of a criminal business
One of the most fascinating parts of this story is how the criminals behind Torg Grabber "upgraded" their business. We tracked three distinct phases of their growth.
In the beginning, they were small and cautious. They used simple Telegram bots to ship stolen data back to private chat channels. This was the digital equivalent of a rookie thief shouting secrets across a crowded room. It worked, but it was noisy and easy to shut down.
Only a few weeks later, they moved into an experimental phase. They created a custom, high-speed communication protocol that used advanced military-grade encryption. It was sophisticated, but it was also difficult for them to manage at a large scale.
Finally, they settled on what we call the "Production Rig." They built a professional-grade system that hides its traffic behind legitimate web services like Cloudflare. This makes their malicious activity look like normal web browsing. By the time they reached this stage, Torg Grabber had become a "Malware as a Service" operation, where the developers sell their "product" to dozens of other criminals who want to get into the game.

The "ClickFix" trap: how they get in
Torg Grabber does not just break into your house: it tricks you into opening the door. Our team observed a clever tactic called "ClickFix."
Imagine visiting a website and seeing a pop-up that says your browser needs a security update. It looks official and even includes a progress bar that ticks away for seven minutes. While you wait for this fake "Windows Security Update" to finish, the malware is silently working in the background. It is downloading multiple layers of code, each one designed to hide the next, until the final infostealer is safely tucked away in your computer's memory.
We have seen this malware hidden in all sorts of digital "candy," including fake game cheats for popular titles and cracked versions of expensive software. The lure changes, but the goal is always the same: social engineering.

The digital master key
Perhaps the most dangerous feature of Torg Grabber is its ability to bypass modern browser security. Major browsers like Google Chrome and Microsoft Edge recently introduced a feature called "App-Bound Encryption." Think of it as a vault door that can only be opened by the browser itself.
To beat this, the creators of Torg Grabber built a custom "lockpick." It is a tiny piece of code, only 20 KB in size, that sneaks into a legitimate browser process. Once inside, it tricks the browser into using its own "master key" to unlock your saved passwords and credit card details. By the time the malware is done, it has effectively walked through the front door of your digital life using your own keys.
A massive appetite for your data
Unlike older malware that might just try to crash your computer, an infostealer has one goal: profit. Torg Grabber is programmed to find almost everything of value on your machine. Its "shopping list" is staggering:
- Your Financial Life: It specifically looks for 728 different cryptocurrency wallet extensions. It does not just want the big names: it is programmed to recognize even the most obscure digital wallets.
- Your Security Tools: It targets 103 different password managers and two-factor authentication tools. It knows that if it can steal your "vault," it has everything.
- Your Privacy: It scans your Desktop and Documents folders for notes where you might have jotted down sensitive passwords or recovery phrases.
- Your Identity: It steals "session cookies." These allow a criminal to log into your email or social media accounts as if they were you, often bypassing the need for a password entirely.

Tracking the human fingerprints
Our research went beyond just the code. We followed the digital breadcrumbs all the way back to the people running the show. Each version of Torg Grabber contains a "tag," which is like a signature for the criminal who bought it.
We extracted over 40 distinct operator tags and used them to unmask several established identities in the Russian cybercrime world. We found individuals with nicknames like "Tony Montana" and "ChaChaGuru" who were openly boasting about their successes in private channels. Some even linked their accounts to marketplaces where they sell the very data they stole from victims.
Why technical dissection matters
We do not tell this story just to show how complex these threats have become. We tell it because this kind of technical dissection is how better protection is built.
Unmasking Torg Grabber required careful reverse engineering, threat intelligence work, sample correlation, infrastructure tracking, and repeated hypothesis testing across hundreds of artifacts. That work still depends on human expertise, especially when the goal is not just to describe what malware does, but to understand what changed, why it changed, and what defenders should do next.
At the same time, investigations like this are also showing us how threat research is changing. At Gen Digital, we are increasingly using agentic AI workflows to help accelerate parts of reverse engineering, threat hunting, technical correlation, and evidence organization, while keeping researchers fully responsible for validation, judgement, and final conclusions. The result is not automated truth. It is a faster and more scalable way for expert analysts to work through complex investigations without lowering the bar for rigor.
That broader shift is something we explore in more detail in our article, Engineering the Future of Agentic Threat Hunting, which explains how we are building AI-assisted investigative workflows to help researchers move faster while keeping every meaningful claim evidence-based and human-owned.
And for readers who want to go deeper into this specific case, from the malware internals to infrastructure and operator traces, you can read the full technical report here: https://www.gendigital.com/blog/insights/research/torg-grabber-credential-stealer-analysis