A novel Malware-as-a-Service (MaaS) credential stealer called Torg Grabber has emerged, showcasing significant advancements within just a few months. Initially, this malware used simple Telegram-based techniques for data extraction but has quickly transitioned to a more sophisticated encrypted REST API command-and-control (C2) system.
Rapid Development of Torg Grabber
Within a short period, 334 Torg Grabber samples were collected, with over 40 confirmed operator tags identified in their binaries. This indicates that the malware is actively serving multiple criminal groups and highlights the organized nature of this builder-based cybercrime operation.
The malware derives its name from one of its primary C2 domains, technologytorg.com; “torg” translates to “trade” or “marketplace” in Russian, a fitting label for a tool built around trafficking stolen credentials. Initially misidentified as Vidar Stealer, the malware was shown by further analysis to be a 64-bit PE compiled with MinGW-GCC, unlike Vidar’s 32-bit MSVC build.
Evolution Through Exfiltration Techniques
Gen Digital’s Threat Research Team analyzed and officially named the malware, noting its evolution through three exfiltration phases. Early builds utilized the Telegram Bot API for sending stolen ZIP files to private Telegram channels, offering a rapid deployment method with minimal infrastructure.
Subsequent versions briefly adopted a raw TCP socket protocol with custom encryption before transitioning to a production-grade REST API over HTTPS fronted by Cloudflare. This shift makes the traffic harder to intercept or block, reflecting a move toward more resilient communication channels.
Data Collection and Prevention Measures
Torg Grabber casts a wide net, targeting credentials from numerous browsers, including 25 Chromium-based and 8 Firefox-family browsers. It also collects over 850 browser extensions, encompassing cryptocurrency wallets and two-factor authentication tools, while also capturing session data from platforms like Discord, Telegram, and Steam.
Before initiating data collection, the malware checks for the presence of various antivirus and security products. Multiple operator tags were traced to active Telegram accounts associated with Russian-speaking cybercrime networks. The malware employs a multi-stage loader chain: a dropper disguised as game cheats or cracked software downloads the stealer and runs it in memory to evade detection.
To mitigate risks, users should avoid unofficial downloads, and IT teams should monitor for suspicious PowerShell commands and unexpected BITS Transfer activities. Endpoint tools must be configured to detect direct syscall usage and in-memory PE loading patterns. Organizations using Chromium-based browsers should ensure proper configuration of App-Bound Encryption, with any unexpected browser process suspensions flagged as potential compromises.
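The BITS and PowerShell monitoring recommended above, as an added defender-side example written for this article (not code from Gen Digital's analysis or from the malware); the event records are constructed, and the trusted-host list and the two-signal threshold are assumptions to tune per environment:

```python
import re
from urllib.parse import urlparse

# Hosts a managed Windows fleet is expected to pull from via BITS (assumption; extend per environment).
TRUSTED_BITS_HOSTS = {"download.windowsupdate.com", "update.microsoft.com"}

# PowerShell switches/cmdlets typical of a download-and-run loader stage; each regex is one signal.
LOADER_SIGNALS = [
    r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}",                      # base64 -EncodedCommand payload
    r"-w(indowstyle)?\s+hidden",                                          # hidden console window
    r"downloadstring|downloadfile|invoke-webrequest|start-bitstransfer",  # download cradle
]

def bits_finding(event):
    """Microsoft-Windows-Bits-Client/Operational event 59 records a started job and its remote URL."""
    if event.get("provider") != "Microsoft-Windows-Bits-Client" or event.get("id") != 59:
        return None
    host = (urlparse(event.get("url", "")).hostname or "").lower()
    if host and host not in TRUSTED_BITS_HOSTS:
        return f"BITS job '{event['job']}' pulling from untrusted host {host}"
    return None

def powershell_finding(event):
    """Process-creation record (Sysmon event 1 layout) for a PowerShell launch."""
    if event.get("id") != 1 or not event.get("image", "").lower().endswith("powershell.exe"):
        return None
    hits = [p for p in LOADER_SIGNALS if re.search(p, event.get("command_line", ""), re.I)]
    if len(hits) >= 2:  # one switch alone is common in admin scripts; require two signals
        return f"PowerShell spawned by {event['parent']} with {len(hits)} loader signals"
    return None

def scan(events):
    """Run both detectors over a list of event dicts and return the findings in order."""
    findings = []
    for ev in events:
        for f in (bits_finding(ev), powershell_finding(ev)):
            if f:
                findings.append(f)
    return findings

# Constructed sample events, not real telemetry; the .invalid host is a placeholder.
SAMPLE_EVENTS = [
    {"provider": "Microsoft-Windows-Bits-Client", "id": 59, "job": "WU Client Download",
     "url": "https://download.windowsupdate.com/d/msdownload/update.cab"},
    {"provider": "Microsoft-Windows-Bits-Client", "id": 59, "job": "sync",
     "url": "https://files.example.invalid/stage2.bin"},
    {"provider": "Microsoft-Windows-Sysmon", "id": 1, "parent": "setup_cheat.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -nop -enc SGVsbG8gV29ybGQgdGhpcyBpcyBjb25zdHJ1Y3RlZA=="},
    {"provider": "Microsoft-Windows-Sysmon", "id": 1, "parent": "svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

Run against the constructed events it flags the non-Microsoft BITS download and the hidden, encoded PowerShell launch from the cheat installer, while leaving the Windows Update job and the plain scheduled backup script alone.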
