Cybercrime’s New Chameleon: Torg Grabber Ditches Telegram for Hardened REST API Command Centers
A fast-rising infostealer malware, Torg Grabber, has rapidly evolved its tactics: abandoning Telegram for encrypted REST APIs, and arming cybercriminals with stealthy, adaptable tools.
In the ever-shifting world of cybercrime, adaptability is king, and the Torg Grabber malware is proving itself a master of disguise. In a matter of weeks, this info-stealing threat has morphed from a Telegram-based amateur into a sophisticated, encrypted REST API operator, leaving defenders scrambling to keep up. Its evolution not only signals a technical leap but also a dangerous new chapter in the Malware-as-a-Service (MaaS) underground.
The saga of Torg Grabber began quietly: a 747 KB malware sample, initially mistaken for the notorious Vidar, revealed an unexpected debug string, “grabber v1.0”, and a custom, encrypted REST API protocol. What followed was a sprint of innovation. In its first days, Torg Grabber zipped up stolen data and sent it to private Telegram channels. But this crude approach was quickly abandoned for a more ambitious plan: an encrypted TCP protocol, then, almost overnight, a full pivot to HTTPS-based REST APIs with ChaCha20 encryption and HMAC-SHA256 authentication, fronted by Cloudflare for extra cover.
Torg Grabber’s infection chain is as slippery as its network tactics. Victims are lured in with pirated software and bogus game cheats, which drop polymorphic loaders, code that constantly changes to evade antivirus detection. These loaders inject the real stealer directly into memory, never leaving a trace on disk. The configuration is operator-specific, passed in via environment variables, allowing the same core malware to be reused by dozens of different criminals, each with their own settings and C2 domains.
Once inside a system, Torg Grabber goes for the crown jewels: credentials, cookies, browser data, cryptocurrency wallets, VPN configs, gaming accounts, and more. Its advanced modules can bypass Chrome’s Application Bound Encryption, extracting even master keys from protected browser storage. The malware also targets a staggering array of browser extensions (over 850, including hundreds of crypto wallets and 2FA tools), scavenging LevelDB and IndexedDB data for passwords, seeds, and secrets. In some attacks, Torg Grabber even scoops up data from other credential-stealing tools, making sure nothing is left behind.
Behind the scenes, Torg Grabber’s infrastructure is sprawling and modular. Researchers have mapped at least 18 Cloudflare-protected command domains, with clear evidence of domain rotation and a builder-panel system typical of MaaS operations. Operator tags and Telegram links tie the malware to Russian-speaking cybercrime circles, with some operators openly selling stolen “logs” and premium access to the tool.
As Torg Grabber matures, defenders face a new breed of infostealer, one that adapts in real time, blends into cloud traffic, and offers plug-and-play services to a growing criminal customer base. The lesson is clear: the lines between amateur and professional cybercrime are blurring, and only constant vigilance and innovative defenses will keep pace.
WIKICROOK
- REST API: A REST API is a set of rules that lets different software systems communicate over the internet, acting like a translator between websites and apps.
- Command and Control (C2): Command and Control (C2) is the system hackers use to remotely control infected devices and coordinate malicious cyberattacks.
- Polymorphic Loader: A polymorphic loader is malware that changes its appearance to evade detection, making it difficult for security tools to identify and stop.
- Malware: Malware is malicious software designed to infiltrate, damage, or steal data from computing devices without the user’s consent.
- ChaCha20: ChaCha20 is a fast, secure encryption algorithm that scrambles data to protect it from unauthorized access, widely used in modern cybersecurity.