{"id":157846,"date":"2026-03-27T14:29:27","date_gmt":"2026-03-27T14:29:27","guid":{"rendered":"https:\/\/cryptonews.com\/br\/noticias\/novo-malware-torg-grabber-atinge-728-carteiras-de-criptomoedas\/"},"modified":"2026-03-27T14:29:29","modified_gmt":"2026-03-27T14:29:29","slug":"novo-malware-torg-grabber-atinge-728-carteiras-de-criptomoedas","status":"publish","type":"post","link":"https:\/\/cryptonews.com\/br\/noticias\/novo-malware-torg-grabber-atinge-728-carteiras-de-criptomoedas\/","title":{"rendered":"New &#8216;Torg Grabber&#8217; malware hits 728 cryptocurrency wallets"},"content":{"rendered":"<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"585\" src=\"https:\/\/cimg.co\/wp-content\/uploads\/sites\/13\/2026\/03\/27091006\/1744184088-image-1727082450955_optimized-1024x585.jpg\" alt=\"\" class=\"wp-image-157843\" srcset=\"https:\/\/cimg.co\/wp-content\/uploads\/sites\/13\/2026\/03\/27091006\/1744184088-image-1727082450955_optimized-1024x585.jpg 1024w, https:\/\/cimg.co\/wp-content\/uploads\/sites\/13\/2026\/03\/27091006\/1744184088-image-1727082450955_optimized-300x172.jpg 300w, https:\/\/cimg.co\/wp-content\/uploads\/sites\/13\/2026\/03\/27091006\/1744184088-image-1727082450955_optimized-768x439.jpg 768w, https:\/\/cimg.co\/wp-content\/uploads\/sites\/13\/2026\/03\/27091006\/1744184088-image-1727082450955_optimized-450x257.jpg 450w, https:\/\/cimg.co\/wp-content\/uploads\/sites\/13\/2026\/03\/27091006\/1744184088-image-1727082450955_optimized.jpg 1200w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\"><\/figure><p>Torg Grabber, a newly identified infostealer, targets 728 crypto wallet extensions among 850 browser add-ons, and is already in active deployment.<\/p><p>The malware exfiltrates seed phrases, private keys and session tokens over encrypted channels before most 
endpoint tools register a detection event. Self-custody users who rely on browser-based wallets are the main exposure surface.<\/p><p>Researchers at Gen <a href=\"https:\/\/www.gendigital.com\/blog\/insights\/research\/torg-grabber-credential-stealer-analysis\" target=\"_blank\" rel=\"noreferrer noopener\">Digital<\/a> documented the threat after tracing a loader chain through domain reputation data, ultimately compiling 334 samples across a three-month development window. This is not a proof of concept. It is a real Malware-as-a-Service (MaaS) operation with identified operators.<\/p><div class=\"su-note\" style=\"border: 1px solid #e0d5e5;border-radius: 5px;margin: 20px 0;background-color: #faefff;color: #333333;padding: 20px\"><strong>Key takeaways:<\/strong>\n<ul>\n<li><strong>Threat scope:<\/strong> Torg Grabber scans 850 browser extensions, 728 of them crypto wallet targets, across 25 Chromium browser variants and 8 Firefox variants.<\/li>\n<li><strong>Attack method:<\/strong> The dropper masquerades as a legitimate Chrome update (GAPI_Update.exe, 60 MB), deploys the payload behind a fake 420-second Windows Security Update progress bar, and then exfiltrates data using ChaCha20 encryption with HMAC-SHA256 authentication through Cloudflare infrastructure.<\/li>\n<li><strong>Who is at risk:<\/strong> Users of browser extension wallets (MetaMask, Phantom and comparable hot wallets) face direct credential theft; hardware wallet users face indirect risk only if seed phrases are stored digitally.<\/li>\n<\/ul>\n<\/div><h2 class=\"wp-block-heading\">The mechanism: How the 
Torg Grabber malware carries out the attack on crypto wallets<\/h2><span class=\"replacer\"><\/span><p>The infection chain starts with a dropper disguised as GAPI_Update.exe, a 60 MB InnoSetup package distributed from Dropbox infrastructure. It extracts three benign DLLs into <code>%LOCALAPPDATA%\\Connector\\<\/code> to establish a clean-looking footprint and then launches a fake Windows Security Update progress bar that runs for exactly <strong>420 seconds<\/strong>, complete with animated ASCII art compiled via csc.exe. The delay is deliberate: it creates a plausible installation window while the payload is deployed.<\/p><p>The final executable is dropped under random names (v4jkqh.exe, hkjpy08.exe, ln3dkgz.exe) in C:\\Windows\\ in every documented sample. One captured 13 MB instance spawned dllhost.exe and attempted to disable Event Tracing for Windows before behavioral detection terminated execution mid-process.<\/p><p>Once deployed, Torg Grabber targets 25 Chromium browsers, 8 Firefox variants, Discord, Steam, Telegram, VPN clients, FTP clients, email clients and password managers, in addition to crypto wallets. The data is archived into an in-memory ZIP or streamed in chunks. 
Exfiltration runs through Cloudflare endpoints using X-Auth-Token headers with per-request HMAC-SHA256 and ChaCha20 encryption: a production-grade architecture, not an improvised tool.<\/p><figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\"><div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\"><p lang=\"en\" dir=\"ltr\">\ud83d\udea8 CRYPTO THEFT MALWARE: New \u201cTorg Grabber\u201d infostealer targets 728 cryptocurrency wallets.<br><br>The malware is designed to harvest wallet data and enable theft of digital assets.<br><br>Crypto wallets remain a primary target for financially motivated attackers.<\/p>&mdash; CyberAlertsHQ (@CyberAlertsHQ) <a href=\"https:\/\/twitter.com\/CyberAlertsHQ\/status\/2036949002575614362?ref_src=twsrc%5Etfw\">March 25, 2026<\/a><\/blockquote>\n<\/div><\/figure><p>Gen Digital's analysis identified more than 40 operator tags embedded in binaries: nicknames, date-encoded batch IDs and Telegram user IDs linking eight operators to the Russian cybercrime ecosystem. The MaaS model means individual operators can deploy custom shellcode after registration, expanding the attack surface beyond the base configuration. As the Gen Digital researchers described it, Torg Grabber evolved from Telegram drop points to &#8220;a production-grade REST API that ran like a Swiss watch dipped in poison&#8221;.<\/p><h2 class=\"wp-block-heading\">The self-custody signal: What 728 wallets really mean<\/h2><span class=\"replacer\"><\/span><p>728 is not an arbitrary number. 
It represents a deliberate configuration sweep covering every major browser-based wallet with measurable install volume. MetaMask alone has more than 30 million monthly active users. The extension-based targeting logic means Torg Grabber does not need to find a specific victim; it harvests whatever wallet credentials are present on any infected machine.<\/p><div class=\"wp-block-image wp-block-image size-full\">\n<figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/cimg.co\/p\/no_image.svg\" alt=\"\" class=\"wp-image-491845 lazyload\" data-src=\"https:\/\/cimg.co\/wp-content\/uploads\/2026\/03\/26140049\/image-207.jpg\" data-srcset=\"\"><\/figure><\/div><p>The broader risk splits cleanly in two. Self-custody users who keep seed phrases in browser storage, text files or password managers face full wallet compromise from a single infection. Assets held on exchanges are not directly exposed to this specific attack vector, because the malware targets local credential stores, not exchange APIs at scale. However, theft of session tokens from browser storage can expose connected exchange accounts if login sessions are active.<\/p><p>If Torg Grabber's MaaS operator base expands (and Gen Digital's monitoring of its REST API infrastructure suggests active iteration), the wallet target list will grow. The figure of 728 is a current snapshot, not a ceiling. 
Comparable infostealers such as Vidar and RedLine normalized this model years ago; Torg Grabber is running the same playbook with more structured infrastructure.<\/p>","protected":false},"excerpt":{"rendered":"<p>Torg Grabber malware hits 728 cryptocurrency wallets<\/p>\n","protected":false},"author":780,"featured_media":157843,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[9],"tags":[115,95],"editores":[534],"sponsored_companies":[],"class_list":["post-157846","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blockchain-news","tag-blockchain","tag-criptomoedas","editores-cryptonews"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.1.1 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Novo malware &#8216;Torg Grabber&#8217; atinge 728 carteiras de criptomoedas<\/title>\n<meta name=\"description\" content=\"Malware Torg Grabber atinge 728 carteiras de criptomoedas\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/cryptonews.com\/br\/noticias\/novo-malware-torg-grabber-atinge-728-carteiras-de-criptomoedas\/\" \/>\n<meta property=\"og:locale\" content=\"pt_BR\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Novo malware &#8216;Torg Grabber&#8217; atinge 728 carteiras de criptomoedas\" \/>\n<meta property=\"og:description\" content=\"Malware Torg Grabber atinge 728 carteiras de criptomoedas\" \/>\n<meta property=\"og:url\" content=\"https:\/\/cryptonews.com\/br\/noticias\/novo-malware-torg-grabber-atinge-728-carteiras-de-criptomoedas\/\" \/>\n<meta property=\"og:site_name\" content=\"CryptoNews Brasil\" \/>\n<meta property=\"article:published_time\" content=\"2026-03-27T14:29:27+00:00\" 
\/>\n<meta property=\"article:modified_time\" content=\"2026-03-27T14:29:29+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/cimg.co\/wp-content\/uploads\/sites\/13\/2026\/03\/27091006\/1744184088-image-1727082450955_optimized.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"686\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/cimg.co\/wp-content\/uploads\/sites\/13\/2026\/03\/27091006\/1744184088-image-1727082450955_optimized.jpg\" \/>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Novo malware &#8216;Torg Grabber&#8217; atinge 728 carteiras de criptomoedas","description":"Malware Torg Grabber atinge 728 carteiras de criptomoedas","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/cryptonews.com\/br\/noticias\/novo-malware-torg-grabber-atinge-728-carteiras-de-criptomoedas\/","og_locale":"pt_BR","og_type":"article","og_title":"Novo malware &#8216;Torg Grabber&#8217; atinge 728 carteiras de criptomoedas","og_description":"Malware Torg Grabber atinge 728 carteiras de criptomoedas","og_url":"https:\/\/cryptonews.com\/br\/noticias\/novo-malware-torg-grabber-atinge-728-carteiras-de-criptomoedas\/","og_site_name":"CryptoNews 
Brasil","article_published_time":"2026-03-27T14:29:27+00:00","article_modified_time":"2026-03-27T14:29:29+00:00","og_image":[{"width":1200,"height":686,"url":"https:\/\/cimg.co\/wp-content\/uploads\/sites\/13\/2026\/03\/27091006\/1744184088-image-1727082450955_optimized.jpg","type":"image\/jpeg"}],"twitter_card":"summary_large_image","twitter_image":"https:\/\/cimg.co\/wp-content\/uploads\/sites\/13\/2026\/03\/27091006\/1744184088-image-1727082450955_optimized.jpg","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"NewsArticle","@id":"https:\/\/cryptonews.com\/br\/noticias\/novo-malware-torg-grabber-atinge-728-carteiras-de-criptomoedas\/#article","isPartOf":{"@id":"https:\/\/cryptonews.com\/br\/noticias\/novo-malware-torg-grabber-atinge-728-carteiras-de-criptomoedas\/"},"author":{"name":"Cristhian Silva","@id":"https:\/\/cryptonews.com\/br\/#\/schema\/person\/afd4a756a2cb859d32a55ff768b0acaa"},"headline":"Novo malware &#8216;Torg Grabber&#8217; atinge 728 carteiras de criptomoedas","datePublished":"2026-03-27T14:29:27+00:00","dateModified":"2026-03-27T14:29:29+00:00","mainEntityOfPage":{"@id":"https:\/\/cryptonews.com\/br\/noticias\/novo-malware-torg-grabber-atinge-728-carteiras-de-criptomoedas\/"},"wordCount":883,"commentCount":0,"publisher":{"@id":"https:\/\/cryptonews.com\/br\/#organization"},"image":{"@id":"https:\/\/cryptonews.com\/br\/noticias\/novo-malware-torg-grabber-atinge-728-carteiras-de-criptomoedas\/#primaryimage"},"thumbnailUrl":"https:\/\/cimg.co\/wp-content\/uploads\/sites\/13\/2026\/03\/27091006\/1744184088-image-1727082450955_optimized.jpg","keywords":["Blockchain","Criptomoedas"],"articleSection":["Not\u00edcias de 
Blockchain"],"inLanguage":"pt-BR","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/cryptonews.com\/br\/noticias\/novo-malware-torg-grabber-atinge-728-carteiras-de-criptomoedas\/#respond"]}],"copyrightYear":"2026","copyrightHolder":{"@id":"https:\/\/cryptonews.com\/#organization"}},{"@type":"WebPage","@id":"https:\/\/cryptonews.com\/br\/noticias\/novo-malware-torg-grabber-atinge-728-carteiras-de-criptomoedas\/","url":"https:\/\/cryptonews.com\/br\/noticias\/novo-malware-torg-grabber-atinge-728-carteiras-de-criptomoedas\/","name":"Novo malware &#8216;Torg Grabber&#8217; atinge 728 carteiras de criptomoedas","isPartOf":{"@id":"https:\/\/cryptonews.com\/br\/#website"},"primaryImageOfPage":{"@id":"https:\/\/cryptonews.com\/br\/noticias\/novo-malware-torg-grabber-atinge-728-carteiras-de-criptomoedas\/#primaryimage"},"image":{"@id":"https:\/\/cryptonews.com\/br\/noticias\/novo-malware-torg-grabber-atinge-728-carteiras-de-criptomoedas\/#primaryimage"},"thumbnailUrl":"https:\/\/cimg.co\/wp-content\/uploads\/sites\/13\/2026\/03\/27091006\/1744184088-image-1727082450955_optimized.jpg","datePublished":"2026-03-27T14:29:27+00:00","dateModified":"2026-03-27T14:29:29+00:00","description":"Malware Torg Grabber atinge 728 carteiras de 
criptomoedas","breadcrumb":{"@id":"https:\/\/cryptonews.com\/br\/noticias\/novo-malware-torg-grabber-atinge-728-carteiras-de-criptomoedas\/#breadcrumb"},"inLanguage":"pt-BR","potentialAction":[{"@type":"ReadAction","target":["https:\/\/cryptonews.com\/br\/noticias\/novo-malware-torg-grabber-atinge-728-carteiras-de-criptomoedas\/"]}],"author":[]},{"@type":"ImageObject","inLanguage":"pt-BR","@id":"https:\/\/cryptonews.com\/br\/noticias\/novo-malware-torg-grabber-atinge-728-carteiras-de-criptomoedas\/#primaryimage","url":"https:\/\/cimg.co\/wp-content\/uploads\/sites\/13\/2026\/03\/27091006\/1744184088-image-1727082450955_optimized.jpg","contentUrl":"https:\/\/cimg.co\/wp-content\/uploads\/sites\/13\/2026\/03\/27091006\/1744184088-image-1727082450955_optimized.jpg","width":1200,"height":686},{"@type":"BreadcrumbList","@id":"https:\/\/cryptonews.com\/br\/noticias\/novo-malware-torg-grabber-atinge-728-carteiras-de-criptomoedas\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/cryptonews.com\/br\/"},{"@type":"ListItem","position":2,"name":"Novo malware &#8216;Torg Grabber&#8217; atinge 728 carteiras de criptomoedas"}]},{"@type":"WebSite","@id":"https:\/\/cryptonews.com\/br\/#website","url":"https:\/\/cryptonews.com\/br\/","name":"Cryptonews Portugal","description":"","publisher":{"@id":"https:\/\/cryptonews.com\/br\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/cryptonews.com\/br\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"pt-BR"},{"@type":"Organization","@id":"https:\/\/cryptonews.com\/br\/#organization","name":"Cryptonews 
Portugal","url":"https:\/\/cryptonews.com\/br\/","logo":{"@type":"ImageObject","inLanguage":"pt-BR","@id":"https:\/\/cryptonews.com\/br\/#\/schema\/logo\/image\/","url":"https:\/\/cryptonews.com\/wp-content\/uploads\/sites\/13\/2023\/09\/4.jpg","contentUrl":"https:\/\/cryptonews.com\/wp-content\/uploads\/sites\/13\/2023\/09\/4.jpg","width":1669,"height":874,"caption":"Cryptonews Portugal"},"image":{"@id":"https:\/\/cryptonews.com\/br\/#\/schema\/logo\/image\/"}}]}},"_links":{"self":[{"href":"https:\/\/cryptonews.com\/br\/wp-json\/wp\/v2\/posts\/157846","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cryptonews.com\/br\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cryptonews.com\/br\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cryptonews.com\/br\/wp-json\/wp\/v2\/users\/780"}],"replies":[{"embeddable":true,"href":"https:\/\/cryptonews.com\/br\/wp-json\/wp\/v2\/comments?post=157846"}],"version-history":[{"count":1,"href":"https:\/\/cryptonews.com\/br\/wp-json\/wp\/v2\/posts\/157846\/revisions"}],"predecessor-version":[{"id":157862,"href":"https:\/\/cryptonews.com\/br\/wp-json\/wp\/v2\/posts\/157846\/revisions\/157862"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cryptonews.com\/br\/wp-json\/wp\/v2\/media\/157843"}],"wp:attachment":[{"href":"https:\/\/cryptonews.com\/br\/wp-json\/wp\/v2\/media?parent=157846"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cryptonews.com\/br\/wp-json\/wp\/v2\/categories?post=157846"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cryptonews.com\/br\/wp-json\/wp\/v2\/tags?post=157846"},{"taxonomy":"editores","embeddable":true,"href":"https:\/\/cryptonews.com\/br\/wp-json\/wp\/v2\/editores?post=157846"},{"taxonomy":"sponsored_companies","embeddable":true,"href":"https:\/\/cryptonews.com\/br\/wp-json\/wp\/v2\/sponsored_companies?post=157846"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}