Torg Grabber has emerged as a sophisticated and evolving credential stealer that began its development targeting victims via the Telegram Bot API, then transitioned to a raw TCP protocol and now employs a production-grade REST API. This malware is indicative of a Malware-as-a-Service (MaaS) model, supported by a wide-ranging criminal infrastructure. Torg Grabber showcases notable advancements in its three-month developmental timeline, during which it presented a rapid evolution from simple Telegram file uploads to a complex exfiltration mechanism using encrypted HTTPS communications.