A new information-stealing malware called SantaStealer is starting to surface across Telegram channels and hacker forums, and it is designed to quietly harvest sensitive data from infected systems.
The malware is being marketed as a malware-as-a-service offering and claims to run entirely in memory, a technique often used to avoid traditional file-based detection. Security researchers say the threat is real, even if the execution is not as sophisticated as advertised.
A Rebrand With Bigger Ambitions
According to researchers at Rapid7, SantaStealer is essentially a rebranded version of an older project known as BluelineStealer. The developer appears to be scaling the operation ahead of a broader launch planned before the end of the year.
The malware is believed to be operated by a Russian-speaking developer and is sold via subscription. A basic package costs $175 per month, while a premium tier runs $300 per month, giving buyers more customization options.
Not as Stealthy as Claimed
Rapid7 analyzed multiple SantaStealer samples and gained access to the affiliate control panel. What they found did not fully match the marketing pitch.
The researchers say the malware is far from undetectable and remains relatively easy to analyze. In fact, some samples were leaked before development was complete, exposing symbol names and unencrypted strings.
That kind of mistake suggests weak operational security and may significantly reduce the effectiveness of the malware in its current form.
Built for Easy Customization
Despite its flaws, SantaStealer is designed to be easy to use for attackers.
The web-based control panel allows buyers to configure their own builds, choosing between full-scale data harvesting or lightweight payloads that focus on specific targets. The malware uses 14 separate data-collection modules, each running in its own thread.
Stolen data is first written to memory, then compressed into ZIP files, and finally exfiltrated in 10MB chunks to a hardcoded command-and-control server over port 6767.
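The exfiltration pattern described above (repeated uploads of roughly 10MB to one destination on TCP port 6767) is something a defender can look for in connection logs. The following is an added example, not code from Rapid7 or from the article; it runs over a few constructed log lines in a simplified, hypothetical Zeek-style layout (timestamp, source, destination, port, protocol, bytes sent) and flags source/destination pairs that show the chunked-upload shape rather than matching on the port alone.

```python
"""Detection heuristic: repeated ~10MB uploads to one host on TCP 6767.

The log format below is a constructed, simplified Zeek-like conn layout
(ts src dst dport proto orig_bytes); it is an assumption for this example,
not the output of any specific sensor.
"""
from collections import defaultdict

# Constructed sample records: one host pushes three full 10MB chunks plus a
# trailing partial chunk; the other two rows are benign-looking noise.
SAMPLE_CONN_LOG = """\
1700000001.1 10.0.0.5 203.0.113.10 6767 tcp 10485760
1700000002.3 10.0.0.5 203.0.113.10 6767 tcp 10485760
1700000003.9 10.0.0.5 203.0.113.10 6767 tcp 10485760
1700000005.0 10.0.0.5 203.0.113.10 6767 tcp 4120330
1700000006.2 10.0.0.7 198.51.100.20 443 tcp 2048
1700000007.4 10.0.0.9 203.0.113.10 6767 tcp 512
"""

CHUNK_BYTES = 10 * 1024 * 1024   # the 10MB chunk size reported for SantaStealer
SUSPECT_PORT = 6767              # hardcoded C2 port reported for SantaStealer


def parse_conn_log(text):
    """Parse whitespace-separated records; skips blank and '#' comment lines."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, obytes = line.split()
        records.append({"ts": float(ts), "src": src, "dst": dst,
                        "dport": int(dport), "proto": proto,
                        "orig_bytes": int(obytes)})
    return records


def find_chunked_exfil(records, port=SUSPECT_PORT, chunk=CHUNK_BYTES,
                       min_chunks=2, tolerance=0.05):
    """Return {(src, dst): {"full_chunks": n, "total_bytes": b}} for pairs with
    at least `min_chunks` TCP connections to `port` whose sent-byte count is
    within `tolerance` of the chunk size. A trailing partial chunk is allowed
    but does not count toward `min_chunks`, which keeps single small
    connections on the same port (e.g. a port scan) from firing."""
    by_pair = defaultdict(list)
    for r in records:
        if r["dport"] == port and r["proto"] == "tcp":
            by_pair[(r["src"], r["dst"])].append(r["orig_bytes"])
    hits = {}
    for pair, sizes in by_pair.items():
        full = sum(1 for s in sizes if abs(s - chunk) <= chunk * tolerance)
        if full >= min_chunks:
            hits[pair] = {"full_chunks": full, "total_bytes": sum(sizes)}
    return hits


if __name__ == "__main__":
    for pair, info in find_chunked_exfil(parse_conn_log(SAMPLE_CONN_LOG)).items():
        print(f"{pair[0]} -> {pair[1]}: {info['full_chunks']} full chunks, "
              f"{info['total_bytes']} bytes sent")
```

The chunk-size regularity, not the port number, is what separates this from ordinary traffic, so the tolerance and minimum chunk count should be tuned to what the sensor actually reports per connection.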
What Data Is Being Targeted
SantaStealer focuses on a wide range of high-value information.
It targets browser data such as saved passwords, cookies, browsing history, and credit card details. It also collects data from Telegram, Discord, and Steam, as well as files from cryptocurrency wallet applications and browser extensions.
In addition, the malware can scan documents and capture screenshots of the victim’s desktop, giving attackers a detailed view of both financial and personal activity.
Beating Browser Protections
One notable feature is its ability to bypass Chrome’s App-Bound Encryption, a security feature introduced in July 2024. Like several other active info-stealers, SantaStealer uses an embedded executable to work around this protection.
Operators can also configure the malware to avoid infecting systems in the Commonwealth of Independent States (CIS) region and delay execution to make detection harder.
How SantaStealer Might Spread
SantaStealer is not yet being distributed at scale, so its primary infection methods remain unclear. That said, researchers note that cybercriminals increasingly rely on ClickFix-style attacks, where users are tricked into pasting malicious commands into the Windows terminal.
Other common delivery methods include phishing emails, pirated software, torrent downloads, malvertising, and deceptive links or comments on platforms like YouTube.
What Users Can Do Right Now
Rapid7 recommends basic but effective precautions.
Users should be cautious with links and attachments from unknown sources and avoid running unverified code or browser extensions from public repositories. Simple habits like these remain some of the most effective defenses against data-stealing malware.
SantaStealer may not be fully polished yet, but it highlights a familiar trend. As attackers continue targeting browsers and crypto wallets, staying cautious online matters more than ever.