Emerging SantaStealer malware targets browser and digital wallet data
Security Advisory 16.12.25
Overview
Security researchers have identified a newly emerging malware-as-a-service (MaaS) information stealer, referred to as SantaStealer, currently being promoted across Telegram channels and underground forums. The malware is marketed as operating fully in memory to evade file-based detection; however, analysis indicates the tooling does not yet meet these claims.
The activity was analysed by Rapid7, which reviewed multiple SantaStealer samples and gained access to the affiliate web panel used by operators. Their findings suggest the campaign is an evolution or rebranding of an earlier project known as BluelineStealer, with development accelerating ahead of a planned broader release later this year.
SantaStealer is advertised via a subscription model, with tiers priced at approximately USD $175 per month (Basic) and USD $300 per month (Premium). The malware includes 14 distinct data-collection modules, each operating independently to harvest sensitive information. Collected data is staged in memory, compressed into ZIP archives, and exfiltrated in 10 MB chunks to a hard-coded command-and-control (C2) endpoint over port 6767.
Targeted data includes browser-stored credentials, cookies, browsing history, saved payment details, messaging applications such as Telegram and Discord, gaming platforms including Steam, cryptocurrency wallets and extensions, local documents, and desktop screenshots. The malware also embeds an executable designed to bypass Chrome’s App-Bound Encryption protections introduced in mid-2024, a technique increasingly observed across modern information stealers.
Additional configuration options allow operators to delay execution, exclude systems located in CIS regions, and fine-tune targeting to reduce visibility during early stages of deployment.
At this stage, SantaStealer has not been observed in widespread active distribution. However, based on recent campaigns, likely delivery methods include phishing emails, malicious advertising, pirated or cracked software downloads, torrent platforms, deceptive browser extensions, and so-called ClickFix attacks, where users are tricked into manually executing harmful commands.
Affected Devices
At present, confirmed infections remain limited and primarily associated with testing or early-stage deployment. Any Windows systems where users install unverified software, browser extensions, or execute untrusted commands are considered at elevated risk.
Recommended Remediations
While SantaStealer is still maturing, this activity reinforces the continued effectiveness of commodity malware and social engineering techniques. ctrl:cyber advises organisations to:
- Reinforce user awareness around phishing, malvertising, and social engineering techniques, including ClickFix-style attacks
- Restrict the execution of untrusted scripts, installers, and commands through application control and endpoint policies
- Review browser extension policies and limit installation to approved, verified sources
- Monitor outbound network traffic for unusual connections, particularly to uncommon ports and hard-coded endpoints
- Ensure endpoint detection and response tooling is actively monitored and tuned for in-memory execution techniques
- Maintain least-privilege access across user accounts to reduce the impact of credential theft
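As an added illustration of the network-monitoring recommendation above and of the exfiltration pattern described in the Overview (repeated ~10 MB uploads to a hard-coded endpoint on port 6767), the following Python script is example detection logic written for this advisory; it is not code from the advisory, from Rapid7, or from the malware itself. Only the port number and the approximate chunk size come from the advisory. The log line format, the field names, the IP addresses (RFC 5737 documentation ranges, not real indicators), the size tolerance and the chunk-count threshold are all constructed assumptions chosen for illustration.

```python
"""Flag outbound flows matching the SantaStealer exfiltration pattern.

Constructed example (not from the advisory or from Rapid7): a small
detector over firewall/NetFlow-style log lines that looks for
  1. outbound connections to TCP port 6767 (the hard-coded C2 port the
     advisory reports), and
  2. repeated outbound transfers of roughly 10 MB to one destination,
     the chunked-upload behaviour the advisory describes.
Log format, field names, tolerance and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

C2_PORT = 6767                   # from the advisory
CHUNK_BYTES = 10 * 1024 * 1024   # ~10 MB chunk size, per the advisory
CHUNK_TOLERANCE = 0.15           # assumed: allow +/-15% for headers/compression
MIN_CHUNKS = 3                   # assumed: alert after three chunk-sized uploads


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    bytes_out: int


def parse_flow(line):
    """Parse one constructed log line: 'ts src dst dport bytes_out'."""
    ts, src, dst, dport, bytes_out = line.split()
    return Flow(ts, src, dst, int(dport), int(bytes_out))


def is_chunk_sized(n):
    """True if a transfer is within tolerance of the ~10 MB chunk size."""
    lo = CHUNK_BYTES * (1 - CHUNK_TOLERANCE)
    hi = CHUNK_BYTES * (1 + CHUNK_TOLERANCE)
    return lo <= n <= hi


def detect(lines):
    """Return sorted, de-duplicated (rule, src, dst) findings."""
    findings = set()
    chunk_counts = defaultdict(int)
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and the column-header comment
        f = parse_flow(line)
        if f.dport == C2_PORT:
            findings.add(("c2_port_6767", f.src, f.dst))
        if is_chunk_sized(f.bytes_out):
            key = (f.src, f.dst)
            chunk_counts[key] += 1
            if chunk_counts[key] >= MIN_CHUNKS:
                findings.add(("chunked_upload_10mb", f.src, f.dst))
    return sorted(findings)


# Constructed sample log lines (RFC 5737 documentation addresses, not real IoCs).
SAMPLE_LOG = """\
# ts                  src         dst           dport bytes_out
2025-12-16T09:00:01Z 10.0.0.25   198.51.100.7  443   2048
2025-12-16T09:00:05Z 10.0.0.25   203.0.113.10  6767  10485760
2025-12-16T09:00:09Z 10.0.0.25   203.0.113.10  6767  10485760
2025-12-16T09:00:13Z 10.0.0.25   203.0.113.10  6767  9437184
2025-12-16T09:00:20Z 10.0.0.25   203.0.113.10  6767  1048576
2025-12-16T09:01:00Z 10.0.0.31   198.51.100.7  443   512
2025-12-16T09:02:00Z 10.0.0.31   198.51.100.9  8443  10485760
"""

if __name__ == "__main__":
    for rule, src, dst in detect(SAMPLE_LOG.splitlines()):
        print(f"{rule}: {src} -> {dst}")
```

The port rule is the cheap, brittle check (an operator can change the port); the chunk-count rule is the behavioural one and is the part worth porting to your SIEM query language, because it keys on the upload pattern rather than on a specific endpoint. Tune CHUNK_TOLERANCE and MIN_CHUNKS against your own egress baseline before alerting on it, since legitimate backup and sync clients can also upload in fixed-size blocks.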
Although SantaStealer does not currently demonstrate advanced evasion capabilities, its modular design and active development indicate potential for rapid evolution. Early defensive controls and user awareness remain critical in reducing exposure as this threat landscape continues to develop.