- SantaStealer targets browsers, wallets, messaging apps, documents, and desktop screenshots.
- Fourteen modules extract data simultaneously through separate execution threads.
- Execution delays are used to reduce the user’s immediate suspicion.
Experts have warned of a new strain of malware called SantaStealer that offers information theft capabilities through a malware-as-a-service model.
According to Rapid7 researchers (via BleepingComputer), the operation is a rebranded version of BluelineStealer, with activity traced to Telegram channels and underground forums.
Access is sold through monthly subscriptions priced between $175 and $300, putting the tool within the reach of lower-level cybercriminals rather than advanced operators.
Santa Stealer Menace
SantaStealer relies on fourteen separate data collection modules, each operating on its own thread, which extract browser credentials, cookies, browsing history, stored payment details, messaging app data, cryptocurrency wallet information, and selected local documents.
The stolen data is written directly to memory, compressed into ZIP files, and transmitted to an encrypted command and control server over port 6767 in 10 MB segments.
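The transfer pattern described above (outbound traffic to port 6767 sent in 10 MB segments) is something a defender can look for in network flow records. The script below is an added example, not code from the article or from Rapid7: it parses a constructed, simplified flow log (source, destination, destination port, bytes sent) and flags any source that pushed two or more segment-sized chunks to one destination on port 6767. The log format, host addresses, byte counts, the ten percent size tolerance and the two-segment threshold are all assumptions made for the example.

```python
"""Flag hosts whose outbound flows match the reported SantaStealer
exfiltration shape: destination port 6767, payload in ~10 MB segments.
Log format, addresses and byte counts below are constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass

EXFIL_PORT = 6767                  # C2 port reported in the analysis
SEGMENT_BYTES = 10 * 1024 * 1024   # 10 MB segments reported in the analysis
TOLERANCE = 0.10                   # assumed: +/-10% slack around the segment size


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    bytes_out: int


# Constructed flow records, one per line: "src dst dport bytes_out"
SAMPLE_LOG = """\
10.0.0.5 203.0.113.10 6767 10485760
10.0.0.5 203.0.113.10 6767 10485760
10.0.0.5 203.0.113.10 6767 10485760
10.0.0.5 203.0.113.10 6767 3145728
10.0.0.9 198.51.100.4 443 52000
10.0.0.9 203.0.113.10 6767 1200
10.0.0.12 192.0.2.77 6767 10485760
"""


def parse_flows(text):
    """Parse the constructed log format into Flow records, skipping blanks and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, nbytes = line.split()
        flows.append(Flow(src, dst, int(dport), int(nbytes)))
    return flows


def is_segment_sized(nbytes):
    """True when a flow's byte count is within TOLERANCE of one 10 MB segment."""
    low = SEGMENT_BYTES * (1 - TOLERANCE)
    high = SEGMENT_BYTES * (1 + TOLERANCE)
    return low <= nbytes <= high


def find_suspects(flows, min_segments=2):
    """Return {src: {dst: (segment_count, total_bytes)}} for every source that
    sent at least `min_segments` segment-sized chunks to one destination on
    EXFIL_PORT. The final, smaller chunk (tail of the archive) is not counted
    as a segment but is included in total_bytes."""
    per_pair = defaultdict(lambda: [0, 0])  # (src, dst) -> [segments, total bytes]
    for f in flows:
        if f.dport != EXFIL_PORT:
            continue
        entry = per_pair[(f.src, f.dst)]
        if is_segment_sized(f.bytes_out):
            entry[0] += 1
        entry[1] += f.bytes_out

    suspects = defaultdict(dict)
    for (src, dst), (segments, total) in per_pair.items():
        if segments >= min_segments:
            suspects[src][dst] = (segments, total)
    return dict(suspects)


if __name__ == "__main__":
    for src, dests in find_suspects(parse_flows(SAMPLE_LOG)).items():
        for dst, (segments, total) in dests.items():
            print(f"{src} -> {dst}:{EXFIL_PORT} {segments} segments, {total} bytes total")
```

A single 10 MB flow to port 6767 (10.0.0.12 in the sample) is deliberately not reported; the threshold exists to keep one large download or upload from tripping the rule. In practice the port alone is a weak indicator and this check is best paired with process-level telemetry, since the C2 port can change between builds.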
The malware is also capable of capturing desktop screenshots during execution and includes an embedded executable designed to bypass Chrome’s App Bound Encryption, a protection introduced in mid-2024.
This bypass technique has already been observed in other active information-stealing campaigns. Additional configuration options allow operators to delay execution, creating an artificial window of inactivity that can reduce immediate suspicion.
SantaStealer can also be configured to avoid systems located in the Commonwealth of Independent States region, a restriction commonly seen in malware developed by Russian-speaking actors.
Currently, SantaStealer does not appear to be widely distributed and researchers have not observed a large-scale campaign.
However, analysts note that recent threat activity favors ClickFix-style attacks, where users are tricked into pasting malicious commands into Windows terminals.
Other possible infection vectors include phishing emails, pirated software installers, torrent downloads, malvertising campaigns, and misleading YouTube comments.
Firewall protection alone is unlikely to prevent these social engineering-driven entry points.
Antivirus detection remains effective against currently observed samples, and malware removal tools are capable of cleaning affected systems in controlled tests.
SantaStealer currently seems more notable for its marketing than its technical maturity, although further development could change its impact.