A newly identified information stealer known as SantaStealer is gaining traction across underground forums and Telegram channels.
Security researchers warn that the malware, now declared production-ready by its operators, is designed to quietly harvest credentials, financial data, and sensitive files while evading traditional detection methods.
The malware has a “… completely fileless collection approach, with modules and the Chrome decryptor DLL being loaded and executed in-memory,” said Rapid7 researchers.
SantaStealer and the MaaS Economy
SantaStealer reflects the continued evolution of malware-as-a-service (MaaS), lowering the barrier to entry for cybercriminals while increasing the scale and speed of credential theft.
The malware targets widely used browsers, applications, and local data stores, making it relevant to enterprises, small businesses, and individual users alike.
Rapid7 Labs first identified SantaStealer in early December 2025 after detecting a suspicious Windows executable triggering generic infostealer rules commonly associated with the Raccoon stealer family.
According to Rapid7’s analysis, SantaStealer was previously advertised under the name BluelineStealer before undergoing a rebranding ahead of its release.
The stealer is marketed through Telegram channels and Russian-language underground forums, complete with an affiliate web panel that advertises advanced evasion techniques and enterprise-grade targeting.
Pricing ranges from approximately $175 per month for a basic tier to $300 per month for a premium offering.
Inside SantaStealer’s Data Theft Pipeline
SantaStealer is designed to operate largely in memory, reducing its reliance on dropped files and complicating detection by file-based security tools.
The malware collects credentials, cookies, cryptocurrency wallets, screenshots, documents, and application data, then compresses the stolen information into ZIP archives.
The malware splits these archives into 10 MB chunks and exfiltrates them to a command-and-control (C2) server over unencrypted HTTP.
Configuration data, including the C2 address and campaign identifiers, is embedded directly in the executable in plaintext — making early versions of the malware relatively easy to analyze and track.
SantaStealer employs a modular, multi-threaded architecture, allowing it to run multiple data-stealing components in parallel.
Dedicated modules target Chromium-based browsers, messaging platforms such as Telegram and Discord, gaming applications, and browser extensions.
Additional modules collect environment variables, screenshots, and locally stored documents.
SantaStealer’s Evasion Claims Fall Short
While SantaStealer’s operators advertise robust anti-analysis and antivirus evasion features, observed samples suggest these capabilities remain basic.
Researchers identified multiple builds containing unobfuscated strings, exported function names, and statically linked libraries such as cJSON, sqlite3, and miniz — an unusual oversight for malware claiming to be “fully undetected.”
Some samples include anti-virtual machine and anti-debugging checks, such as scanning for blocklisted processes, suspicious directory names, or virtualization services.
If a virtualized or analysis environment is detected, the malware terminates execution. However, these checks vary across samples, indicating active development rather than a mature evasion framework.
Notably, SantaStealer includes optional logic to avoid targeting systems using Russian keyboard layouts, a common trait among malware developed within Russian-speaking cybercrime ecosystems.
Layered Defenses Against Infostealers
Defending against SantaStealer relies on a layered approach that focuses on prevention, early detection, and limiting impact if compromise occurs.
- Keep endpoint protection platforms fully updated and tuned to detect infostealer and browser credential theft activity.
- Train users to avoid executing unverified software, malicious attachments, and social engineering lures such as fake verification prompts.
- Enforce application allowlisting and restrict execution from user-writable directories to block unauthorized binaries.
- Harden browser environments and credential storage, and require phishing-resistant MFA for sensitive applications.
- Monitor for suspicious browser behavior, process injection, and anomalous outbound HTTP traffic indicative of data exfiltration.
- Reduce blast radius by enforcing least privilege, limiting local administrator access, and segmenting endpoint access to critical systems.
Implemented together, these controls reduce exposure to infostealers while building more resilient endpoint and identity defenses.
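The exfiltration pattern described above (ZIP archives split into 10 MB chunks and pushed to the C2 over unencrypted HTTP) and the "anomalous outbound HTTP traffic" monitoring item in the list lend themselves to a concrete egress-log heuristic. The following is an added example written for this article, not Rapid7's or the operators' code: it scans proxy log lines for a short burst of uniform, roughly 10 MB POST requests from one internal host to one destination, and rates a burst over plaintext `http://` as higher severity than the same pattern over TLS. The log format (`timestamp src_ip method url request_bytes`), the thresholds, and the sample lines are all assumptions constructed for the example.

```python
"""Heuristic for chunked data exfiltration over HTTP (added example, not the
article's or Rapid7's code). Assumed egress-proxy log line format:
    <ISO-8601 timestamp> <src_ip> <method> <url> <request_bytes>
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# One archive chunk is about 10 MB; the tolerance absorbs multipart/HTTP
# framing overhead. Thresholds are illustrative, not tuned production values.
CHUNK_BYTES = 10 * 1024 * 1024
TOLERANCE = 0.08          # +/- 8 % of CHUNK_BYTES counts as "chunk-sized"
MIN_CHUNKS = 3            # bursts shorter than this are ignored
WINDOW = timedelta(minutes=10)

# Constructed sample log lines (not real traffic). 10.0.4.17 shows the
# plaintext chunk burst plus a smaller final chunk; 10.0.4.22 shows the same
# size pattern to an HTTPS file service; 10.0.4.31 is a lone large upload.
SAMPLE_LOG = """\
2025-12-05T09:14:02Z 10.0.4.17 GET http://update.example-vendor.test/manifest.json 412
2025-12-05T09:14:31Z 10.0.4.17 POST http://203.0.113.45:8080/upload 10486016
2025-12-05T09:14:40Z 10.0.4.17 POST http://203.0.113.45:8080/upload 10486144
2025-12-05T09:14:49Z 10.0.4.17 POST http://203.0.113.45:8080/upload 10485980
2025-12-05T09:14:58Z 10.0.4.17 POST http://203.0.113.45:8080/upload 3188222
2025-12-05T09:15:10Z 10.0.4.22 POST https://files.example-corp.test/api/v1/blob 10485760
2025-12-05T09:15:20Z 10.0.4.22 POST https://files.example-corp.test/api/v1/blob 10485760
2025-12-05T09:15:30Z 10.0.4.22 POST https://files.example-corp.test/api/v1/blob 10485760
2025-12-05T09:20:00Z 10.0.4.31 POST http://intranet.example-corp.test/print 10485760
"""


def parse_line(line):
    """Split one assumed-format log line into a dict of typed fields."""
    ts, src, method, url, nbytes = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "src": src,
        "method": method,
        "url": url,
        "bytes": int(nbytes),
    }


def looks_like_chunk(nbytes):
    """True when the request body is within TOLERANCE of one 10 MB chunk."""
    return abs(nbytes - CHUNK_BYTES) <= CHUNK_BYTES * TOLERANCE


def find_chunked_uploads(log_text):
    """Return one alert per (src, destination, scheme) that sent at least
    MIN_CHUNKS chunk-sized POSTs inside any WINDOW-long sliding window."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]

    # Group the timestamps of chunk-sized POSTs by source, destination, scheme.
    groups = defaultdict(list)
    for e in events:
        if e["method"] != "POST" or not looks_like_chunk(e["bytes"]):
            continue
        u = urlparse(e["url"])
        groups[(e["src"], u.netloc, u.scheme)].append(e["ts"])

    alerts = []
    for (src, dest, scheme), times in groups.items():
        times.sort()
        # Longest run of chunk-sized POSTs whose first and last fall within WINDOW.
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > WINDOW:
                start += 1
            best = max(best, end - start + 1)
        if best >= MIN_CHUNKS:
            plaintext = scheme == "http"
            alerts.append({
                "src": src,
                "dest": dest,
                "chunks": best,
                "plaintext": plaintext,
                # Unencrypted transport plus the chunk pattern is the stronger
                # signal; the same pattern over TLS still deserves a look.
                "severity": "high" if plaintext else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in find_chunked_uploads(SAMPLE_LOG):
        print(alert)
```

Run against the constructed log, the script raises a high-severity alert for 10.0.4.17 (three plaintext chunk-sized POSTs to 203.0.113.45:8080 in under a minute) and a medium-severity one for 10.0.4.22, while the single large upload from 10.0.4.31 is ignored. The trailing smaller request from 10.0.4.17 is the last, partial chunk of a split archive; a production rule would usually count it as part of the burst, and would cross-check the destination against an allowlist of known file-sync services to keep the medium-severity class from flooding the queue.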
MaaS Lowers the Bar for Attackers
SantaStealer reflects a broader trend in the cybercrime ecosystem, where malware-as-a-service (MaaS) offerings increasingly draw on legitimate open-source projects and emphasize rapid release cycles over strong operational security.
Even when early versions lack sophistication, fast iteration and wide distribution can quickly elevate emerging malware families into high-volume, persistent threats.
This trend reinforces the need for zero-trust principles, where implicit trust is eliminated and access is continuously verified.
