- SantaStealer targets browsers, wallets, messaging apps, documents, and desktop screenshots
- Fourteen modules extract data simultaneously through separate execution threads
- Execution delays are used to reduce immediate user suspicion
Experts have warned of a new malware strain dubbed SantaStealer which offers information theft capabilities through a malware-as-a-service model.
Rapid7 researchers (via BleepingComputer), the operation is a rebranded version of BluelineStealer, with activity traced to Telegram channels and underground forums.
Access is sold through monthly subscriptions priced at $175 and $300, placing the tool within reach of lower-tier cybercriminals rather than advanced operators.
SantaStealer threat
SantaStealer is built around fourteen separate data collection modules, each operating in its own execution thread, which extract browser credentials, cookies, browsing history, stored payment details, messaging application data, cryptocurrency wallet information, and selected local documents.
Stolen data is written directly to memory, compressed into ZIP archives, and transmitted to a hardcoded command and control server using port 6767 in 10MB segments.
The malware is also capable of capturing desktop screenshots during execution, and includes an embedded executable designed to bypass Chrome’s App Bound Encryption, a protection introduced in mid-2024.
This method has already been observed in other active information-stealing campaigns, as additional configuration options allow operators to delay execution, creating an artificial inactivity window that may reduce immediate suspicion.
SantaStealer can also be configured to avoid systems located in the Commonwealth of Independent States region, a restriction commonly seen in malware developed by Russian speaking actors.
At present, SantaStealer does not appear to be widely distributed, and researchers have not observed a large-scale campaign.
However, analysts note recent threat activity favors ClickFix-style attacks, where users are tricked into pasting malicious commands into Windows terminals.
Other likely infection vectors include phishing emails, pirated software installers, torrent downloads, malvertising campaigns, and deceptive YouTube comments.
Firewall protection alone is unlikely to prevent these social engineering-driven entry points.
Antivirus detection remains effective against the currently observed samples, and malware removal tools are capable of cleaning affected systems in controlled testing.
SantaStealer currently appears more notable for its marketing than its technical maturity, though further development could change its impact.
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
Add Comment