SantaStealer stuffs credentials, crypto wallets into a brand new bag

A new, modular infostealer called SantaStealer, advertised on Telegram with a basic tier priced at $175 per month, promises to make criminals' Christmas dreams come true. It boasts that it can run "fully undetected" even on systems with the "strictest AntiVirus" and those belonging to governments, financial institutions, and other prime targets. Its Russian-speaking operators released the credential- and wallet-stealing malware on Monday, and while infostealers are never welcome news, it does come with a gift to defenders: the samples seen to date are "far from undetectable" and very easy to analyze. This is according to Rapid7 security researcher Milan Špinka, who posted a blog about the stealer shortly before the malware developers released their shiny new tool. "It's difficult to tell if the samples we observe now are the latest builds of SantaStealer, or if there might be a delay and we are only now seeing earlier versions," Špinka told The Register. "Either way, the payloads we analyzed lacked significantly in anti-analysis and evasion capabilities, only implementing a very basic anti-VM/anti-debugging check." He added that the samples analyzed by the malware-hunting team "include original names of functions and global variables and do not perform any kind of string encryption or code obfuscation, making analysis rather simple." Still, it is an infostealer, and this type of malware is a favorite of ransomware gangs and other financially motivated criminals to gain initial access to victims' IT systems. So it's not something that you want to inadvertently download and run on your computer, thus giving attackers your stored usernames and passwords for sensitive accounts and corporate networks. We recommend avoiding unrecognized links and email attachments as well as watching out for fake human verification or tech support instructions to run commands on your computer "SantaStealer goes after sensitive documents, credentials, and crypto wallets," Špinka said. "We recommend avoiding unrecognized links and email attachments as well as watching out for fake human verification or tech support instructions to run commands on your computer." The Rapid7 team first spotted SantaStealer earlier this month and analyzed unobfuscated and unstripped samples. The malware, a 64-bit DLL, contained more than 500 exported symbols with self-explanatory names such as "payload_main," "check_antivm," "browser_names," "notes_config_size," and "notes_config_data," plus "a plethora" of unencrypted strings indicating credential-stealing capabilities. Blueline Stealer rebrand One of these strings contained a link to the SantaStealer Telegram channel, which announced it as a rebranding of an earlier stealer called Blueline Stealer, operated by a pair of anonymous developers with the Telegram handles @weuploaddata (display name "Cracked") and @furixlol (display name "Furix"). "It is unclear why they decided to rename the stealer pre-launch; however, it could be part of the rebrand effort as a means of drawing attention through a catchy name," Špinka told The Register. "We can trace the activities of Blueline Stealer back to July 2025 when the developers were sharing proof of logs in their dedicated Telegram channel for this." The developers for Blueline Stealer are an actor with the handle "Cracked" and a partner with the handle "Furix." From the Telegram channel, the researchers found the affiliate web panel with pricing info: the basic variant costs $175 per month, while the premium variant carries a $300 monthly charge. Rhadamanthys malware admin rattled as cops seize a thousand-plus servers Gootloader malware back for the attack, serves up ransomware Phishing platforms, infostealers blamed as identity attacks soar Get ready for 2026, the year of AI-aided ransomware In addition to Telegram, the developers also advertise SantaStealer on a Russian-speaking hacker forum, Lolz. "The use of this Russian-speaking forum, the top-level domain name of the web panel bearing the country code of the Soviet Union (su), and the ability to configure the stealer not to target Russian-speaking victims (described later) hints at Russian citizenship of the operators — not at all unusual on the infostealer market," Špinka wrote in the blog. Based on the samples analyzed, the stealer appears to be moving toward a fileless collection, with the modules and the Chrome decryptor DLL being loaded and executed in-memory. This helps the malware avoid file-based detection. After stealing users' data, the malware compresses it and splits it into 10 MB chunks before sending it to a command-and-control server over unencrypted HTTP. In addition to the technical analysis, Rapid7's write-up includes a list of indicators of compromise, so be sure to check those out and, as Špinka urges heading into the holidays: "stay safe and off the naughty list!" ®