New ‘SantaStealer’ infostealer marketed on forums

Security researchers at Rapid7 said a new malware-as-a-service information stealer called SantaStealer is being advertised on Telegram and hacker forums and is promoted as operating in memory to avoid file-based detection; Rapid7 detailed its findings in a report.

Rapid7 attributed the project to a Russian-speaking developer and said the operation appears to be a rebranding of an earlier project called BluelineStealer. The malware is being marketed on subscription tiers, with a Basic plan advertised at $175 per month and a Premium plan at $300 per month, the researchers said.

The researchers said they obtained samples and access to an affiliate web panel and that the samples do not match the product’s claims of evading detection. Rapid7 reported that leaked samples included symbol names and unencrypted strings, which the company said likely undermines the operator’s efforts and indicates weak operational security.

According to Rapid7, the affiliate panel allows customers to configure builds and targeting scopes. The malware is modular: it uses 14 distinct data-collection modules, each running in its own thread, writes the stolen data to memory, archives it into a ZIP file and exfiltrates it in 10 MB chunks to a hardcoded command-and-control endpoint over port 6767. Rapid7 also said SantaStealer uses an embedded executable to bypass Chrome's App-Bound Encryption protections introduced in July 2024.
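The exfiltration pattern described above (uploads to a fixed port in roughly 10 MB chunks) is the kind of behaviour a network-log hunt can surface. The script below is an added defender-side example, not code from Rapid7 or from the malware; the port and chunk size come from the report summary, while the tab-separated log format, the tolerance values and the sample flows are constructed assumptions.

```python
"""Heuristic hunt for SantaStealer-style chunked exfiltration: outbound flows to
TCP port 6767 whose size is close to the advertised 10 MB chunk. The log format
is a constructed Zeek-conn-like layout; tune thresholds to your environment and
corroborate hits with host telemetry before acting."""
from collections import defaultdict

C2_PORT = 6767                   # hardcoded C2 port reported by Rapid7
CHUNK_BYTES = 10 * 1024 * 1024   # advertised 10 MB chunk size
TOLERANCE = 0.10                 # assumption: +/-10% slack for ZIP/framing overhead


def parse_conn_log(text):
    """Yield (src, dst, dport, orig_bytes) from tab-separated lines, skipping comments."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        _ts, src, dst, dport, orig_bytes = line.split("\t")
        yield src, dst, int(dport), int(orig_bytes)


def is_chunk_sized(nbytes):
    """True when a single flow's upload volume is within tolerance of one chunk."""
    return abs(nbytes - CHUNK_BYTES) <= CHUNK_BYTES * TOLERANCE


def find_chunked_exfil(text, min_chunks=2):
    """Return {(src, dst): n} for pairs with at least min_chunks chunk-sized
    uploads to the C2 port. The final, smaller tail chunk of a transfer is
    deliberately not counted, so one full chunk alone does not fire."""
    counts = defaultdict(int)
    for src, dst, dport, nbytes in parse_conn_log(text):
        if dport == C2_PORT and is_chunk_sized(nbytes):
            counts[(src, dst)] += 1
    return {pair: n for pair, n in counts.items() if n >= min_chunks}


# Constructed sample: host .5 sends two full chunks plus a 3 MB tail; the other
# flows are noise (tiny upload on 6767, a 10 MB upload on 443).
SAMPLE_LOG = """\
#ts\tsrc\tdst\tdport\torig_bytes
1700000000\t10.0.0.5\t203.0.113.10\t6767\t10485760
1700000004\t10.0.0.5\t203.0.113.10\t6767\t10486100
1700000009\t10.0.0.5\t203.0.113.10\t6767\t3145728
1700000010\t10.0.0.7\t203.0.113.10\t6767\t1500
1700000012\t10.0.0.9\t198.51.100.2\t443\t10485760
"""

if __name__ == "__main__":
    for (src, dst), n in find_chunked_exfil(SAMPLE_LOG).items():
        print(f"{src} -> {dst}:{C2_PORT}: {n} chunk-sized uploads")
```

A real deployment would feed Zeek or firewall flow records in place of `SAMPLE_LOG` and pair the hit with host-side evidence such as the ZIP staging in memory.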

Rapid7 said the modules target browser data such as passwords, cookies, history and saved credit cards, as well as Telegram, Discord and Steam data, cryptocurrency wallet apps and extensions, documents and screenshots. The panel reportedly includes options to exclude systems in the Commonwealth of Independent States and to delay execution to misdirect victims.

The researchers said SantaStealer is not yet known to have been distributed widely and its spreading mechanism is unclear, though they noted common criminal distribution methods such as ClickFix social engineering, phishing, pirated software or torrent downloads, malvertising and deceptive YouTube comments.

Rapid7 recommended that users check links and attachments in unfamiliar messages and avoid running unverified browser-extension code taken from public repositories.