
A new information stealer called SantaStealer has emerged as a serious threat to Windows users worldwide.
This malware-as-a-service tool is being aggressively marketed through Telegram channels and underground hacker forums, with plans for full release before the end of 2025.
The malware represents a rebranding of the earlier BluelineStealer, reflecting the evolving nature of the cybercrime landscape and the continuous development of sophisticated stealing tools designed to harvest sensitive user information.
The stealer’s capabilities are extensive and well-organized. SantaStealer collects and exfiltrates sensitive documents, user credentials, cryptocurrency wallet data, and information from a broad range of applications.
The malware operates entirely in memory to avoid file-based detection, a critical feature for evading traditional security solutions.
Once collected, all stolen data is compressed, split into manageable 10 MB chunks, and sent to a command-and-control server through unencrypted HTTP connections.
The developers claim the malware is fully written in C with a custom polymorphic engine and complete anti-detection capabilities.
However, Rapid7 researchers identified unobfuscated and unstripped SantaStealer samples that provide an in-depth look at the malware’s actual sophistication level.
Their analysis reveals significant operational security weaknesses in the threat actors’ approach.
In-Memory Infection and Browser Credential Theft
Analysts detected the malware after discovering a Windows executable that triggered generic information-stealer detection rules typically associated with the Raccoon stealer family.
The initial analysis of a 64-bit DLL containing over 500 exported symbols with highly descriptive names, such as “payload_main” and “check_antivm,” quickly exposed the malware’s credential-stealing capabilities.
The technical implementation demonstrates a modular design where SantaStealer performs virtual machine detection before executing its main payload.
A particularly sophisticated aspect involves stealing browser credentials from Chromium-based browsers by bypassing App-Bound Encryption.
The malware achieves this by embedding and executing a specialized tool called ChromElevator, which employs direct syscall-based reflective process hollowing to inject code into legitimate browser processes.
This technique allows the stealer to decrypt the App-Bound Encryption keys and access stored credentials without raising immediate suspicion.
The stolen data undergoes compression in memory and is exfiltrated over plain HTTP to hardcoded command-and-control servers on port 6767.
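The exfiltration traits reported above (plain HTTP, roughly 10 MB chunks, a hard-coded C2 on port 6767) can be turned into a simple network-telemetry check. The script below is an added example written for this article, not code from Rapid7 or from the malware; the proxy log format, the sample lines and the 10 MiB reading of "10 MB" are constructed assumptions.

```python
"""Flag client->host flows whose outbound POSTs resemble SantaStealer's
chunked plain-HTTP exfiltration. Log format and sample data are constructed."""
from collections import defaultdict
from urllib.parse import urlsplit

CHUNK_BYTES = 10 * 1024 * 1024  # assumption: the reported "10 MB" chunk is 10 MiB
SLACK = 0.05                    # tolerate 5 % deviation from the nominal chunk size
C2_PORT = 6767                  # C2 port reported in the article

# Constructed proxy log: "<timestamp> <client> <method> <url> <request_bytes>"
SAMPLE_LOG = """\
2025-11-02T10:01:03Z 10.0.0.15 GET http://intranet.example/home 0
2025-11-02T10:02:10Z 10.0.0.15 POST http://203.0.113.10:6767/up 10485760
2025-11-02T10:02:14Z 10.0.0.15 POST http://203.0.113.10:6767/up 10485760
2025-11-02T10:02:19Z 10.0.0.15 POST http://203.0.113.10:6767/up 10485760
2025-11-02T10:02:23Z 10.0.0.15 POST http://203.0.113.10:6767/up 3140000
2025-11-02T10:03:00Z 10.0.0.22 POST https://backup.example/api 10485760
2025-11-02T10:04:00Z 10.0.0.22 POST http://198.51.100.7:6767/x 2048
"""

def parse_line(line):
    """Split one log line into its fields; default the port from the scheme."""
    _ts, client, method, url, size = line.split()
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    return {"client": client, "method": method, "scheme": u.scheme,
            "host": u.hostname, "port": port, "bytes": int(size)}

def find_exfil(log_text, min_chunks=2):
    """Group plain-HTTP POSTs per (client, host, port) and return the flows
    that match at least one indicator, with the matching reasons attached."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["method"] == "POST" and rec["scheme"] == "http":
            flows[(rec["client"], rec["host"], rec["port"])].append(rec)
    hits = {}
    for (client, host, port), posts in flows.items():
        reasons = []
        # count uploads whose size sits within SLACK of the nominal chunk
        full = sum(1 for p in posts
                   if abs(p["bytes"] - CHUNK_BYTES) <= CHUNK_BYTES * SLACK)
        if full >= min_chunks:
            reasons.append(f"{full} x ~10MB POST chunks over plain HTTP")
        if port == C2_PORT:
            reasons.append("plain HTTP POST to port 6767")
        if reasons:
            hits[(client, host, port)] = {"posts": len(posts), "reasons": reasons}
    return hits
```

The HTTPS upload to the backup host is deliberately ignored: the page describes unencrypted HTTP only, and including TLS traffic would swamp the check with legitimate large uploads.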
Pricing for the malware-as-a-service ranges from $175 monthly for basic functionality to $300 for premium features, including custom implementation options and file binding capabilities.
Security professionals should remain vigilant against unrecognized email attachments and suspicious download links that may deliver this emerging threat.
