- SantaStealer targets browsers, wallets, messaging apps, documents and desktop screens
- Fourteen modules extract data simultaneously through separate threads of execution
- Execution delays are used to reduce the immediate suspicion of users
Experts have warned of a new malware strain called SantaStealer, which offers information theft via a malware-as-a-service model.
According to Rapid7 researchers (via Bleeping Computer), the operation is a rebranded version of BluelineStealer, with activity traced to Telegram channels and underground forums.
Access is sold through monthly subscriptions priced between $175 and $300, putting the tool within reach of low-level cybercriminals rather than advanced operators.
SantaStealer threat
SantaStealer is built around fourteen separate data collection modules, each operating in its own thread of execution, which together extract browser information, cookies, browsing history, stored payment information, messaging application data, cryptocurrency wallet information, and selected local documents.
Stolen data is written directly to memory, compressed into ZIP archives, and transmitted to a hard-coded command and control server using port 6767 in 10 MB segments.
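The exfiltration pattern described above (a hard-coded C2 port of 6767 and transfers split into roughly 10 MB segments) is something a defender can hunt for in flow or firewall logs. The following is an added example, not code from the article or from Rapid7's report: it parses a constructed, simplified flow-log format (timestamp, source IP, destination IP, destination port, bytes out), groups outbound traffic to port 6767 by host pair, and flags pairs that sent two or more segments close to 10 MB. The log format, the ±15 % size tolerance, the two-segment minimum and all IP addresses are assumptions made for the example.

```python
"""Hunt constructed flow records for SantaStealer-like exfiltration patterns.

Added example (not from the article or Rapid7's report). Assumes a simple
flow-log format: "<timestamp> <src_ip> <dst_ip> <dst_port> <bytes_out>".
The only indicators taken from the article are the hard-coded C2 port 6767
and the ~10 MB transfer segments; the thresholds below are assumptions.
"""
from collections import defaultdict

C2_PORT = 6767                    # hard-coded port reported for SantaStealer
SEGMENT_BYTES = 10 * 1000 * 1000  # ~10 MB segments (decimal MB assumed)
SEGMENT_TOLERANCE = 0.15          # assumed: accept segments within +/-15 %
MIN_SEGMENTS = 2                  # assumed: require at least two full segments

# Constructed sample flows: one host streaming two ~10 MB segments plus a
# smaller trailing segment to port 6767, and two benign-looking flows.
SAMPLE_FLOWS = """\
2024-12-01T09:00:01Z 10.0.0.12 203.0.113.7 6767 10240000
2024-12-01T09:00:04Z 10.0.0.12 203.0.113.7 6767 10100000
2024-12-01T09:00:07Z 10.0.0.12 203.0.113.7 6767 3200000
2024-12-01T09:00:09Z 10.0.0.33 198.51.100.5 443 52000
2024-12-01T09:00:11Z 10.0.0.40 203.0.113.9 6767 1500
"""


def parse_flow(line):
    """Split one whitespace-separated flow record into a dict."""
    ts, src, dst, port, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes)}


def is_full_segment(nbytes):
    """True if a transfer size is within tolerance of one ~10 MB segment."""
    low = SEGMENT_BYTES * (1 - SEGMENT_TOLERANCE)
    high = SEGMENT_BYTES * (1 + SEGMENT_TOLERANCE)
    return low <= nbytes <= high


def find_suspicious_exfil(log_text):
    """Return (src, dst, total_bytes, full_segments) for every host pair that
    sent repeated ~10 MB segments to the C2 port, in log order."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow["port"] == C2_PORT:
            sessions[(flow["src"], flow["dst"])].append(flow["bytes"])

    hits = []
    for (src, dst), sizes in sessions.items():
        full = sum(1 for s in sizes if is_full_segment(s))
        if full >= MIN_SEGMENTS:
            hits.append((src, dst, sum(sizes), full))
    return hits


if __name__ == "__main__":
    for src, dst, total, full in find_suspicious_exfil(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{C2_PORT} sent {total} bytes in {full} ~10 MB segments")
```

A fixed destination port is a weak indicator on its own, so the check requires the segmented-transfer shape as well; in a real deployment the thresholds would be tuned against the environment's normal traffic to port 6767, and a hit would be corroborated against endpoint telemetry.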
The malware is also capable of capturing desktop screenshots during execution and includes an embedded executable designed to bypass Chrome’s App Bound Encryption, a protection introduced in mid-2024.
This bypass method has already been observed in other active information-stealing campaigns. Additional configuration options allow operators to delay execution, creating an artificial window of inactivity that can reduce immediate suspicion.
SantaStealer can also be configured to avoid systems located in the Commonwealth of Independent States region, a restriction commonly seen in malware developed by Russian-speaking actors.
At present, SantaStealer does not appear to be widespread, and researchers have not observed a large-scale campaign.
However, analysts note that recent threat activity favors ClickFix attacks, where users are tricked into entering malicious commands into Windows terminals.
Other likely infection vectors include phishing emails, pirated software installers, torrent downloads, malvertising campaigns and misleading YouTube comments.
Firewall protection alone is unlikely to prevent these social engineering-driven entry points.
Antivirus detection remains effective against the currently observed samples and malware removal tools are able to clean affected systems in controlled testing.
SantaStealer currently appears more notable for its marketing than its technical maturity, although further development may change its impact.