A new and aggressive information stealer named SantaStealer has emerged as a significant threat to Windows users globally. This malware-as-a-service (MaaS) is actively being marketed on Telegram channels and underground hacker forums, with a full release anticipated by the end of 2025. SantaStealer represents a rebranding of the earlier BluelineStealer, indicating the dynamic and evolving nature of cybercrime tools designed to harvest sensitive user data, including documents, credentials, and cryptocurrency wallet information.
According to cybersecurity researchers at Rapid7, SantaStealer operates with extensive capabilities, exfiltrating a wide range of sensitive information from infected systems. The malware is designed to evade detection by running entirely in memory, a common technique to circumvent traditional file-based security solutions. Once data is collected, it is compressed, divided into 10 MB chunks, and transmitted to command-and-control (C2) servers via unencrypted HTTP connections.
SantaStealer: In-Memory Infection and Browser Credential Theft
Researchers discovered samples of SantaStealer after identifying a Windows executable that triggered generic information-stealer detection rules, similar to those associated with the Raccoon stealer family. Analysis of a 64-bit DLL file revealed a modular design, including functions for virtual machine detection before executing its primary payload. A notable feature of SantaStealer is its ability to steal browser credentials from Chromium-based browsers by bypassing App-Bound Encryption.
The malware achieves this credential theft through an embedded tool called ChromElevator, which is executed from within the malware itself. ChromElevator uses direct syscall-based reflective process hollowing to inject code into legitimate browser processes, so that the decryption of the App-Bound Encryption keys happens from inside the browser's own security context. Running inside a trusted process lets SantaStealer read the stored credentials without tripping the simpler file- and API-based checks that security software applies to foreign processes; the cross-process injection into the browser is itself the behaviour a defender should be watching for.
Once the sensitive data is gathered, SantaStealer compresses it in memory. Exfiltration occurs over plain HTTP to hardcoded C2 servers, typically on port 6767. While this unencrypted transport is convenient for the threat actor, it also gives network security monitoring an opening: outbound HTTP to a non-standard port carrying repeated, fixed-size multi-megabyte POST bodies is easy to single out, and the cleartext payload can be inspected and reconstructed from a packet capture.
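As an added illustration, not code from the Rapid7 report or from the malware, the following Python script turns the two network indicators described above, the C2 port and the fixed chunk size, into a detection over Zeek-style http.log records. The log lines are constructed for the example; whether "10 MB" means 10 MiB or 10,000,000 bytes, the 2% size tolerance, and the two-chunk threshold for the port-agnostic rule are assumptions.

```python
import json
from collections import defaultdict

C2_PORT = 6767  # hardcoded C2 port reported for SantaStealer
# "10 MB chunks": whether that is 10 MiB or 10,000,000 bytes is an assumption, so accept either.
CHUNK_SIZES = (10 * 1024 * 1024, 10_000_000)
CHUNK_TOLERANCE = 0.02  # assumed slack for framing/encoding overhead around a full chunk

# Constructed Zeek-style http.log records (JSON lines); not real telemetry.
SAMPLE_HTTP_LOG = """
{"ts": 1700000001.0, "id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.10", "id.resp_p": 6767, "method": "POST", "uri": "/upload", "request_body_len": 10485760, "response_body_len": 2}
{"ts": 1700000002.0, "id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.10", "id.resp_p": 6767, "method": "POST", "uri": "/upload", "request_body_len": 10485760, "response_body_len": 2}
{"ts": 1700000003.0, "id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.10", "id.resp_p": 6767, "method": "POST", "uri": "/upload", "request_body_len": 3211264, "response_body_len": 2}
{"ts": 1700000004.0, "id.orig_h": "10.0.0.7", "id.resp_h": "198.51.100.20", "id.resp_p": 80, "method": "GET", "uri": "/index.html", "request_body_len": 0, "response_body_len": 5120}
{"ts": 1700000005.0, "id.orig_h": "10.0.0.8", "id.resp_h": "198.51.100.30", "id.resp_p": 8080, "method": "POST", "uri": "/api/files", "request_body_len": 10485760, "response_body_len": 40}
{"ts": 1700000006.0, "id.orig_h": "10.0.0.8", "id.resp_h": "198.51.100.30", "id.resp_p": 8080, "method": "POST", "uri": "/api/files", "request_body_len": 10485760, "response_body_len": 40}
"""


def parse_http_log(text):
    """Parse Zeek-style JSON-lines http.log records, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def is_full_chunk(body_len):
    """True if a request body is within tolerance of a full 10 MB exfiltration chunk."""
    return any(abs(body_len - size) <= size * CHUNK_TOLERANCE for size in CHUNK_SIZES)


def detect_chunked_exfil(records, min_full_chunks=2):
    """Group HTTP POSTs by (source, destination, port) and score each upload stream.

    'high'   : any POST to the reported C2 port 6767.
    'medium' : repeated full-size chunks to one host on any port, which also catches
               a rebuilt sample that only changed the port.
    """
    streams = defaultdict(lambda: {"posts": 0, "full_chunks": 0, "bytes": 0})
    for r in records:
        if r.get("method") != "POST":
            continue
        key = (r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])
        body = int(r.get("request_body_len", 0))
        s = streams[key]
        s["posts"] += 1
        s["bytes"] += body
        if is_full_chunk(body):
            s["full_chunks"] += 1

    alerts = []
    for (src, dst, port), s in streams.items():
        if port == C2_PORT:
            severity = "high"
        elif s["full_chunks"] >= min_full_chunks:
            severity = "medium"
        else:
            continue
        alerts.append({"src": src, "dst": dst, "port": port, "severity": severity,
                       "posts": s["posts"], "full_chunks": s["full_chunks"], "bytes": s["bytes"]})
    # High-severity hits first, then by source address.
    alerts.sort(key=lambda a: (a["severity"] != "high", a["src"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_chunked_exfil(parse_http_log(SAMPLE_HTTP_LOG)):
        print(alert)
```

The port rule is the cheap, specific match; the chunk-size rule is deliberately port-agnostic because a hardcoded port is the first thing an operator changes, while the 10 MB slicing is baked into the stealer's exfiltration routine. On real traffic, tune the threshold against legitimate chunked uploads (backup agents, cloud sync clients) before alerting.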
The developers of SantaStealer claim the malware is fully written in C and incorporates a custom polymorphic engine along with comprehensive anti-detection features. However, Rapid7’s analysis of unobfuscated and unstripped samples indicated significant operational security weaknesses in the threat actors’ implementation. These weaknesses provide security professionals with valuable insights into the malware’s actual sophistication level and the operational methods of the attackers.
The pricing model for SantaStealer as a malware-as-a-service ranges from $175 per month for basic functionalities to $300 per month for premium features. These premium options reportedly include custom implementation choices and file binding capabilities, offering a degree of flexibility for potential users in the cybercrime ecosystem.
Security professionals are urged to remain vigilant. Users should be cautious of unrecognized email attachments and suspicious download links, as these are common vectors for the delivery of information-stealing malware like SantaStealer. The ongoing development and marketing of such tools underscore the persistent and evolving threat landscape for Windows users worldwide. The full release with advanced features planned for late 2025 suggests that SantaStealer will likely continue to pose a significant challenge to cybersecurity defenses in the coming years.