Naughty List: SantaStealer Malware Unwrapped—The “New” Holiday Threat is Just Rebranded Code
In the run-up to the New Year holidays, underground marketplaces often see a surge of freshly minted data-stealing tools, and this time SantaStealer is being aggressively promoted across Telegram channels and hacker forums. It is advertised as a memory-resident piece of malware designed to evade security defenses, yet early analyses suggest that reality falls short of the marketing claims.
According to Rapid7, SantaStealer appears to be little more than a rebranding of the BluelineStealer project, with its developer rushing to push a release before year’s end. As the report notes, leaked samples contain numerous analytical breadcrumbs—including readable strings and symbol names—indicating poor operational discipline and undermining any serious attempt at stealth. The swift and reliable evasion touted in promotional materials was not observed in the variants examined by Rapid7.
Access to the affiliate panel suggests that “customers” can generate builds with varying depths of data theft, ranging from a generic configuration to profiles tailored for specific data types. Internally, SantaStealer employs 14 collection modules running in parallel: harvested data is written to memory, compressed into ZIP archives, and exfiltrated in 10-MB chunks to a designated command server via port 6767.
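As an added, defender-side example that is not part of this article or the Rapid7 report: a small heuristic that flags the exfiltration pattern described above (repeated transfers of roughly 10 MB to a command server on port 6767) in constructed flow records. The pipe-separated log format, the 10% size tolerance and the two-chunk threshold are assumptions made for the example.

```python
import re
from collections import defaultdict

EXFIL_PORT = 6767                # command-server port named in the article
CHUNK_BYTES = 10 * 1024 * 1024   # the article's "10-MB chunks"
TOLERANCE = 0.10                 # assumption: +/-10% slack around a full chunk

# Constructed flow records (not real telemetry): ts|src|dst|dport|bytes_sent
SAMPLE_LOG = """\
1735689600|10.0.0.5|203.0.113.9|6767|10485760
1735689604|10.0.0.5|203.0.113.9|6767|10485760
1735689609|10.0.0.5|203.0.113.9|6767|3211264
1735689610|10.0.0.7|198.51.100.2|443|10485760
1735689611|10.0.0.8|203.0.113.9|6767|512
"""

LINE_RE = re.compile(r"^(\d+)\|([^|]+)\|([^|]+)\|(\d+)\|(\d+)$")

def parse_flows(text):
    """Parse the constructed flow format into dicts; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, dport, sent = m.groups()
            flows.append({"ts": int(ts), "src": src, "dst": dst,
                          "dport": int(dport), "sent": int(sent)})
    return flows

def is_full_chunk(sent):
    """True when a transfer is within TOLERANCE of one full 10-MB chunk."""
    return abs(sent - CHUNK_BYTES) <= CHUNK_BYTES * TOLERANCE

def find_exfil(flows, min_full_chunks=2):
    """Group outbound flows to TCP/6767 by (src, dst) and flag pairs that sent
    at least min_full_chunks transfers of roughly 10 MB each. A trailing
    smaller transfer (the final chunk) counts toward the byte total only.
    Returns {(src, dst): (full_chunks, total_bytes)}."""
    per_pair = defaultdict(lambda: [0, 0])
    for f in flows:
        if f["dport"] != EXFIL_PORT:
            continue   # the port alone is weak evidence; it is only the pivot
        stats = per_pair[(f["src"], f["dst"])]
        stats[1] += f["sent"]
        if is_full_chunk(f["sent"]):
            stats[0] += 1
    return {pair: tuple(s) for pair, s in per_pair.items()
            if s[0] >= min_full_chunks}

if __name__ == "__main__":
    for (src, dst), (chunks, total) in find_exfil(parse_flows(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}:{EXFIL_PORT}  {chunks} full chunks, {total} bytes")
```

The signal is the combination of destination port and the repeated fixed-size transfers, not the port by itself, since a builder-generated sample could use a different port. Tune the tolerance and threshold against your own sensor's byte accounting before relying on it.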
Its targets are typical for this malware class: browser passwords, cookies, browsing history, stored payment cards, data from Telegram, Discord, and Steam, cryptocurrency wallet applications and extensions, as well as documents. Desktop screenshots are also supported.
The report further highlights that the stealer leverages a built-in executable component to bypass Chrome’s App-Bound Encryption, introduced in July 2024 and already under attack by other active stealers. Configuration options also include excluding systems located in CIS countries and introducing a delayed execution phase to confuse victims with a period of apparent inactivity.
No large-scale distribution of SantaStealer has yet been observed, leaving its delivery mechanisms uncertain. Rapid7 considers scenarios involving ClickFix—where victims are persuaded to paste malicious commands into the Windows terminal—as well as more traditional vectors such as phishing campaigns, pirated software, torrents, malvertising, and deceptive YouTube comments.
As basic defensive measures, Rapid7 advises scrutinizing links and attachments in unexpected emails and avoiding executing unverified code from public repositories when installing extensions.