- SantaStealer targets browsers, wallets, email apps, documents and desktop screenshots
- Fourteen modules extract data simultaneously through separate execution threads
- Configurable execution delays are used to reduce immediate user suspicion
Experts have warned of a new strain of malware dubbed SantaStealer, which offers information theft capabilities via a malware-as-a-service model.
According to Rapid7 researchers (via BleepingComputer), the operation is a rebranded version of BluelineStealer, whose activity has been traced to Telegram channels and underground forums.
Access is sold via monthly subscriptions priced at $175 and $300, placing the tool within the reach of lower-level cybercriminals rather than advanced operators.
SantaStealer Threat
SantaStealer is built around fourteen separate data collection modules, each running in its own execution thread, which extract browser credentials, cookies, browsing history, stored payment details, messaging application data, cryptocurrency wallet information, and some local documents.
The stolen data is written directly to memory, compressed into ZIP archives, and transmitted to a hard-coded command and control server via port 6767 in 10 MB segments.
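The exfiltration pattern described above (a hard-coded C2 on port 6767, data sent in 10 MB segments) lends itself to a simple network-side check. The following is an added detection example, not Rapid7's code or anything from the malware itself: it scans constructed Zeek-style conn.log lines for hosts sending roughly 10 MB uploads to a single endpoint on TCP 6767. The field layout, the sample records and the 10% size tolerance are assumptions.

```python
from collections import defaultdict

C2_PORT = 6767
SEGMENT_BYTES = 10 * 1024 * 1024
TOLERANCE = 0.10  # assumption: allow +/-10% jitter around a 10 MB segment

# Constructed Zeek-style conn.log sample (tab-separated):
# ts, src_ip, src_port, dst_ip, dst_port, proto, orig_bytes
SAMPLE_CONN_LOG = """\
1733900000.1\t10.0.0.5\t51022\t203.0.113.7\t6767\ttcp\t10485760
1733900012.4\t10.0.0.5\t51023\t203.0.113.7\t6767\ttcp\t10485760
1733900024.9\t10.0.0.5\t51024\t203.0.113.7\t6767\ttcp\t3145728
1733900030.0\t10.0.0.9\t44010\t198.51.100.2\t443\ttcp\t10485760
1733900031.0\t10.0.0.12\t40100\t203.0.113.9\t6767\ttcp\t512
"""


def parse_conn_log(text):
    """Yield one dict per non-empty log line using the field order above."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, proto, obytes = line.split("\t")
        yield {"ts": float(ts), "src": src, "dst": dst,
               "dport": int(dport), "proto": proto, "orig_bytes": int(obytes)}


def is_full_segment(n):
    """True if an upload is about one full 10 MB segment."""
    return abs(n - SEGMENT_BYTES) <= SEGMENT_BYTES * TOLERANCE


def find_exfil_candidates(text, min_full_segments=1):
    """Group TCP flows to C2_PORT by (src, dst) and keep groups with enough
    full-size segments. The final chunk of an archive is normally smaller
    than 10 MB, so it adds to total_bytes but not to full_segments."""
    groups = defaultdict(lambda: {"full_segments": 0, "total_bytes": 0, "flows": 0})
    for rec in parse_conn_log(text):
        if rec["proto"] != "tcp" or rec["dport"] != C2_PORT:
            continue
        g = groups[(rec["src"], rec["dst"])]
        g["flows"] += 1
        g["total_bytes"] += rec["orig_bytes"]
        if is_full_segment(rec["orig_bytes"]):
            g["full_segments"] += 1
    return {k: v for k, v in groups.items() if v["full_segments"] >= min_full_segments}


if __name__ == "__main__":
    for (src, dst), s in find_exfil_candidates(SAMPLE_CONN_LOG).items():
        print(f"{src} -> {dst}:{C2_PORT}: {s['flows']} flows, "
              f"{s['full_segments']} full segments, {s['total_bytes']} bytes")
```

The tiny 512-byte flow to port 6767 is deliberately not flagged; a port match alone is weak evidence, while repeated uploads sized to the reported segment length are the stronger signal.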
The malware is also capable of capturing desktop screenshots while running and includes a built-in executable designed to bypass Chrome’s App Bound Encryption, a protection introduced in mid-2024.
This bypass technique has already been observed in other active information theft campaigns. Additional configuration options allow operators to delay execution, creating an artificial window of inactivity that can reduce immediate suspicion.
SantaStealer can also be configured to avoid systems located in the Commonwealth of Independent States region, a restriction commonly seen in malware developed by Russian-speaking actors.
At present, SantaStealer does not appear to be widely distributed, and researchers have not observed a large-scale campaign.
However, analysts note that recent threat activity favors ClickFix attacks, in which users are tricked into pasting malicious commands into Windows terminals.
Other likely infection vectors include phishing emails, pirated software installers, torrent downloads, malvertising campaigns, and misleading comments on YouTube.
Firewall protection alone is unlikely to prevent these social engineering-based entry points.
Antivirus detection remains effective against currently observed samples, and malware removal tools are capable of cleaning affected systems during controlled testing.
SantaStealer currently seems more notable for its marketing than its technical maturity, although further development could change its impact.