SantaStealer-BluelineStealer alliance reshapes ransomware ecosystem operations
Threat Actor Meta
Summary
SantaStealer has been rebranded from BluelineStealer and is being readied for a planned launch before the end of the year, signaling a shift in the malware ecosystem from development to commercialization. The operation matters because it pairs a Russian-speaking developer with a malware-as-a-service model, broadening potential access for criminal customers. Its public promotion on Telegram and hacker forums suggests an attempt to build market demand ahead of release.
Related Happenings
SantaStealer pre-launch memory-resident information stealer
Malware Activity
First: 16.12.2025 00:43
Last: 16.12.2025 00:43
Sources 1
How related:
A new malware-as-a-service (MaaS) information stealer named SantaStealer is being advertised on Telegram and hacker forums as operating in memory to avoid file-based detection.
About this happening:
The **SantaStealer** malware-as-a-service has surfaced as a **pre-launch infostealer** that can harvest **browser, chat, crypto-wallet, and document data**, raising theft risk for...
Timeline
16.12.2025 00:43 · 2 articles
SantaStealer rebrand and prelaunch promotion
Initial Disclosure: Rapid7 says SantaStealer is a new malware-as-a-service information stealer advertised on Telegram and hacker forums, and that it is a rebranding of BluelineStealer being prepared for a planned launch before the end of the year. The operation is linked to a Russian-speaking developer and is sold with Basic and Premium subscriptions at $175/month and $300/month. Rapid7's analysis found 14 data-collection modules that run in memory; steal browser, Telegram, Discord, Steam, cryptocurrency wallet, and document data; take desktop screenshots; archive stolen data into ZIP files; and exfiltrate it in 10MB chunks to a hardcoded C2 endpoint on port 6767. The samples also include an embedded executable to bypass Chrome's App-Bound Encryption protections.
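The chunked exfiltration described above gives defenders a network-side pattern to hunt for. The following is an added example (not Rapid7's tooling or anything from the original report): it parses constructed flow records, assumed to be in a `ts,src,dst,dport,bytes_out` format, and flags peers that receive repeated uploads of roughly 10MB; the 5% tolerance, the minimum chunk count and the sample records are all assumptions, and port 6767 only raises severity because an operator can change a port far more easily than a chunking scheme.

```python
"""Flag hosts that upload data in repeated ~10 MB chunks (added detection example)."""
from collections import defaultdict

CHUNK_BYTES = 10 * 1024 * 1024   # nominal 10MB chunk reported for SantaStealer
TOLERANCE = 0.05                 # assumed: accept chunks within 5% (covers 10,000,000 too)
SUSPECT_PORT = 6767              # hardcoded C2 port from the Rapid7 analysis
MIN_CHUNKS = 3                   # assumed threshold: repeated chunks, not one large upload

# Constructed flow records (not real telemetry): ts,src,dst,dport,bytes_out
SAMPLE_FLOWS = """\
2025-12-16T00:43:01,10.0.0.5,203.0.113.10,6767,10485760
2025-12-16T00:43:03,10.0.0.5,203.0.113.10,6767,10485760
2025-12-16T00:43:05,10.0.0.5,203.0.113.10,6767,10485760
2025-12-16T00:43:07,10.0.0.5,203.0.113.10,6767,3145728
2025-12-16T00:44:00,10.0.0.7,198.51.100.20,443,10485760
2025-12-16T00:45:00,10.0.0.9,198.51.100.30,8443,10400000
2025-12-16T00:45:02,10.0.0.9,198.51.100.30,8443,10400000
2025-12-16T00:45:04,10.0.0.9,198.51.100.30,8443,10400000
"""


def parse_flows(text):
    """Parse the constructed CSV-style records into dicts."""
    rows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, nbytes = line.split(",")
        rows.append({"ts": ts, "src": src, "dst": dst,
                     "dport": int(dport), "bytes": int(nbytes)})
    return rows


def is_chunk_sized(nbytes):
    """True when an upload is within TOLERANCE of the nominal chunk size."""
    return abs(nbytes - CHUNK_BYTES) <= CHUNK_BYTES * TOLERANCE


def find_chunked_uploads(flows, min_chunks=MIN_CHUNKS):
    """One alert per (src, dst, dport) with at least min_chunks chunk-sized uploads.
    The size pattern alone alerts at medium severity; the known port raises it."""
    counts = defaultdict(int)
    for f in flows:
        if is_chunk_sized(f["bytes"]):
            counts[(f["src"], f["dst"], f["dport"])] += 1
    alerts = []
    for (src, dst, dport), n in sorted(counts.items()):
        if n >= min_chunks:
            sev = "high" if dport == SUSPECT_PORT else "medium"
            alerts.append({"src": src, "dst": dst, "dport": dport,
                           "chunks": n, "severity": sev})
    return alerts


if __name__ == "__main__":
    for alert in find_chunked_uploads(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```

On the constructed records this yields a high-severity alert for the 6767 peer and a medium one for the 8443 peer, while the single 10MB transfer over 443 is ignored.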
Sources
- New SantaStealer malware steals data from browsers, crypto wallets — www.bleepingcomputer.com — 16.12.2025 00:43