SantaStealer Malware-as-a-Service Targets Browsers and Crypto Wallets
Summary
A new malware-as-a-service (MaaS) named SantaStealer is being advertised on Telegram and hacker forums. Developed by a Russian-speaking actor, it is a rebranded version of BluelineStealer. The malware steals data from browsers, cryptocurrency wallets, and other applications, operating in memory to avoid file-based detection. Despite claims of advanced evasion techniques, samples analyzed by Rapid7 reveal poor operational security and incomplete development. SantaStealer uses 14 data-collection modules to exfiltrate information via a hardcoded C2 endpoint. The malware is not yet fully operational, but its planned distribution methods include ClickFix attacks, phishing, pirated software, and malvertising.
Timeline
- 16.12.2025 00:43 · 1 article · 19h ago
  SantaStealer Malware-as-a-Service Advertised Ahead of Launch
  SantaStealer, a new malware-as-a-service, is being advertised on Telegram and hacker forums. Developed by a Russian-speaking actor, it is a rebranded version of BluelineStealer. The malware targets browsers, cryptocurrency wallets, and other applications, using 14 data-collection modules to exfiltrate information. Rapid7's analysis revealed poor operational security, with unencrypted strings and leaked samples. The malware is not yet fully operational, but its planned distribution methods include ClickFix attacks, phishing, pirated software, and malvertising.
  - New SantaStealer malware steals data from browsers, crypto wallets — www.bleepingcomputer.com — 16.12.2025 00:43
Information Snippets
- SantaStealer is a rebranding of BluelineStealer, developed by a Russian-speaking actor.
  First reported: 16.12.2025 00:43 · 1 source, 1 article
  - New SantaStealer malware steals data from browsers, crypto wallets — www.bleepingcomputer.com — 16.12.2025 00:43
- The malware operates in memory to avoid file-based detection and uses 14 distinct data-collection modules.
  First reported: 16.12.2025 00:43 · 1 source, 1 article
  - New SantaStealer malware steals data from browsers, crypto wallets — www.bleepingcomputer.com — 16.12.2025 00:43
- SantaStealer targets browser data, Telegram, Discord, Steam, cryptocurrency wallets, and documents.
  First reported: 16.12.2025 00:43 · 1 source, 1 article
  - New SantaStealer malware steals data from browsers, crypto wallets — www.bleepingcomputer.com — 16.12.2025 00:43
- The malware exfiltrates data in 10MB chunks via port 6767 to a hardcoded C2 endpoint.
  First reported: 16.12.2025 00:43 · 1 source, 1 article
  - New SantaStealer malware steals data from browsers, crypto wallets — www.bleepingcomputer.com — 16.12.2025 00:43
- Rapid7 analyzed samples and found poor operational security, with unencrypted strings and leaked samples.
  First reported: 16.12.2025 00:43 · 1 source, 1 article
  - New SantaStealer malware steals data from browsers, crypto wallets — www.bleepingcomputer.com — 16.12.2025 00:43
- SantaStealer can bypass Chrome’s App-Bound Encryption protections introduced in July 2024.
  First reported: 16.12.2025 00:43 · 1 source, 1 article
  - New SantaStealer malware steals data from browsers, crypto wallets — www.bleepingcomputer.com — 16.12.2025 00:43
- The malware offers configuration options to exclude systems in the CIS region and delay execution.
  First reported: 16.12.2025 00:43 · 1 source, 1 article
  - New SantaStealer malware steals data from browsers, crypto wallets — www.bleepingcomputer.com — 16.12.2025 00:43
- Planned distribution methods include ClickFix attacks, phishing, pirated software, and malvertising.
  First reported: 16.12.2025 00:43 · 1 source, 1 article
  - New SantaStealer malware steals data from browsers, crypto wallets — www.bleepingcomputer.com — 16.12.2025 00:43