
SantaStealer pre-launch memory-resident information stealer

Malware Activity
Happening score (H score): 21
1 unique source, 1 article

Summary


The SantaStealer malware-as-a-service has surfaced as a pre-launch infostealer that can harvest browser, chat, crypto-wallet, and document data, raising theft risk for would-be victims. It is being marketed on Telegram and hacker forums as memory-resident to reduce file-based detection. The operation is also tied to a planned rollout before the end of the year and includes multiple data-theft modules plus a hardcoded C2 path.

Related Happenings

CrystalRAT Telegram-promoted malware-as-a-service

Malware Activity
First: 02.04.2026 02:17 Last: 02.04.2026 02:17 Sources 1

About this happening: The **CrystalRAT** malware-as-a-service is being promoted on **Telegram** and **YouTube** with **remote access**, **data theft**, **keylogging**, and **clipboard hijacking**, incr...

SantaStealer-BluelineStealer alliance reshapes ransomware ecosystem operations

Threat Actor Meta
First: 16.12.2025 00:43 Last: 16.12.2025 00:43 Sources 1

How related: According to security researchers at Rapid7, the operation is a rebranding of a project called BluelineStealer, and the developer is ramping up the operation ahead of a planned launch before the end of the year.

About this happening: **SantaStealer** has been **rebranded from BluelineStealer** and is being readied for a **planned launch before the end of the year**, signaling a shift in the malware ecosystem f...

Vidar Stealer 2.0 data-theft and evasion upgrade

Malware Activity
First: 22.10.2025 01:26 Last: 22.10.2025 01:26 Sources 1

About this happening: The release of **Vidar Stealer 2.0** is likely to increase infections because the malware now steals data faster and evades detection more effectively. The new build is a major re...

XenoRAT delivery and persistence activity

Malware Activity
First: 18.08.2025 22:38 Last: 18.08.2025 22:38 Sources 1

About this happening: **XenoRAT** is being dropped through **password-protected .ZIP archives** that hide a **.LNK** shortcut and use **obfuscated PowerShell** to fetch the payload, making delivery har...

Timeline

  1. 16.12.2025 00:43 2 articles · 5mo ago

    SantaStealer pre-launch malware disclosure and analysis

    Initial Disclosure

    SantaStealer emerged as a new MaaS information stealer advertised on Telegram and hacker forums as memory-resident, with evidence that it is a rebranding of BluelineStealer and is being prepared for a planned launch before the end of the year. The current samples show 14 data-collection modules; browser, Telegram, Discord, Steam, crypto-wallet, and document collection; screenshot capture; ZIP packaging; and exfiltration to a hardcoded C2 endpoint on port 6767. They also include an embedded executable to bypass Chrome’s App-Bound Encryption protections.
