👤 HEXSENTINEL
🗓️ 16 Dec 2025  

Cybercriminals Deck the Halls: “SantaStealer” Malware Targets Your Wallets, Passwords, and Privacy

A new malware-as-a-service, SantaStealer, emerges from the shadows - promising mass data theft while exposing its own operational weaknesses.

It’s not the kind of gift you want in your digital stocking: a newly discovered malware operation, dubbed SantaStealer, is making waves on underground forums and Telegram channels. While its operators boast about undetectable credential theft and advanced features, cybersecurity researchers have poked holes in its holiday cheer - revealing operational slip-ups that may give defenders the upper hand, for now.

The New Wave of Malware-as-a-Service

SantaStealer exemplifies the growing trend of “malware-as-a-service” (MaaS), where cybercriminals rent out ready-made attack tools to affiliates. Promoted as a successor to “BluelineStealer,” SantaStealer is scheduled for a broader release by the end of 2025. The malware’s operators advertise it as “fully undetectable,” written in C, and armed with a custom polymorphic engine - features meant to lure buyers seeking fresh ways to bypass antivirus defenses.

But the reality is less impressive. Rapid7 Labs researchers, who first spotted SantaStealer in December 2025, found that leaked samples contain more than 500 function names and a trove of plaintext configuration data. These lapses make the malware unusually visible to security tools, contrary to its marketing hype.

How SantaStealer Works

Once deployed - typically via phishing links, malicious attachments, or pirated software - the malware springs into action entirely in memory, leaving few artifacts on disk. Its modular design includes specialized routines for stealing data from browsers (especially Chromium-based ones), messaging apps like Telegram and Discord, and online gaming platforms such as Steam. The malware can also harvest screenshots, environment variables, and autofill data, compressing everything into encrypted ZIP files and sending them to remote servers over unencrypted HTTP.

SantaStealer’s technical tricks include bypassing browser encryption with an embedded executable based on the open-source ChromElevator project, and deploying anti-analysis tactics like checking for virtual machines or suspicious system setups. Notably, it avoids running on systems with Russian-language keyboards - hinting at the operators’ ties to the Commonwealth of Independent States.

Criminal Ambitions, Amateur Mistakes

SantaStealer’s operators offer a slick web panel for affiliates, with tiered pricing and build customization. But their lack of operational security - such as releasing development builds with unencrypted code and hardcoded server addresses - has handed defenders a head start. For now, security teams can easily flag SantaStealer using the very clues left behind by its creators.
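As an added illustration (not code from the article or from Rapid7), here is a small Python triage helper that turns the two clues named here and in the Rapid7 finding above, plaintext function names and hardcoded server addresses, into a simple flagging check. The byte blob, the keyword map and the symbol threshold are all constructed for the example and stand in for a leaked development build.

```python
import re

# Constructed stand-in for a leaked development build: an opaque blob that
# still carries plaintext routine names and a hardcoded server address.
# Not a real sample; every value here is made up for this example.
SAMPLE_BUILD = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"steal_chromium_cookies\x00steal_chromium_autofill\x00"
    + b"steal_telegram_session\x00steal_discord_tokens\x00"
    + b"steal_steam_config\x00capture_screenshot\x00collect_env_vars\x00"
    + b"http://203.0.113.10/gate.php\x00"
    + b"\x7f\x13\x37\x00" * 8
)

ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")          # printable runs, 6+ chars
URL_RE = re.compile(r"https?://[\w.-]+(?::\d+)?(?:/[\w./-]*)?")
SYMBOL_RE = re.compile(r"[a-z]+(?:_[a-z0-9]+)+")      # snake_case routine names

# Hypothetical keyword map: which data categories a routine name hints at,
# matching the module targets the article describes.
TARGET_HINTS = {
    "browser": ("chrom", "cookie", "autofill"),
    "messaging": ("telegram", "discord"),
    "gaming": ("steam",),
    "host": ("screenshot", "env_"),
}

def extract_strings(blob: bytes) -> list[str]:
    """Return printable ASCII runs, the way a strings(1) pass would."""
    return [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]

def triage(blob: bytes, symbol_threshold: int = 5) -> dict:
    """Flag a build whose plaintext symbols or hardcoded endpoints give it away."""
    strings = extract_strings(blob)
    symbols = [s for s in strings if SYMBOL_RE.fullmatch(s)]
    endpoints = [u for s in strings for u in URL_RE.findall(s)]
    plain_http = [u for u in endpoints if u.startswith("http://")]
    joined = " ".join(symbols)
    targets = sorted(k for k, hints in TARGET_HINTS.items()
                     if any(h in joined for h in hints))
    return {
        "symbol_count": len(symbols),
        "endpoints": endpoints,
        "plain_http": plain_http,     # exfil channel without TLS, as described
        "targets": targets,
        # Either clue alone is enough to flag the build for closer review.
        "flagged": len(symbols) >= symbol_threshold or bool(endpoints),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_BUILD))
```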

Experts recommend vigilance: never run untrusted files, beware of social engineering tricks and dubious downloads, and keep endpoint protection updated with the latest threat indicators.


HEXSENTINEL
Binary & Malware Analyst