Malware | December 19, 2025 | 4 min read

SantaStealer Malware-as-a-Service Launches Just in Time for the Holidays

Russian-developed infostealer now production-ready after December 16 release, targets browser credentials, crypto wallets, and messaging apps for $175/month.

James Rivera

A new malware-as-a-service infostealer has entered the cybercrime marketplace with holiday-themed branding and an ambitious feature set. SantaStealer, released on December 16, 2025, offers cybercriminals a turnkey credential and cryptocurrency theft platform for as little as $175 per month—just in time to capitalize on increased online shopping and financial activity during the holiday season.

TL;DR

  • What happened: New Russian-developed infostealer "SantaStealer" launched on Telegram and hacker forums
  • Who's affected: Windows users targeted for browser credentials, crypto wallets, and messaging app data
  • Severity: Medium - commodity malware with broad targeting capabilities
  • Action required: Avoid unverified downloads, enable MFA everywhere, use hardware security keys for crypto

What is SantaStealer?

SantaStealer is a modular Windows infostealer advertised through Russian Telegram channels and the Lolz hacker forum. Rapid7 Labs identified the malware in early December 2025 when samples triggered detection rules typically associated with the Raccoon stealer family.

Open source intelligence suggests SantaStealer is a rebranding of BluelineStealer, with the developers pivoting to seasonal marketing. The malware reached production-ready status on December 16, 2025, when the official Telegram channel announced general availability.

Pricing Structure

  • Basic subscription: $175/month
  • Premium subscription: $300/month

The sources do not itemize what the premium tier adds; in comparable malware-as-a-service offerings the higher price typically buys extra modules, priority support, or build customization.

How SantaStealer Works

SantaStealer runs 14 distinct data-collection modules, each in its own thread, so the collection phases execute in parallel and the window between execution and exfiltration is short. The modules target:

Browser Data

  • Saved passwords and autofill data
  • Cookies and session tokens
  • Browsing history
  • Saved credit card information

The malware ships an embedded helper executable to get around Chrome's App-Bound Encryption, which ties the key protecting the browser's cookie and credential store to a privileged Chrome service that verifies the caller, so an ordinary user-mode process cannot decrypt the data on its own. Bundling a bypass shows the developers are tracking current browser defences, and it means browser-side protections alone should not be relied on to keep saved credentials out of reach.

Cryptocurrency Wallets

Both wallet applications and browser extensions are targeted, including popular options like MetaMask, Exodus, and Atomic Wallet.

Messaging Applications

  • Telegram session data
  • Discord tokens
  • Steam credentials

Additional Capabilities

  • Desktop screenshots capturing current activity
  • Document theft from common locations

Exfiltration Method

Stolen data is collected in memory rather than staged on disk, packed into a ZIP archive, and uploaded in 10MB chunks to a hardcoded command-and-control address on port 6767. Chunking keeps each upload under the single-transfer volume thresholds some monitoring relies on, but a burst of near-equal-size uploads from one host to a hardcoded IP on an uncommon port is itself a distinctive pattern for flow-based detection.
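The detection angle described above, as an added example written for this article (not Rapid7 tooling and not malware code): group connection records by source and destination, look for repeated uploads that cluster around one size, and separately flag the reported C2 port. The log layout and byte counts are constructed; the addresses are from documentation ranges, and only port 6767 and the roughly 10MB chunk size come from the article.

```python
"""Flag chunked exfiltration in connection logs: repeated, near-equal-size
uploads from one internal host to one destination, with an extra hit when
the destination port is on a watch list.

Added example for this article; not Rapid7 tooling or malware code."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample records in a Zeek conn.log-like layout, tab-separated:
# ts, src_ip, src_port, dst_ip, dst_port, proto, orig_bytes (uploaded), resp_bytes.
# Addresses are from documentation ranges; port 6767 and the ~10 MB chunk
# size come from the article, the exact byte counts are made up.
SAMPLE_FLOWS = """\
1765900000.1\t10.0.0.5\t51000\t203.0.113.10\t6767\ttcp\t10485760\t210
1765900003.4\t10.0.0.5\t51001\t203.0.113.10\t6767\ttcp\t10485760\t208
1765900007.9\t10.0.0.5\t51002\t203.0.113.10\t6767\ttcp\t10485760\t211
1765900011.2\t10.0.0.5\t51003\t203.0.113.10\t6767\ttcp\t3901222\t205
1765900012.0\t10.0.0.5\t51004\t192.0.2.44\t443\ttcp\t1320\t88421
1765900015.5\t10.0.0.7\t49222\t198.51.100.9\t443\ttcp\t52000000\t1200
1765900020.0\t10.0.0.7\t49223\t198.51.100.9\t443\ttcp\t10000000\t400
1765900021.0\t10.0.0.7\t49224\t198.51.100.9\t443\ttcp\t10000000\t400
1765900022.0\t10.0.0.7\t49225\t198.51.100.9\t443\ttcp\t10000000\t400
"""

WATCHED_PORTS = {6767}   # hardcoded C2 port reported for SantaStealer
MIN_UPLOAD = 1_000_000   # ignore flows below this when looking for chunks
MIN_REPEATS = 3          # this many near-equal large uploads to one dst = chunking
TOLERANCE = 0.05         # sizes within 5% of each other count as equal


@dataclass
class Flow:
    ts: float
    src: str
    dst: str
    dport: int
    orig_bytes: int


def parse_flows(text):
    """Parse the tab-separated layout above into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, _sport, dst, dport, _proto, orig, _resp = line.split("\t")
        flows.append(Flow(float(ts), src, dst, int(dport), int(orig)))
    return flows


def dominant_size(sizes, tolerance=TOLERANCE):
    """Return (count, reference_size) for the size most uploads cluster around.
    A fixed chunk size shows up as many uploads within tolerance of one value;
    a trailing partial chunk simply falls outside the cluster."""
    best = (0, 0)
    for ref in sizes:
        n = sum(1 for s in sizes if abs(s - ref) <= tolerance * ref)
        if n > best[0]:
            best = (n, ref)
    return best


def find_chunked_exfil(flows, watched_ports=WATCHED_PORTS, min_repeats=MIN_REPEATS):
    """Group flows by (src, dst) and return one alert dict per suspicious pair."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append(f)

    alerts = []
    for (src, dst), fs in by_pair.items():
        ports = {f.dport for f in fs}
        large = [f.orig_bytes for f in fs if f.orig_bytes >= MIN_UPLOAD]
        repeats, ref = dominant_size(large)
        reasons = []
        if ports & watched_ports:
            reasons.append(f"watched port {sorted(ports & watched_ports)}")
        if repeats >= min_repeats:
            reasons.append(f"{repeats} near-equal uploads of ~{ref / 1e6:.1f} MB")
        if reasons:
            alerts.append({
                "src": src,
                "dst": dst,
                "total_upload_bytes": sum(f.orig_bytes for f in fs),
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_chunked_exfil(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```

In the sample the first host trips both rules; the second host (three 10MB uploads to a 443 destination) trips only the size-repeat rule, which is the point: multipart uploads to legitimate cloud storage or backup services look the same on the wire, so the repeat rule needs an allow list of known sync destinations in production, while the watched-port rule is cheap and specific to the reported C2.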

Attribution and Developer Profile

Multiple indicators point to Russian-speaking developers:

  1. Distribution channels - Telegram and Lolz forum are popular in Russian-speaking cybercrime communities
  2. Domain registration - The web panel uses a .su top-level domain, the legacy Soviet Union country code that remains in use
  3. Victim exclusions - The stealer can be configured to skip Russian-speaking victims
  4. Language analysis - Telegram channel communications and code comments suggest native Russian speakers

Why This Matters

Despite holiday-themed marketing gimmicks, SantaStealer represents the continued commoditization of credential theft capabilities. The malware-as-a-service model lowers barriers to entry for aspiring cybercriminals, enabling anyone with cryptocurrency to purchase turnkey data theft infrastructure.

The timing of the release—just before peak holiday shopping season—appears deliberate. Increased online transactions, gift card purchases, and cryptocurrency activity create more opportunities for credential theft to yield immediate financial returns.

Detection Reality

Despite developer claims that SantaStealer is "particularly stealthy and hard to detect," Rapid7 researchers found the opposite: "The samples we have seen until now are far from undetectable, or in any way difficult to analyze."

The configuration, including the C2 IP address, is stored in plain text inside the executable, so indicators can be recovered with basic string extraction and pushed to blocklists; security teams do not need to defeat packing or runtime decryption to track builds.
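The kind of first-pass static triage that a plaintext configuration allows, as an added example for this article (not Rapid7 tooling): pull candidate IPv4 addresses, host:port pairs, URLs and any embedded JSON object out of a binary image. The sample blob is constructed, including the filler bytes, the version-string decoy and the config values, and is not a real SantaStealer sample; the 6767 port is the only value taken from the article.

```python
"""First-pass static triage: recover plaintext indicators (IPv4 addresses,
host:port pairs, URLs and embedded JSON config) from a binary image.

Added example for this article, not Rapid7 tooling; the sample blob below is
constructed, with filler bytes, a version-string decoy and an invented
config, and is not a real SantaStealer sample."""
import json
import re

SAMPLE_BINARY = (
    b"MZ\x90\x00" + bytes(range(256)) * 4
    + b"\x00Build version 10.0.19041.1208\x00"      # decoy: dotted number, not an IP
    + b'{"c2":"198.51.100.23","port":6767,"build":"demo-build",'
    b'"panel":"http://example-panel.su/gate"}\x00'
    + b"\xff" * 300
    + b"Connecting to 203.0.113.55:6767\x00"
    + b"\x00\x01\x02" * 50
)

# Dotted quad not embedded in a longer dotted-number run, with optional :port.
IPV4_RE = re.compile(rb"(?<![\d.])((?:\d{1,3}\.){3}\d{1,3})(?::(\d{1,5}))?(?![\d.])")
URL_RE = re.compile(rb"https?://[^\s\"'<>\x00-\x1f\x7f-\xff]+")


def valid_ipv4(text):
    parts = text.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


def extract_strings(blob, min_len=8):
    """Runs of printable ASCII, like the `strings` utility."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group(0).decode("ascii") for m in pattern.finditer(blob)]


def extract_ipv4(blob):
    """Sorted (ip, port_or_None) pairs; the octet check drops version strings."""
    found = set()
    for m in IPV4_RE.finditer(blob):
        ip = m.group(1).decode("ascii")
        if not valid_ipv4(ip):
            continue
        port = int(m.group(2)) if m.group(2) else None
        if port is not None and not 0 < port <= 65535:
            port = None
        found.add((ip, port))
    return sorted(found, key=lambda t: (t[0], t[1] or 0))


def extract_urls(blob):
    return sorted({m.group(0).decode("ascii") for m in URL_RE.finditer(blob)})


def extract_json_configs(blob):
    """Any printable run whose outermost braces parse as a JSON object."""
    configs = []
    for s in extract_strings(blob):
        start, end = s.find("{"), s.rfind("}")
        if start == -1 or end <= start:
            continue
        try:
            obj = json.loads(s[start:end + 1])
        except ValueError:
            continue
        if isinstance(obj, dict):
            configs.append(obj)
    return configs


def triage(blob):
    """Collect every indicator type into one dict a blocklist could consume."""
    ips = extract_ipv4(blob)
    configs = extract_json_configs(blob)
    ports = {p for _, p in ips if p}
    ports |= {c["port"] for c in configs if isinstance(c.get("port"), int)}
    return {"ips": ips, "ports": sorted(ports), "urls": extract_urls(blob), "configs": configs}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_BINARY), indent=2))
```

The octet check and the lookaround on the IPv4 pattern are what keep a Windows build number like 10.0.19041.1208 out of the indicator list; this is exactly the step that stops working once a stealer starts encrypting or packing its config, which is why the plaintext storage noted above is a gift to defenders for as long as it lasts.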

Recommended Mitigations

  1. Verify download sources - Only install software from official sources; avoid pirated software, game cheats, and unverified plugins
  2. Enable MFA everywhere - Multi-factor authentication stops a stolen password alone from granting access. Infostealers also take cookies and session tokens, which can be replayed without a password or second factor, so MFA needs to be paired with session revocation after any suspected compromise
  3. Use hardware security keys - For cryptocurrency and high-value accounts, hardware keys provide the strongest protection against phished or stolen credentials
  4. Browser security hygiene - Don't rely on browser-saved passwords; use a dedicated password manager with a vault that locks when not in use
  5. Monitor for suspicious activity - Watch for unexpected login notifications, new sessions or devices, and account changes
  6. Keep systems updated - Ensure Windows and browsers have the latest security patches

Frequently Asked Questions

How does SantaStealer spread? Like most infostealers, distribution likely occurs through phishing emails, malicious downloads disguised as legitimate software, fake CAPTCHA pages directing users to run commands, and compromised websites serving drive-by downloads.

Can antivirus detect SantaStealer? Yes—despite developer claims, the malware is not particularly evasive. Updated antivirus software and endpoint detection tools should identify known samples. However, fresh builds may temporarily evade signature-based detection.

What should I do if I suspect infection? Treat the system as compromised and rebuild it from a known-good image before using it again. From a clean device, change passwords for all accounts accessed from the affected system, starting with financial and email accounts, and sign out of all active sessions so that stolen cookies and session tokens stop working. Enable MFA where available, and monitor financial statements and credit reports for unauthorized activity.


Sources: Rapid7 Blog, BleepingComputer, The Register
