
SantaStealer Malware-as-a-Service Platform Exposed as Amateurish Ahead of Holiday Push

By: Joahn G
Last updated: December 17, 2025
  • A new Malware-as-a-Service (MaaS) offering named SantaStealer is expected to launch before 2025 ends, targeting multiple platforms that hold individuals' sensitive credentials.

  • The infostealer carries 14 configurable modules and leverages a known WinRAR vulnerability (CVE-2025-8088) to infiltrate systems.

  • Despite its “fully undetected” claims, security researchers show how easy the malware is to detect and analyze.

SantaStealer Malware Promises Holiday Havoc with Questionable Delivery

Bad actors are prepping for the holiday with a new present, SantaStealer, a malware-as-a-service platform. It is being heavily promoted and sold on Telegram and cybercrime hubs like Lolz (a dark-web forum), with its developers promising a sophisticated tool for hijacking credentials ranging from passwords to cryptocurrency wallets.

SantaStealer was previously known as BluelineStealer and is reportedly written entirely in the C programming language. Its purpose is to collect and exfiltrate sensitive data such as documents, crypto wallet data, credentials, and details from widely used programs like Steam and Discord. The developers are eager to deploy it ahead of 2026.

Not So Invisible After All

SantaStealer’s creators boldly claim their malware is “fully undetected” by security software. Rapid7’s investigation tells a very different story. The samples they obtained were easily detected and analyzed. The malware contained unstripped symbols and unencrypted strings that revealed significant details about how it actually works.

According to Rapid7’s assessment, it’s “ambitious” yet “amateurish,” given that it’s modular and still underdeveloped. Its final capabilities remain uncertain as the developers continue building it out.

The SantaStealer web panel offers two subscription tiers. The basic plan costs $175 per month. The premium plan runs $300 monthly and includes extra features like a crypto clipper tool and a polymorphic C engine to generate unique stubs. This pricing is typical for malware-as-a-service, which lets less-skilled bad actors obtain sophisticated tools at little cost.

Fourteen Ways to Steal Your Data

The web panel allows buyers to customize their malware builds. Users can input their own Telegram bot token for forwarding stolen data from the command-and-control server. They can also set up fake error pages to distract victims while the malware does its dirty work.

SantaStealer includes 14 different modules that users can activate or deactivate through simple checkboxes. Most modules focus on specific types of data. These include browser extension data, Google Chrome credentials, Discord tokens, and crypto-related files.

One notable option is a toggle to avoid infecting Commonwealth of Independent States (CIS) countries. If activated, the malware terminates itself when it detects a Russian keyboard layout. This is common among cybercriminals from those regions who want to avoid attention from local law enforcement.

Rapid7’s analysis revealed how SantaStealer actually operates. The malware performs basic anti-virtual machine checks first. Then it targets browser credentials before running its various modules. Each module runs in its own thread for efficiency.

The malware uses tooling, most likely the open-source ChromElevator tool, to bypass AppBound Encryption in Chromium-based browsers. This lets it access supposedly protected credential data.

Once all modules finish running, the collected files get written into a ZIP archive called Log.zip in the TEMP directory. This archive is then split into 10 MB chunks and sent to the hardcoded command-and-control server over unencrypted HTTP.
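As an added defender-side illustration (not part of the article or of Rapid7's research), the Python heuristic below runs over constructed endpoint log lines and flags a process that writes Log.zip under a Temp directory and then POSTs to a single destination in roughly 10 MB chunks over plain HTTP; the log format, host names, PIDs, IP address and size tolerance are all assumptions.

```python
"""Constructed endpoint log lines and a heuristic for the exfiltration flow
described above (assumed log format, not any real product's telemetry)."""
import re
from collections import defaultdict

CHUNK_BYTES = 10 * 1024 * 1024   # article: archive is split into 10 MB chunks
TOLERANCE = 0.05                 # assumption: sizes within 5% of 10 MB count as full

# Constructed sample lines (hosts, PIDs and the IP are made up). Two event kinds:
#   FILE <host> <pid> <path-written>
#   HTTP <host> <pid> POST <url> <bytes-sent>
SAMPLE_LOGS = """\
FILE host1 4321 C:\\Users\\alice\\AppData\\Local\\Temp\\Log.zip
HTTP host1 4321 POST http://203.0.113.10/upload 10485760
HTTP host1 4321 POST http://203.0.113.10/upload 10485760
HTTP host1 4321 POST http://203.0.113.10/upload 3145728
FILE host2 777 C:\\Users\\bob\\Downloads\\report.zip
HTTP host2 777 POST https://files.example.com/share 10485760
"""
FILE_RE = re.compile(r"^FILE (\S+) (\d+) (.+)$")
HTTP_RE = re.compile(r"^HTTP (\S+) (\d+) POST (\w+)://([^/\s]+)\S* (\d+)$")

def analyze(log_text):
    """Return sorted (host, pid) pairs whose behaviour matches the pattern."""
    temp_zip = set()                 # processes that wrote ...\Temp\Log.zip
    posts = defaultdict(list)        # (host, pid) -> [(scheme, dest, bytes)]
    for line in log_text.splitlines():
        m = FILE_RE.match(line)
        if m:
            host, pid, path = m.groups()
            p = path.lower()
            if "\\temp\\" in p and p.endswith("\\log.zip"):
                temp_zip.add((host, int(pid)))
            continue
        m = HTTP_RE.match(line)
        if m:
            host, pid, scheme, dest, size = m.groups()
            posts[(host, int(pid))].append((scheme, dest, int(size)))
    flagged = []
    for key in temp_zip:
        chunks = [c for c in posts.get(key, []) if c[0] == "http"]  # plain HTTP only
        if not chunks or len({c[1] for c in chunks}) != 1:           # single destination
            continue
        sizes = [c[2] for c in chunks]
        # every chunk but the last should be ~10 MB; the final one may be smaller
        full = all(abs(s - CHUNK_BYTES) <= CHUNK_BYTES * TOLERANCE for s in sizes[:-1])
        if full and sizes[-1] <= CHUNK_BYTES * (1 + TOLERANCE):
            flagged.append(key)
    return sorted(flagged)
```

The same process writing the archive and sending it is what makes the pattern specific; a Temp ZIP alone or a single large HTTPS upload (host2 above) is not flagged.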

The developers claim SantaStealer can collect and exfiltrate data within just 20 seconds. The malware’s feature list also notes it includes a WinRAR export builder. This specifically exploits the WinRAR path traversal vulnerability CVE-2025-8088.

Avoid the “Naughty List,” Experts Advise

Mimicking the Santa Claus theme, security researchers advise users on how to stay off Santa’s naughty list (that is, avoid a SantaStealer infection). Don’t rush to open email attachments or links, especially unfamiliar ones; this is a key medium for spreading infections. Rapid7 said in its blog post:

“Watch out for any fake human verifications or technical support manuals that ask you to run commands on your device this holiday season.”

In addition, never run any kind of “unverified code” from sources such as video game cheats, pirated tools, and unverified plugins or browser extensions.

The appearance of SantaStealer reflects the continuing commodification of cybercrime tooling. Even amateur developers can now create and monetize malware-as-a-service platforms. Although this threat may not be as sophisticated as advertised, it is still a major risk to users who fall for its delivery schemes.


About the Author

Joahn G

Cyber Threat Journalist

Joahn is a cyber threat journalist dedicated to tracking the evolving landscape of digital risks. His reporting focuses on ransomware gangs, data breach incidents, and state-sponsored cyber operations. By analyzing threat actor motives and tactics, he provides timely intelligence that helps readers understand and anticipate the security challenges of tomorrow.
