
A new Santa-themed infostealer was released into the wild on Tuesday, taking the concept of holiday shopping to an entirely new level. The “ready-to-go” Windows-targeting malware is now being offered for sale on Telegram and the dark web.
- SantaStealer, a new Windows infostealer sold via Telegram and dark web forums, is now live and targets Windows 7–11.
- The stealthy stealer runs entirely in memory to evade detection and is marketed with SaaS-style pricing, including a $1,000 lifetime plan.
- The malware steals credentials, wallets, and documents, signaling a growing, professionalized cybercrime economy ahead of the holidays.
Aptly named “SantaStealer” by the Russian cybercriminal outfit who created it, the “malware-as-a-service information stealer” was first identified by Rapid7 Labs earlier this week.
The threat researchers had first observed the hacker operation actively promoting the “still-in-development” malware on Telegram channels, underground hacker forums, and the Russian-language hacker forum "Lolz."
But now, Rapid7 says the “production-ready” SantaStealer has been officially released in the wild as of Tuesday, and is warning defenders to be on the lookout.
Ensar Seker, CISO at SOCRadar, says SantaStealer is “another reminder of how the threat landscape is evolving into a criminal SaaS economy.”
“What’s particularly concerning is the move toward memory-only operations; this significantly lowers the detection footprint, bypassing traditional AV and EDR tools,” Seker explains.
Can infect machines running Windows 7 through 11
Thought to be a rebrand of “BluelineStealer,” the malware-as-a-service (MaaS) information stealer is “a data theft program for Windows, developed in C,” the Russian threat actor boasted in a Telegram message sent to followers.
“It works without dependencies and is completely self-contained. The program runs on any Windows machine from version 7 to 11,” the message says, translated from Russian.
Once the target device is infected, the malware service is designed to “extract all valuable information,” and most importantly, “at an affordable price,” the threat actor states.
Seker says, “Attribution to a Russian-speaking developer, rebranding from BluelineStealer, and the use of Telegram for distribution all point to an increasingly professionalized cybercrime ecosystem.”
The CISO also notes that the pricing tiers and marketing model mimic legitimate software services, further lowering the barrier to entry for cybercriminals.
SantaStealer offers lifetime access
The gang offers three plans to choose from, including a basic tier for $175 per month and a premium plan for $300 per month. SantaStealer further advertises a lifetime plan, costing $1,000.
The affiliate pricing apparently includes “a web panel for creating, managing, and editing assemblies” and “logs that can be configured to be sent to Telegram or to a C2 server.”
Additionally, the service highlights the user's ability to configure modules to collect specific data and also select which modules to use, including the capability to configure the stealer to avoid targeting Russian-speaking victims and CIS nations, according to the blog.
This configurability is relatively uncommon among Russian-origin threat groups: the option to avoid CIS targets is typically not exposed to affiliates at all. Instead, the developers hardcode the exclusion directly into the malware, Rapid7 explains.
SantaStealer can collect hoards of data
Rapid7 describes the infostealer as capable of collecting and exfiltrating sensitive documents, credentials, digital wallets, and data from a broad range of applications.
What’s more, the researchers say it operates “entirely in-memory,” allowing the malware to evade file-based detection, one of its more sophisticated attributes.
Once the stolen data is exfiltrated from the device, it is “then compressed, split into 10 MB chunks, and sent to a C2 server over unencrypted HTTP,” Rapid7 says.
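Because the exfiltration pattern is described as fixed-size 10 MB chunks sent over plain HTTP to a C2 server addressed by IP, a defender can hunt for it in web proxy logs. The following is an added example, not Rapid7's code or an indicator from its report; the log format, the threshold of two full-size chunks, and the documentation IP addresses are all constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log lines (not real traffic). Assumed format:
# timestamp src_ip method url bytes_out status
SAMPLE_LOG = """\
2024-12-10T09:01:02Z 10.0.0.12 GET http://203.0.113.10/update 512 200
2024-12-10T09:01:05Z 10.0.0.12 POST http://203.0.113.10/upload 10485760 200
2024-12-10T09:01:09Z 10.0.0.12 POST http://203.0.113.10/upload 10485760 200
2024-12-10T09:01:14Z 10.0.0.12 POST http://203.0.113.10/upload 4194304 200
2024-12-10T09:02:00Z 10.0.0.20 POST https://files.example.com/api 10485760 200
2024-12-10T09:03:00Z 10.0.0.31 POST http://192.0.2.7/x 10485760 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+) (\d+)$")
BARE_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
CHUNK = 10 * 1024 * 1024  # reported chunk size: 10 MB

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, url, size, status = m.groups()
    return {"ts": ts, "src": src, "method": method, "url": url,
            "bytes_out": int(size), "status": int(status)}

def is_plain_http_to_ip(url):
    """True only for unencrypted HTTP whose host is a bare IPv4 address."""
    u = urlsplit(url)
    return u.scheme == "http" and BARE_IPV4.match(u.hostname or "") is not None

def find_chunked_exfil(log_text, min_full_chunks=2):
    """Flag (src, dest) pairs with >= min_full_chunks POST bodies of exactly the
    chunk size over plain HTTP to a bare IP; a smaller trailing POST is the
    remainder of a split upload and is counted in total_bytes only."""
    per_dest = defaultdict(list)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if not ev or ev["method"] != "POST" or not is_plain_http_to_ip(ev["url"]):
            continue
        per_dest[(ev["src"], urlsplit(ev["url"]).hostname)].append(ev["bytes_out"])
    findings = []
    for (src, host), sizes in per_dest.items():
        full = sum(1 for s in sizes if s == CHUNK)
        if full >= min_full_chunks:
            findings.append({"src": src, "dest": host, "full_chunks": full,
                             "total_bytes": sum(sizes)})
    return findings
```

Run against SAMPLE_LOG, only 10.0.0.12 is flagged: the HTTPS upload to a hostname and the single-chunk POST fall below the rule, which is the trade-off to tune against your own baseline of large plain-HTTP POSTs.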
Rapid7 says that by offering lifetime access, along with an extensive list of features advertised for its web panel, including “anti-analysis techniques, antivirus software bypasses, and deployment in government agencies or complex corporate networks,” the malware operators clearly have “ambitious plans” for the future.
Whether the threat actor can pull it off remains another question entirely, the researchers say.
The researchers note that other aspects of the malware, such as the stealer’s “anti-analysis and stealth capabilities advertised in the web panel,” are described as “very basic and amateurish, with only the third-party Chrome decryptor payload being somewhat hidden.”
How to protect against SantaStealer
To protect against the new SantaStealer, Rapid7 recommends that users:
- Pay attention to unrecognized links and e-mail attachments
- Watch out for fake human verification or technical support instructions, asking you to run commands on your computer.
- Avoid running any unverified code from sources such as pirated software, video game cheats, unverified plugins, or extensions.
Seker suggests that to further harden systems, “organizations should prioritize behavioral monitoring and memory analysis as part of their defense-in-depth strategy.”
The Rapid7 intel team also provides a full list of Indicators of Compromise (IOCs) and a technical analysis, which the researchers say is, at the moment, fairly straightforward, as the malware configuration and the C2 server IP address are embedded in the executable in plain text.
However, the researchers also note that this could change down the line if the threat actor chooses to add some form of “encryption, obfuscation, or anti-analysis techniques,” as can be observed in similar malware such as the recently upgraded and more persistent Vidar Stealer and LummaC2 variants.