SantaStealer Malware-as-a-Service

Rapid7 Labs has uncovered a new, actively developing Malware-as-a-Service (MaaS) threat known as "SantaStealer". Currently promoted via Telegram and underground forums (specifically the Russian-language forum Lolz), this malware is an evolution of the previously identified "BluelineStealer".

Threat alert
December 18, 2025

Despite its claims of stealth, early samples are unobfuscated, providing researchers with significant insight into its modular architecture and capabilities. The malware is designed to harvest credentials, cryptocurrency wallets, and sensitive documents, primarily targeting Windows environments.

SantaStealer has been identified as a direct rebrand of the BluelineStealer malware family. Technical analysis strongly indicates that the operators are Russian speakers, evidenced by the affiliate panel’s use of a .su (Soviet Union) top-level domain and specific configuration constraints designed to avoid targeting Commonwealth of Independent States (CIS) countries. The malware is currently being advertised and distributed through the Lolz hacker forum and a dedicated Telegram channel (t[.]me/SantaStealer).

The analysed samples appear as 64-bit DLLs or EXEs containing over 500 exported symbols. The developers have utilised several statically linked open-source libraries, including:

  • cJSON: For parsing JSON configurations.
  • miniz: For data compression (zlib replacement).
  • sqlite3: For database interfacing (crucial for browser data theft).

Execution Flow & Evasion

SantaStealer aims to operate largely in-memory to bypass file-based detection, though current samples still exhibit file-system artefacts.

  • CIS Check: Upon execution, the malware checks the system's keyboard layout. If a Russian layout is detected (and the anti_cis config is enabled), it drops a file named "CIS" and terminates.
  • Anti-Analysis/Anti-VM: The malware employs multiple checks before deploying its payload:
      • Scanning for blacklisted process names via a custom rolling checksum.
      • Checking for specific "analysis" directories (e.g., C:\analysis).
      • Detecting virtualisation services (e.g., OpenServiceA call for "VBoxGuest").
      • Performing time-based debugger checks.

Credential Theft & "ChromElevator"

A key feature of SantaStealer is its ability to bypass AppBound Encryption (ABE) in Chromium-based browsers.

  • Technique: It utilises a technique heavily based on the "ChromElevator" project.
  • Mechanism: The malware injects code into the target browser using direct syscall-based reflective process hollowing.
  • Encryption: The payload for this bypass is encrypted using ChaCha20 (using two pairs of 32-byte keys and 12-byte nonces).
  • Result: This allows the attacker to decrypt the browser's encryption keys and successfully exfiltrate stored passwords and cookies.

Exfiltration Protocol

Data exfiltration is currently unencrypted (HTTP), making network-level detection highly feasible.

  • Data Staging: Stolen data is compressed into a Log.zip file located in the Windows TEMP directory.
  • Chunking: The ZIP is split into 10 MB chunks.
  • Transmission: Data is sent via HTTP to a hardcoded C2 server on TCP port 6767.

Significant Network Indicators (HTTP Headers):

  • User-Agent: upload
  • Content-Type: multipart/form-data; boundary=----WebKitFormBoundary[...]
  • auth: [Unique Build ID]
  • w: [Traffic Source Tag]
  • complete: true (Sent only with the final chunk)

Mitigations

  • Port Blocking: Block outbound TCP traffic on port 6767 destined for unknown or non-business IP addresses.
  • Header Inspection: Configure Intrusion Detection Systems (IDS) or Web Application Firewalls (WAF) to alert on HTTP POST requests containing the header User-Agent: upload combined with the custom headers auth: and w:.

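As an added example (not code from the alert or from Rapid7), the header-inspection rule and the port check above expressed as detection logic run over constructed HTTP request heads; the C2 address, build ID and traffic-source tag in the samples are placeholders:

```python
"""Detect the SantaStealer exfiltration pattern in HTTP request heads.
Indicators from the alert: POST to a hardcoded C2 on TCP/6767, User-Agent
"upload", custom headers "auth" (build ID) and "w" (traffic tag), and
"complete: true" sent only with the final 10 MB chunk."""
from typing import Dict, List, Tuple

C2_PORT = 6767

def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Return (method, headers) for a raw HTTP request head; header names
    are lowercased so lookups are case-insensitive."""
    lines = raw.strip().splitlines()
    parts = lines[0].split() if lines else []
    if len(parts) < 2:
        raise ValueError("malformed request line")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the headers; a body may follow
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return parts[0], headers

def match_indicators(dst_port: int, raw: str) -> List[str]:
    """List every indicator from the alert that the request satisfies."""
    method, h = parse_request(raw)
    hits: List[str] = []
    if method == "POST" and h.get("user-agent") == "upload":
        hits.append("POST with User-Agent: upload")
    if "auth" in h and "w" in h:
        hits.append("custom auth: and w: headers")
    if dst_port == C2_PORT:
        hits.append(f"destination TCP port {C2_PORT}")
    if h.get("complete", "").lower() == "true":
        hits.append("final chunk marker complete: true")
    return hits

def is_santastealer_exfil(dst_port: int, raw: str) -> bool:
    """The alert's rule: UA 'upload' combined with both custom headers; port and
    chunk marker are corroborating context only, so the UA alone does not alert."""
    hits = match_indicators(dst_port, raw)
    return "POST with User-Agent: upload" in hits and "custom auth: and w: headers" in hits

# Constructed sample traffic (not captured data); C2 address, build ID and tag are
# placeholders. The second request is a benign uploader that shares only the UA.
SAMPLES = [
    (6767, "POST /upload HTTP/1.1\r\nHost: 203.0.113.10:6767\r\nUser-Agent: upload\r\n"
           "Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAbc123\r\n"
           "auth: BUILD-ID-PLACEHOLDER\r\nw: TRAFFIC-TAG-PLACEHOLDER\r\ncomplete: true\r\n\r\n"),
    (443, "POST /api/files HTTP/1.1\r\nHost: files.example.com\r\nUser-Agent: upload\r\n"
          "Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryXyz789\r\n\r\n"),
]
```

The benign second sample shows why the alert pairs the User-Agent with the auth: and w: headers: a generic uploader can share the UA string, but not the custom header pair.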
Recommendations

To prevent initial infection and reduce the attack surface, the following strategic recommendations are advised:

  • Software Restriction Policies: Implement strict controls on the execution of unsigned binaries, particularly those originating from user-writable directories (like Downloads or Temp).
  • User Awareness Training: SantaStealer is heavily distributed via malvertising and compromised software sites. Users should be trained to:
      • Avoid downloading "cracked" software, keygens, or game cheats.
      • Recognise "Fake Browser Update" pages or "Human Verification" loops that prompt the user to run a script or executable.
  • Browser Security: Ensure all web browsers are patched to the latest versions. While SantaStealer currently attempts to bypass AppBound encryption, browser vendors frequently patch the specific syscall vulnerabilities these tools rely on.