SantaStealer
SantaStealer is a Windows malware-as-a-service (MaaS) information stealer, also described as a rebrand of BlueLineStealer (BluelineStealer). Public promotion on Telegram and underground forums began in late 2025, with a release planned for before the end of that year; reporting places the first release in December 2025. It is marketed by Russian-speaking operators, and multiple sources assess it as likely tied to the Russian-speaking cybercrime ecosystem; its panel and configuration support excluding CIS/Russian-speaking systems.

SantaStealer is modular and multi-threaded, with 14 data-collection modules reported in current analyses. It targets browser data (passwords, cookies, history, credit cards, browser sessions and autofill data), cryptocurrency wallets, messaging and application data (Telegram, Discord and Steam), screenshots, sensitive documents, and broader application data.

Current reporting states it is written in C and statically links cJSON, miniz and sqlite3. Samples have been described as 64-bit Windows DLLs with hundreds of exported functions and descriptive symbols. The malware is advertised as operating primarily or entirely in memory to evade file-based detection; reporting notes that the collection modules and a Chrome decryptor DLL are loaded in memory as part of a shift toward fileless collection. For Chromium credential theft, analyses report an embedded executable or ChromElevator-based component that bypasses App-Bound Encryption, using DLL injection, direct syscalls and reflective process hollowing.

Before collection, SantaStealer performs configuration checks and delayed execution, optionally terminates on CIS-region systems (detected via keyboard layout), and applies basic anti-analysis measures: process blacklists, uptime checks, service queries, anti-VM checks and anti-debugging.
Stolen data is collected in memory, archived into a ZIP file (reported as Log.zip), split into 10 MB chunks, and exfiltrated to hard-coded command-and-control (C2) endpoints over unencrypted HTTP; some reporting specifies HTTP POST requests to port 6767 carrying unique identifiers and campaign tags. Publicly reported C2 indicators are 31[.]57[.]38[.]244:6767 and 80[.]76[.]49[.]114:6767.

Despite advertising claims of being fully undetected and highly evasive, multiple analyses describe current samples as rudimentary, unobfuscated and easy to analyze, with unencrypted strings, a plain-text configuration, and leaked samples that expose descriptive function names and symbols.

SantaStealer was also observed as a payload distributed by Amadey botnet / pay-per-install campaigns in March 2026, alongside other stealers and RATs. Distribution methods are not definitively established in public reporting, which notes likely or possible vectors including phishing, pirated software and torrent downloads, malvertising, ClickFix-style social engineering, deceptive YouTube comments, and broader underground affiliate distribution.
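The exfiltration pattern above (a Log.zip split into 10 MB chunks, POSTed unencrypted to a hard-coded endpoint on port 6767) is easy to hunt for in HTTP telemetry. The script below is an added example for this page, not code from the malware, from the page's sources, or from any vendor: it matches the two published C2 endpoints and, independently of destination IP, flags any client that sends roughly 10 MB POST bodies to port 6767, which is what a chunked Log.zip upload looks like on the wire. The JSON field names follow Zeek's http.log; the log records themselves are constructed, and the 64 KB tolerance for multipart framing overhead is an assumption.

```python
"""Hunt for SantaStealer-style chunked exfiltration in Zeek-style http.log JSON."""
import json
from collections import defaultdict

# Published C2 endpoints from the page, undefanged so they can be matched.
KNOWN_C2 = {("31.57.38.244", 6767), ("80.76.49.114", 6767)}
C2_PORT = 6767                    # port reported for the HTTP POST exfiltration
CHUNK_BYTES = 10 * 1024 * 1024    # reported 10 MB split size for Log.zip
CHUNK_TOLERANCE = 64 * 1024       # assumption: slack for multipart framing overhead

# Constructed sample records (Zeek http.log field names, one JSON object per line):
# host .15 uploads a ~24 MB archive to a known C2; host .22 uploads ~20 MB to an
# unknown IP on the same port; .30 and .31 are benign traffic for contrast.
SAMPLE_HTTP_LOG = """\
{"ts":1741000001.1,"id.orig_h":"10.0.0.15","id.resp_h":"31.57.38.244","id.resp_p":6767,"method":"POST","uri":"/upload","request_body_len":10485760}
{"ts":1741000002.2,"id.orig_h":"10.0.0.15","id.resp_h":"31.57.38.244","id.resp_p":6767,"method":"POST","uri":"/upload","request_body_len":10485760}
{"ts":1741000003.3,"id.orig_h":"10.0.0.15","id.resp_h":"31.57.38.244","id.resp_p":6767,"method":"POST","uri":"/upload","request_body_len":3122001}
{"ts":1741000010.0,"id.orig_h":"10.0.0.22","id.resp_h":"203.0.113.9","id.resp_p":6767,"method":"POST","uri":"/api","request_body_len":10485760}
{"ts":1741000011.0,"id.orig_h":"10.0.0.22","id.resp_h":"203.0.113.9","id.resp_p":6767,"method":"POST","uri":"/api","request_body_len":10485760}
{"ts":1741000020.0,"id.orig_h":"10.0.0.30","id.resp_h":"198.51.100.7","id.resp_p":80,"method":"GET","uri":"/index.html","request_body_len":0}
{"ts":1741000021.0,"id.orig_h":"10.0.0.31","id.resp_h":"198.51.100.8","id.resp_p":8080,"method":"POST","uri":"/backup","request_body_len":10485760}
"""


def parse_http_log(text):
    """Parse newline-delimited http.log JSON into a list of dicts, skipping blanks."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def flow_key(rec):
    """(client, server, server port) identifies one client-to-C2 conversation."""
    return (rec["id.orig_h"], rec["id.resp_h"], int(rec["id.resp_p"]))


def ioc_hits(records):
    """Flows whose destination matches a published SantaStealer C2 endpoint."""
    return {flow_key(r) for r in records
            if (r["id.resp_h"], int(r["id.resp_p"])) in KNOWN_C2}


def chunked_post_hits(records):
    """Flows that look like a split Log.zip upload: at least one POST body within
    CHUNK_TOLERANCE of 10 MB to the reported C2 port, whatever the destination IP.
    Returns {flow_key: {"chunks", "full_chunks", "bytes"}} for each flagged flow."""
    posts = defaultdict(list)
    for r in records:
        if r.get("method") == "POST" and int(r["id.resp_p"]) == C2_PORT:
            posts[flow_key(r)].append(int(r.get("request_body_len", 0)))
    hits = {}
    for key, sizes in posts.items():
        full = sum(1 for s in sizes if abs(s - CHUNK_BYTES) <= CHUNK_TOLERANCE)
        if full >= 1:
            hits[key] = {"chunks": len(sizes), "full_chunks": full, "bytes": sum(sizes)}
    return hits


def hunt(log_text):
    """Run both the IOC match and the behavioural chunk heuristic over a log."""
    records = parse_http_log(log_text)
    return {"ioc": ioc_hits(records), "behavioral": chunked_post_hits(records)}


if __name__ == "__main__":
    result = hunt(SAMPLE_HTTP_LOG)
    for key in sorted(result["ioc"]):
        print("known C2 endpoint:", key)
    for key, info in sorted(result["behavioral"].items()):
        print("chunked upload:   ", key, info)
```

The IOC match catches only the two published endpoints; the behavioural rule also catches the second host, which talks to an IP not on the list. The 10 MB POST to port 8080 is deliberately not flagged, which shows the rule's weakness: it keys on the reported port, so an operator who rebuilds with a different port slips past it. Pair it with the IOC list and with host-side detection of the in-memory Log.zip staging rather than relying on it alone.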
Techniques & procedures
3 distinct techniques documented for this family, organized by ATT&CK tactic.
Credential Access: 1 technique
Command and Control: 1 technique
Recent activity
19 sources tracked across advisories, community write-ups, and news.
A Malware-as-a-Service infostealer used to harvest sensitive information from infected systems.
An emerging stealer family with limited public reporting that appeared among the campaign payloads.
SantaStealer is listed as one of the malware families distributed by the Amadey pay-per-install campaign.
SantaStealer is used to steal passwords, cookies, and autofill data.