
Rapid7 details SantaStealer malware-as-a-service

A new malware-as-a-service (MaaS) called SantaStealer is planned to be released by cybercriminals this holiday season, Rapid7 detailed in a report Monday.

SantaStealer, formerly called BluelineStealer, is being advertised on Telegram and cybercrime forums such as Lolz with an anticipated release date before the end of 2025.

The malware is reportedly written fully in C and aims to collect and exfiltrate sensitive information including documents, credentials, cryptocurrency wallet information and details from apps such as Discord and Steam.

Despite SantaStealer’s claims to be “fully undetected,” samples obtained by Rapid7 were easily detected and analyzed, containing unstripped symbols and unencrypted strings that revealed significant details about the malware’s inner workings.

Rapid7’s investigation of the MaaS’ samples, Telegram channel and web panel reveals an “ambitious” but “amateurish” modular infostealer, with its final capabilities yet to be seen as it continues to be actively developed.

SantaStealer includes 14 modules, targets WinRAR flaw

The SantaStealer web panel reveals several options for custom builds as well as claims made by its developers about what the MaaS will ultimately offer.

Two different plans are advertised, with a basic plan at $175 per month and a premium plan at $300, which provides more features including a crypto clipper tool and a polymorphic C engine to generate unique stubs.

The web panel allows users to customize the malware configuration with their own Telegram bot token for forwarding exfiltrated data from the command-and-control (C2) server and a fake error page for distracting the user.

The user can check and uncheck boxes in the web panel to activate or deactivate 14 different modules, most of which focus on specific data to be stolen such as browser extension data, Google Chrome credentials, Discord tokens and crypto-related files.

One of the options was noted to be a toggle for avoiding targeting of Commonwealth of Independent States (CIS) countries, which terminates the malware if a Russian keyboard is detected.

Analyzing the malware itself, Rapid7 found that SantaStealer performs basic anti-virtual machine checks before first targeting browser credentials and then running modules, creating a new thread for each module function. The malware is noted to use tooling, most likely the open-source ChromElevator tool, to bypass AppBound Encryption (ABE) in Chromium-based browsers.

Once all modules have run, the collected files are written into a ZIP archive called Log.zip within the TEMP directory, according to Rapid7. The archive is then split into 10 MB chunks that are sent to the hardcoded C2 server over unencrypted HTTP.
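The exfiltration pattern just described (a single archive split into 10 MB pieces and uploaded over plain HTTP) is something a proxy or web-gateway log can surface. The following Python script is an added detection example, not code from Rapid7 or from the malware: it parses a constructed, simplified proxy log format (timestamp, client, method, scheme, host, request-body bytes) and flags client/host pairs that send several chunk-sized POST bodies in a short window, optionally followed by one smaller remainder upload. The log format, the sample lines and the tolerance values are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample proxy log (not taken from the report).
# Fields: timestamp, client IP, method, scheme, destination host, request body bytes.
SAMPLE_LOG = """\
2025-12-01T10:00:01Z 10.0.0.5 POST http 203.0.113.10 10485760
2025-12-01T10:00:03Z 10.0.0.5 POST http 203.0.113.10 10485760
2025-12-01T10:00:05Z 10.0.0.5 POST http 203.0.113.10 10485760
2025-12-01T10:00:07Z 10.0.0.5 POST http 203.0.113.10 3145728
2025-12-01T10:00:09Z 10.0.0.7 POST https example.com 10485760
2025-12-01T10:05:00Z 10.0.0.9 GET http 198.51.100.2 512
"""

CHUNK_SIZE = 10 * 1024 * 1024   # 10 MB chunks, as described in the report
TOLERANCE = 64 * 1024           # assumed slack for multipart/framing overhead

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, scheme, host, size = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "client": client, "method": method, "scheme": scheme,
        "host": host, "size": int(size),
    }


def is_full_chunk(size):
    """True when a request body is within TOLERANCE of the expected chunk size."""
    return abs(size - CHUNK_SIZE) <= TOLERANCE


def find_chunked_exfil(log_text, window=timedelta(seconds=120), min_chunks=3,
                       plain_http_only=True):
    """Return findings for (client, host) pairs that uploaded at least `min_chunks`
    chunk-sized POST bodies inside `window`, plus any smaller trailing remainder.
    Plain HTTP is required by default because that is the transport described."""
    uploads = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST":
            continue
        if plain_http_only and ev["scheme"] != "http":
            continue
        uploads[(ev["client"], ev["host"])].append(ev)

    findings = []
    for (client, host), events in uploads.items():
        events.sort(key=lambda e: e["ts"])
        full = [e for e in events if is_full_chunk(e["size"])]
        if len(full) < min_chunks:
            continue
        # Sliding window over the full-size chunks: how many fit inside `window`?
        start, best = 0, 0
        for end in range(len(full)):
            while full[end]["ts"] - full[start]["ts"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best < min_chunks:
            continue
        # A split archive usually ends with one smaller piece: the remainder.
        last_full = full[-1]["ts"]
        remainder = [e for e in events
                     if last_full <= e["ts"] <= last_full + window
                     and e["size"] < CHUNK_SIZE - TOLERANCE]
        total = sum(e["size"] for e in full) + sum(e["size"] for e in remainder)
        findings.append({"client": client, "host": host,
                         "full_chunks": len(full),
                         "remainder_posts": len(remainder),
                         "total_bytes": total})
    return findings


if __name__ == "__main__":
    for f in find_chunked_exfil(SAMPLE_LOG):
        print(f"{f['client']} -> {f['host']}: {f['full_chunks']} chunks "
              f"+ {f['remainder_posts']} remainder, {f['total_bytes']} bytes")
```

On the constructed sample the script reports only 10.0.0.5 uploading to 203.0.113.10 (three full chunks and one remainder, about 33 MB in six seconds); the single HTTPS chunk from 10.0.0.7 falls below the threshold even when plain-HTTP filtering is switched off. In a real deployment the thresholds would be tuned against the environment's normal upload traffic, and a hit is a lead for triage rather than a verdict.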

SantaStealer’s developers claim the infostealer is capable of collecting and exfiltrating data within 20 seconds. The malware’s list of features notes that it includes a WinRAR export builder for exploiting the WinRAR path traversal vulnerability CVE-2025-8088.

To prevent SantaStealer infection, Rapid7 recommends exercising caution when dealing with unrecognized links or email attachments and warns of other infection vectors through which infostealers are likely to be spread.

“Watch out for fake human verification, or technical support instructions, asking you to run commands on your computer. Finally, avoid running any kind of unverified code from sources such as pirated software, videogame cheats, unverified plugins, and extensions. Stay safe and off the naughty list!” Rapid7’s blog post concludes.
