
SantaStealer malware targets crypto wallets and browsers

SantaStealer is a new information-stealing malware that targets crypto wallets. Sold as malware-as-a-service (MaaS), it extracts private data related to any type of cryptocurrency.

Rapid7 researchers claim that SantaStealer is a rebrand of another infostealer called BluelineStealer. The SantaStealer developer is rumored to be preparing a wider launch before the end of the year.

For the moment, the malware is advertised on Telegram and on hacker forums, and offered as a subscription service. Basic access costs $175 per month, while Premium access is more expensive and costs $300.

The developers of the SantaStealer malware claim enterprise-grade capabilities with antivirus bypasses and corporate network access.

SantaStealer targets crypto wallets

Crypto wallets are the main focus of SantaStealer. The malware targets crypto wallet apps like Exodus and browser extensions like MetaMask. It is designed to extract private data related to digital assets.

The malware doesn’t stop there. It also steals browser data including passwords, cookies, browsing history and saved credit card information. Messaging platforms such as Telegram and Discord are also being targeted. Steam data and local documents are included. The malware can also capture desktop screenshots.

It does this by dropping or loading a bundled executable. This executable decrypts and injects code into the browser, which gives it access to protected keys.

SantaStealer advertising in Russian and English. Source: Rapid7.

SantaStealer runs many data collection modules simultaneously. Each module runs in its own thread. The stolen data is written to memory, compressed into ZIP files, and exfiltrated in 10 MB chunks. The data is sent to a hard-coded command and control server via port 6767.
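The exfiltration pattern described above, repeated uploads of roughly 10 MB to a single peer on TCP port 6767, is simple enough to hunt for in network connection logs. The script below is an added defender-side example, not code from Rapid7's report or from this article. It assumes Zeek-style JSON conn records (fields `id.orig_h`, `id.resp_h`, `id.resp_p`, `proto`, `orig_bytes`); the log lines are constructed, and the ±10% size tolerance and the two-chunk alert threshold are assumptions.

```python
"""Hunt for chunked exfiltration: repeated ~10 MB uploads from one internal
host to one external peer on TCP/6767, the pattern reported for SantaStealer.
The records below are constructed Zeek-style conn.log lines, not real traffic."""
import json
from collections import defaultdict

SUSPECT_PORT = 6767                  # C2 port reported for SantaStealer
CHUNK_BYTES = 10 * 1024 * 1024       # ~10 MB per chunk (binary MB is an assumption)
TOLERANCE = 0.10                     # accept +/-10% around the chunk size (assumption)
MIN_CHUNKS = 2                       # alert only on repeated chunks (assumption)

# Constructed sample: one host pushes three chunk-sized uploads plus a small
# keep-alive, a second host sends a single chunk, a third uses port 443,
# and one line is malformed to exercise the parser's error handling.
SAMPLE_LOG = """
{"ts":1733900001.1,"id.orig_h":"10.0.0.5","id.resp_h":"203.0.113.7","id.resp_p":6767,"proto":"tcp","orig_bytes":10485760}
{"ts":1733900002.4,"id.orig_h":"10.0.0.5","id.resp_h":"203.0.113.7","id.resp_p":6767,"proto":"tcp","orig_bytes":4096}
{"ts":1733900009.0,"id.orig_h":"10.0.0.5","id.resp_h":"203.0.113.7","id.resp_p":6767,"proto":"tcp","orig_bytes":10480000}
{"ts":1733900017.8,"id.orig_h":"10.0.0.5","id.resp_h":"203.0.113.7","id.resp_p":6767,"proto":"tcp","orig_bytes":10490112}
{"ts":1733900020.2,"id.orig_h":"10.0.0.9","id.resp_h":"203.0.113.7","id.resp_p":6767,"proto":"tcp","orig_bytes":10485760}
{"ts":1733900021.0,"id.orig_h":"10.0.0.12","id.resp_h":"198.51.100.3","id.resp_p":443,"proto":"tcp","orig_bytes":10485760}
this line is not json
"""


def is_chunk_sized(nbytes):
    """True when an upload is within TOLERANCE of the expected chunk size."""
    return abs(nbytes - CHUNK_BYTES) <= CHUNK_BYTES * TOLERANCE


def find_chunked_exfil(lines, port=SUSPECT_PORT, min_chunks=MIN_CHUNKS):
    """Group chunk-sized TCP uploads to `port` by (src, dst) and return the
    pairs that exceed `min_chunks`, largest total upload first."""
    sessions = defaultdict(list)
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip malformed records instead of aborting the hunt
        if rec.get("proto") != "tcp" or rec.get("id.resp_p") != port:
            continue
        sent = rec.get("orig_bytes") or 0
        if is_chunk_sized(sent):
            sessions[(rec["id.orig_h"], rec["id.resp_h"])].append(sent)

    findings = []
    for (src, dst), chunks in sessions.items():
        if len(chunks) >= min_chunks:
            findings.append({"src": src, "dst": dst,
                             "chunks": len(chunks), "bytes_out": sum(chunks)})
    return sorted(findings, key=lambda f: f["bytes_out"], reverse=True)


if __name__ == "__main__":
    for hit in find_chunked_exfil(SAMPLE_LOG.splitlines()):
        print(f"{hit['src']} -> {hit['dst']}:{SUSPECT_PORT} "
              f"{hit['chunks']} chunks, {hit['bytes_out']} bytes out")
```

The port alone is a weak indicator, since a rebuilt sample can change it; the chunk-size repetition to one peer is what makes the pattern worth a detection rule, and the same logic can be pointed at any port once the size signature is known.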

To access wallet data stored in browsers, the malware bypasses Chrome's app-bound encryption, introduced in July 2024. According to Rapid7, several infostealers have already defeated it.

The malware is presented as advanced, with complete evasion. But Rapid7 security researchers say the malware doesn’t match those claims. Current samples are easy to analyze and expose readable symbols and strings. This suggests rushed development and poor operational security.

“The thief’s anti-scan and stealth capabilities advertised in the web panel remain very basic and amateurish, with only the third-party Chrome decryptor payload somewhat hidden,” wrote Rapid7’s Milan Spinka.

The SantaStealer affiliate panel is neat. Operators can customize builds to steal everything or to focus only on wallet and browser data. The options also allow operators to exclude the Commonwealth of Independent States (CIS) region and to delay execution.

SantaStealer has not yet become widespread, and its method of distribution remains unclear. Recent campaigns favor ClickFix attacks, in which victims are tricked into pasting malicious commands into Windows terminals.

Other malware delivery routes remain common, researchers say. These include phishing emails, pirated software, torrents, malvertising, and misleading comments on YouTube.

Security researchers advise crypto users to remain vigilant and avoid unknown links and attachments.

Spinka wrote: "Avoid running any type of unverified code from sources such as pirated software, video game cheats, unverified plugins and extensions."
