
New SantaStealer malware steals data from browsers, crypto wallets

Published:

15 December 2025 at 22:43:10

Alert date:

15 December 2025 at 23:01:25

Source:

bleepingcomputer.com


Ransomware & Malware, Web Technologies, Data Breach & Exfiltration

A new malware-as-a-service (MaaS) information stealer named SantaStealer is being advertised on Telegram and hacker forums. The malware operates in memory to avoid file-based detection and is designed to steal data from browsers and cryptocurrency wallets. It represents an actively distributed threat targeting sensitive user data and financial information.

Technical details

SantaStealer is a malware-as-a-service (MaaS) information stealer that operates in memory to avoid file-based detection. It is a rebranding of BluelineStealer. The malware runs 14 distinct data-collection modules in separate threads, writes the stolen data to memory, archives it into ZIP files, and exfiltrates it in 10MB chunks to a hardcoded C2 endpoint via port 6767. It includes an embedded executable to bypass Chrome's App-Bound Encryption protections. The malware targets browser data (passwords, cookies, history, credit cards), Telegram, Discord and Steam data, cryptocurrency wallets, and documents. It can also take desktop screenshots, and it excludes systems located in the CIS region.
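As an added example (not from this advisory or from the BleepingComputer article it summarises), the following Python scans constructed Zeek-style conn.log records for the exfiltration pattern described above: repeated outbound transfers of roughly 10MB to port 6767. The field layout, the 10% size tolerance and all hosts and addresses are assumptions made for the sample.

```python
# Added example, not code from the advisory: flag hosts that repeatedly upload
# ~10 MB chunks to port 6767, the exfiltration pattern the advisory describes.
from collections import defaultdict

CHUNK_BYTES = 10 * 1024 * 1024      # the 10 MB chunk size named in the advisory
TOLERANCE = 0.10                    # assumed: accept +/-10% for ZIP/protocol overhead
C2_PORT = 6767                      # port named in the advisory
MIN_CHUNKS = 2                      # assumed: flag after this many chunk-sized uploads

# Constructed sample (Zeek-like columns): ts, id.orig_h, id.resp_h, id.resp_p, orig_bytes
SAMPLE_CONN_LOG = """\
1765836000.1\t10.0.0.12\t203.0.113.45\t6767\t10485760
1765836010.4\t10.0.0.12\t203.0.113.45\t6767\t10485760
1765836021.9\t10.0.0.12\t203.0.113.45\t6767\t3145728
1765836030.0\t10.0.0.12\t198.51.100.7\t443\t10485760
1765836041.2\t10.0.0.33\t203.0.113.45\t6767\t512
"""

def parse_conn_log(text):
    """Yield (ts, src, dst, dport, orig_bytes) tuples from tab-separated lines."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, obytes = line.split("\t")
        yield float(ts), src, dst, int(dport), int(obytes)

def is_chunk_sized(nbytes):
    """True if an upload is within TOLERANCE of the 10 MB chunk size."""
    return abs(nbytes - CHUNK_BYTES) <= CHUNK_BYTES * TOLERANCE

def find_chunked_exfil(text):
    """Return {(src, dst): {"chunks": n, "tail": m}} for source/destination pairs
    with at least MIN_CHUNKS chunk-sized uploads to C2_PORT; a smaller final
    upload (the last partial chunk) is counted as 'tail'."""
    counts = defaultdict(lambda: {"chunks": 0, "tail": 0})
    for _ts, src, dst, dport, obytes in parse_conn_log(text):
        if dport != C2_PORT:
            continue
        if is_chunk_sized(obytes):
            counts[(src, dst)]["chunks"] += 1
        elif 0 < obytes < CHUNK_BYTES:
            counts[(src, dst)]["tail"] += 1
    return {k: v for k, v in counts.items() if v["chunks"] >= MIN_CHUNKS}

if __name__ == "__main__":
    for (src, dst), v in find_chunked_exfil(SAMPLE_CONN_LOG).items():
        print(f"possible chunked exfiltration: {src} -> {dst}:{C2_PORT} ({v['chunks']} x ~10MB, {v['tail']} partial)")
```

On the sample, only 10.0.0.12 -> 203.0.113.45 is reported (two full chunks plus one partial); the 443 transfer and the single small upload from 10.0.0.33 are not.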

Mitigation steps:

Check links and attachments in unrecognized emails
Avoid running unverified code from public repositories for extensions
Be cautious of ClickFix attacks that trick users into pasting dangerous commands into a Windows terminal
Avoid downloading pirated software or torrents
Be wary of malvertising and deceptive YouTube comments

Affected products:

Chrome browsers
Cryptocurrency wallet applications and extensions
Telegram
Discord
Steam
Various web browsers

Related links:

Related CVEs:

Related threat actors:

IOCs:

Command-and-control communication via port 6767
Data exfiltration in 10MB chunks
ZIP archiving of stolen data
Embedded executable for Chrome App-Bound Encryption bypass

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information originating from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
