{
	"id": "54b518cf-bff8-416c-83bf-44f731791cf3",
	"created_at": "2026-04-06T00:15:26.504963Z",
	"updated_at": "2026-04-10T13:12:03.049333Z",
	"deleted_at": null,
	"sha1_hash": "4457a996b9621445b7c0530c09897472de84bf56",
	"title": "SantaStealer is Coming to Town: A New, Ambitious Infostealer Advertised on Underground Forums | Rapid7 Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2913255,
	"plain_text": "SantaStealer is Coming to Town: A New, Ambitious Infostealer\r\nAdvertised on Underground Forums | Rapid7 Blog\r\nBy Rapid7\r\nPublished: 2025-12-15 · Archived: 2026-04-05 15:28:04 UTC\r\nUpdate from December 16, 2025: Shortly after publishing this blog post, we have observed a message from the\r\nofficial SantaStealer telegram channel announcing the release of the stealer. This means the stealer is now deemed\r\nproduction-ready by the developers and can be expected in the wild. Below is a screenshot of the original message\r\nin Russian as well as our translation to English.\r\nFigure 0: A message announcing the release of SantaStealer in Russian (left) and our translation to English (right)\r\nSummary\r\nRapid7 Labs has identified a new malware-as-a-service information stealer being actively promoted through\r\nTelegram channels and on underground hacker forums. The stealer is advertised under the name “SantaStealer”\r\nand is planned to be released before the end of 2025. Open source intelligence suggests that it recently underwent\r\na rebranding from the name “BluelineStealer.”\r\nhttps://www.rapid7.com/blog/post/tr-santastealer-is-coming-to-town-a-new-ambitious-infostealer-advertised-on-underground-forums/\r\nPage 1 of 14\n\nThe malware collects and exfiltrates sensitive documents, credentials, wallets, and data from a broad range of\r\napplications, and aims to operate entirely in-memory to avoid file-based detection. Stolen data is then compressed,\r\nsplit into 10 MB chunks, and sent to a C2 server over unencrypted HTTP.\r\nWhile the stealer is advertised as “fully written in C”, featuring a “custom C polymorphic engine” and being\r\n“fully undetected,” Rapid7 has found unobfuscated and unstripped SantaStealer samples that allow for an in-depth\r\nanalysis. 
These samples can shed more light on this malware’s true level of sophistication.\r\nDiscovery\r\nIn early December 2025, Rapid7 identified a Windows executable triggering a generic infostealer detection rule,\r\nwhich we usually see triggered by samples from the Raccoon stealer family. Initial inspection of the sample\r\n(SHA-256 beginning with 1a27…) revealed a 64-bit DLL with over 500 exported symbols (all bearing highly\r\ndescriptive names such as “payload_main”, “check_antivm” or “browser_names”) and a plethora of unencrypted\r\nstrings that clearly hinted at credential-stealing capabilities.\r\nWhile it is not clear why the malware authors chose to build a DLL, or how the stealer payload was to be invoked\r\nby a potential stager, this choice had the (presumably unintended) effect of including the name of every single\r\nfunction and global variable not declared as static in the executable’s export directory. Even better, this includes\r\nsymbols from statically linked libraries, which we can thus identify with minimal effort.\r\nThe statically linked libraries in this particular DLL include:\r\ncJSON, an “ultralightweight JSON parser”\r\nminiz, a “single C source file zlib-replacement library”\r\nsqlite3, the C library for interfacing with SQLite v3\r\nAnother pair of exported symbols in the DLL are named notes_config_size and notes_config_data. 
These point to\r\na string containing the JSON-encoded stealer configuration, which contains, among other things, a banner\r\n(“watermark”) with Unicode art spelling “SANTA STEALER” and a link to the stealer Telegram channel,\r\nt[.]me/SantaStealer.\r\nFigure 1: A preview of the stealer’s configuration\r\nFigure 2: A Telegram message from November 25th advertising the rebranded SantaStealer\r\nFigure 3: A Telegram message announcing the rebranding and expected release schedule\r\nVisiting SantaStealer’s Telegram channel, we observed the affiliate web panel, where we were able to register an\r\naccount and access more information provided by the operators, such as a list of features, the pricing model, or the\r\nvarious build configuration options. This allowed us to cross-correlate information from the panel with the\r\nconfiguration observed in samples, and get a basic idea of the ongoing evolution of the stealer.\r\nApart from Telegram, the stealer can be found advertised also on the Lolz hacker forum at lolz[.]live/santa/. The\r\nuse of this Russian-speaking forum, the top-level domain name of the web panel bearing the country code of the\r\nSoviet Union (su), and the ability to configure the stealer not to target Russian-speaking victims (described later)\r\nhints at Russian citizenship of the operators — not at all unusual on the infostealer market.\r\nFigure 4: A list of features advertised in the web panel\r\nAs the above screenshot illustrates, the stealer operators have ambitious plans, boasting anti-analysis techniques,\r\nantivirus software bypasses, and deployment in government agencies or complex corporate networks. 
This is\r\nreflected in the pricing model, where a basic variant is advertised for $175 per month, and a premium variant is\r\nvalued at $300 per month, as captured in the following screenshot.\r\nFigure 5: Pricing model for SantaStealer (web panel)\r\nIn contrast to these claims, the samples we have seen until now are far from undetectable, or in any way difficult\r\nto analyze. While it is possible that the threat actor behind SantaStealer is still developing some of the mentioned\r\nanti-analysis or anti-AV techniques, having samples leaked before the malware is ready for production use —\r\ncomplete with symbol names and unencrypted strings — is a clumsy mistake likely thwarting much of the effort\r\nput into its development and hinting at poor operational security of the threat actor(s).\r\nInterestingly, the web panel includes functionality to “scan files for malware” (i.e. check whether a file is being\r\ndetected or not). 
While the panel assures the affiliate user that no files are shared and full anonymity is guaranteed,\r\none may have doubts about whether this is truly the case.\r\nFigure 6: Web panel allows to scan files for malware.\r\nSome of the build configuration options within the web panel are shown in Figures 7 through 9.\r\nFigure 7: SantaStealer build configuration\r\nFigure 8: More SantaStealer build configuration options\r\nFigure 9: SantaStealer build configuration options, including CIS countries detection\r\nOne final aspect worth pointing out is that, rather unusually, the decision whether to target countries in the\r\nCommonwealth of Independent States (CIS) is seemingly left up to the buyer and is not hardcoded, as is often the\r\ncase with commercial infostealers.\r\nTechnical analysis of SantaStealer\r\nHaving read the advertisement of SantaStealer’s capabilities by the developers, one might be interested in seeing\r\nhow they are implemented on a technical level. Here, we will explore one of the EXE samples (SHA-256\r\nbeginning with 926a…), as attempts at executing the DLL builds with rundll32.exe ran into issues with the C\r\nruntime initialization. However, the DLL builds (such as SHA-256 beginning with 1a27…) are still useful for\r\nstatic analysis and cross-referencing with the EXE.\r\nAt the moment, detecting and tracking these payloads is straightforward, due to the fact that both the malware\r\nconfiguration and the C2 server IP address are embedded in the executable in plain text. 
However, if SantaStealer\r\nindeed does turn out to be competitive and implements some form of encryption, obfuscation, or anti-analysis\r\ntechniques (as seen with Lumma or Vidar) these tasks may become less trivial for the analyst. A deeper\r\nunderstanding of the patterns and methods utilized by SantaStealer may be beneficial.\r\nFigure 10: Code in the send_upload_chunk exported function references plaintext strings\r\nThe user-defined entry point in the executable corresponds to the payload_main DLL export. Within this function,\r\nthe stealer first checks the anti_cis and exec_delay_seconds values from the embedded config and behaves\r\naccordingly. If the CIS check is enabled and a Russian keyboard layout is detected using the\r\nGetKeyboardLayoutList API, the stealer drops an empty file named “CIS” and ends its execution. Otherwise,\r\nSantaStealer waits for the configured number of seconds before calling functions named check_antivm,\r\npayload_credentials, create_memory_based_log and creating a thread running the routine named ThreadPayload1\r\nin the DLL exports.\r\nThe anti-VM function is self-explanatory, but its implementation differs across samples, hinting at the ongoing\r\ndevelopment of the stealer. One sample checks for blacklisted processes (by hashing the names of running process\r\nexecutables using a custom rolling checksum and searching for them in a blacklist), suspicious computer names\r\n(using the same method) and an “analysis environment,” which is just a hard-coded blacklist of working\r\ndirectories, like “C:\\analysis” and similar. Another sample checks the number of running processes, the system\r\nuptime, the presence of a VirtualBox service (by means of a call to OpenServiceA with \"VBoxGuest\") and finally\r\nperforms a time-based debugger check. 
In either case, if a VM or debugger is detected, the stealer ends its\r\nexecution.\r\nNext, payload_credentials attempts to steal browser credentials, including passwords, cookies, and saved credit\r\ncards. For Chromium-based browsers, this involves bypassing a mechanism known as AppBound Encryption\r\n(ABE). For this purpose, SantaStealer embeds an additional executable, either as a resource or directly in section\r\ndata, which is either dropped to disk and executed (screenshot below), or loaded and executed in-memory,\r\ndepending on the sample.\r\nFigure 11: Execution of an embedded executable specialized in browser hijacking\r\nThe extracted executable, in turn, contains an encrypted DLL in its resources, which is decrypted using two\r\nconsecutive invocations of ChaCha20 with two distinct pairs of 32-byte key and 12-byte nonce. This DLL exports\r\nfunctions called ChromeElevator_Initialize, ChromeElevator_ProcessAllBrowsers and ChromeElevator_Cleanup,\r\nwhich are called by the executable in that order. Based on the symbol naming, as well as usage of ChaCha20\r\nencryption for obfuscation and presence of many recognizable strings, we assess with moderate confidence that\r\nthis executable and DLL are heavily based on code from the \"ChromElevator\" project\r\n(https://github.com/xaitax/Chrome-App-Bound-Encryption-Decryption), which employs direct syscall-based\r\nreflective process hollowing to inject code into the target browser. 
Hijacking the security context of a legitimate\r\nbrowser process this way allows the attacker to decrypt AppBound encryption keys and thereby decrypt stored\r\ncredentials.\r\nFigure 12: The embedded EXE decrypts and loads a DLL in-memory and calls its exports.\r\nThe next function called from main, create_memory_based_log, demonstrates the modular design of the stealer.\r\nFor each included module, it creates a thread running the module_thread routine with an incremented numerical\r\nID for that module, starting at 0. It then waits for 45 seconds before joining all thread handles and writing all files\r\ncollected in-memory into a ZIP file named “Log.zip” in the TEMP directory.\r\nThe module_thread routine simply takes the index it was passed as parameter and calls a handler function at that\r\nindex in a global table, for some reason called memory_generators in the DLL. The module function takes only a\r\nsingle output parameter, which is the number of files it collected. In the so helpfully annotated DLL build, we can\r\nsee 14 different modules. Besides generic modules for reading environment variables, taking screenshots, or\r\ngrabbing documents and notes, there are specialized modules for stealing data from the Telegram desktop\r\napplication, Discord, Steam, as well as browser extensions, histories and passwords.\r\nFigure 13: A list of named module functions in a SantaStealer sample\r\nFinally, after all the files have been collected, ThreadPayload1 is run in a thread. 
It sleeps for 15 seconds and then\r\ncalls payload_send, which in turn calls send_zip_from_memory_0, which splits the ZIP into 10 MB chunks that\r\nare uploaded using send_upload_chunk.\r\nThe file chunks are exfiltrated over plain HTTP to an /upload endpoint on a hard-coded C2 IP address on port\r\n6767, with only a couple special headers:\r\nUser-Agent: upload\r\nContent-Type: multipart/form-data; boundary=----WebKitFormBoundary[...]\r\nauth: [...]\r\nw: [...]\r\ncomplete: true (only on final request)\r\nThe auth header appears to be a unique build ID, and w is likely the optional “tag” used to distinguish between\r\ncampaigns or “traffic sources”, as is mentioned in the features.\r\nConclusion\r\nThe SantaStealer malware is in active development, set to release sometime in the remainder of this month or in\r\nearly 2026. Our analysis of the leaked builds reveals a modular, multi-threaded design fitting the developers’\r\ndescription. Some, but not all, of the improvements described in SantaStealer’s Telegram channel are reflected in\r\nthe samples we were able to analyze. For one, the malware can be seen shifting to a completely fileless collection\r\napproach, with modules and the Chrome decryptor DLL being loaded and executed in-memory. On the other hand,\r\nthe anti-analysis and stealth capabilities of the stealer advertised in the web panel remain very basic and\r\namateurish, with only the third-party Chrome decryptor payload being somewhat hidden.\r\nTo avoid getting infected with SantaStealer, it is recommended to pay attention to unrecognized links and e-mail\r\nattachments. Watch out for fake human verification, or technical support instructions, asking you to run\r\ncommands on your computer. 
Finally, avoid running any kind of unverified code from sources such as pirated\r\nsoftware, videogame cheats, unverified plugins, and extensions.\r\nStay safe and off the naughty list!\r\nRapid7 Customers\r\nIntelligence Hub\r\nCustomers using Rapid7’s Intelligence Hub gain direct access to SantaStealer IOCs, along with ongoing\r\nintelligence on new activity and related campaigns. The platform also has detections for a wide range of other\r\ninfostealers, including Lumma, StealC, RedLine, and more, giving security teams broader visibility into emerging\r\nthreats.\r\nIndicators of compromise (IoCs)\r\nSantaStealer DLLs with exported symbols (SHA-256)\r\nSantaStealer EXEs (SHA-256)\r\n926a6a4ba8402c3dd9c33ceff50ac957910775b2969505d36ee1a6db7a9e0c87\r\n9b017fb1446cdc76f040406803e639b97658b987601970125826960e94e9a1a6\r\nf81f710f5968fea399551a1fb7a13fad48b005f3c9ba2ea419d14b597401838c\r\nSantaStealer C2s\r\n31[.]57[.]38[.]244:6767 (AS 399486)\r\n80[.]76[.]49[.]114:6767 (AS 399486)\r\nMITRE ATT\u0026CK\r\nAccount 
Discovery (T1087)\r\nAutomated Exfiltration (T1020)\r\nData Compressed (T1002)\r\nBrowser Information Discovery (T1217)\r\nArchive Collected Data (T1560)\r\nData Transfer Size Limits (T1030)\r\nArchive via Library (T1560.002)\r\nAutomated Collection (T1119)\r\nExfiltration Over C2 Channel (T1041)\r\nClipboard Data (T1115)\r\nDebugger Evasion (T1622)\r\nEmail Account (T1087.003)\r\nFile and Directory Discovery (T1083)\r\nCredentials In Files (T1552.001)\r\nCredentials from Password Stores (T1555)\r\nData from Local System (T1005)\r\nCredentials from Web Browsers (T1503)\r\nFinancial Theft (T1657)\r\nCredentials from Web Browsers (T1555.003)\r\nCredentials in Files (T1081)\r\nMalware (T1587.001)\r\nProcess Discovery (T1057)\r\nLocal Email Collection (T1114.001)\r\nMessaging Applications (T1213.005)\r\nScreen Capture (T1113)\r\nServer (T1583.004)\r\nSoftware Discovery (T1518)\r\nSystem Checks (T1497.001)\r\nDLL (T1574.001)\r\nSystem Information Discovery (T1082)\r\nSystem Language Discovery (T1614.001)\r\nTime Based Evasion (T1497.003)\r\nVirtualization/Sandbox Evasion (T1497)\r\nDeobfuscate/Decode Files or Information (T1140)\r\nWeb Protocols (T1071.001)\r\nPrivate Keys (T1145)\r\nPrivate Keys (T1552.004)\r\nDynamic API Resolution (T1027.007)\r\nSteal Application Access Token (T1528)\r\nSteal Web Session Cookie (T1539)\r\nEmbedded Payloads (T1027.009)\r\nEncrypted/Encoded File (T1027.013)\r\nFile Deletion (T1070.004)\r\nFile Deletion (T1107)\r\nPortable Executable Injection (T1055.002)\r\nProcess Hollowing (T1055.012)\r\nProcess Hollowing (T1093)\r\nReflective Code Loading (T1620)\r\nSource: 
https://www.rapid7.com/blog/post/tr-santastealer-is-coming-to-town-a-new-ambitious-infostealer-advertised-on-underground-forums/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.rapid7.com/blog/post/tr-santastealer-is-coming-to-town-a-new-ambitious-infostealer-advertised-on-underground-forums/"
	],
	"report_names": [
		"tr-santastealer-is-coming-to-town-a-new-ambitious-infostealer-advertised-on-underground-forums"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434526,
	"ts_updated_at": 1775826723,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4457a996b9621445b7c0530c09897472de84bf56.pdf",
		"text": "https://archive.orkl.eu/4457a996b9621445b7c0530c09897472de84bf56.txt",
		"img": "https://archive.orkl.eu/4457a996b9621445b7c0530c09897472de84bf56.jpg"
	}
}