SantaStealer build configuration options | Image: Rapid7
As the 2025 holiday season approaches, cybercriminals are unwrapping a new tool designed to spoil the festivities. Rapid7 Labs has uncovered a sophisticated new information stealer, aggressively marketed on the dark web under the festive moniker “SantaStealer.”
Discovered in early December 2025, this Malware-as-a-Service (MaaS) threat is currently being promoted across Telegram channels and underground hacker forums, with a full release planned before the year’s end.
While the branding is new, the threat actor behind it likely is not. Open-source intelligence indicates that SantaStealer is a strategic rebrand of a previous tool known as “BluelineStealer”.
The operators have ambitious plans for this iteration. Advertisements claim the malware is “fully written in C” and features a “custom C polymorphic engine” designed to make it “fully undetected” by antivirus software. However, researchers tell a different story.
Rapid7 analysts managed to acquire unobfuscated samples of the malware, revealing a disconnect between the marketing hype and the technical reality. “Rapid7 has found unobfuscated and unstripped SantaStealer samples that allow for an in-depth analysis. These samples can shed more light on this malware’s true level of sophistication”.
Contrary to the “undetectable” claims, the samples analyzed by Rapid7 were surprisingly chatty. The malware was packaged as a 64-bit DLL file teeming with over 500 exported symbols—essentially a roadmap of its internal functions.
“Initial inspection of the sample… revealed a 64-bit DLL with over 500 exported symbols… and a plethora of unencrypted strings that clearly hinted at credential-stealing capabilities”.
The analysis exposed the malware’s reliance on standard open-source libraries, including:
- CJSON: An “ultralightweight JSON parser”.
- miniz: A library for data compression.
- sqlite3: Used for interfacing with database files, likely to parse browser data.
SantaStealer is designed to be a vacuum for sensitive data. It targets “credentials, wallets, and data from a broad range of applications,” aiming to execute entirely in-memory to bypass file-based security scans.
Once the data is harvested, the malware compresses it and splits it into manageable 10 MB chunks before sending it to a Command-and-Control (C2) server over unencrypted HTTP.
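The upload pattern just described (compressed data sent as roughly 10 MB chunks over plaintext HTTP) is something a defender can hunt for in proxy or egress logs. The script below is an added illustration, not code from Rapid7's report; the log layout, the reading of "10 MB" as 10 MiB, and the alert thresholds are assumptions.

```python
import re
from collections import defaultdict

CHUNK_SIZE = 10 * 1024 * 1024   # assumed: the reported 10 MB chunk means 10 MiB
TOLERANCE = 0.05                # bodies within 5% below CHUNK_SIZE count as full chunks
MIN_FULL_CHUNKS = 2             # alert once two full-size chunks go to the same host

# Assumed proxy log layout, one request per line:
#   <ts> <src_ip> <method> <url> <status> <request_body_bytes>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<method>[A-Z]+) "
    r"(?P<scheme>https?)://(?P<host>[^/\s]+)\S* (?P<status>\d{3}) (?P<bytes>\d+)$"
)

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not fit."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def find_chunked_plaintext_uploads(lines):
    """Group plaintext (http://) POSTs by (src, host) and report every group with
    at least MIN_FULL_CHUNKS bodies close to CHUNK_SIZE. Returns {(src, host): summary}."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["scheme"] == "http":
            groups[(rec["src"], rec["host"])].append(int(rec["bytes"]))
    low = CHUNK_SIZE * (1 - TOLERANCE)
    alerts = {}
    for key, sizes in groups.items():
        full = [s for s in sizes if low <= s <= CHUNK_SIZE]
        if len(full) >= MIN_FULL_CHUNKS:
            alerts[key] = {"chunks": len(sizes), "full_chunks": len(full), "bytes": sum(sizes)}
    return alerts

# Constructed sample log: a benign HTTPS upload, a small plaintext POST, and three
# plaintext POSTs from 10.0.0.5 that look like two 10 MB chunks plus a shorter tail.
SAMPLE_LOG = [
    "2025-12-05T10:00:01Z 10.0.0.7 POST https://files.example.com/upload 200 10485760",
    "2025-12-05T10:00:02Z 10.0.0.5 POST http://203.0.113.10/gate 200 10485760",
    "2025-12-05T10:00:03Z 10.0.0.9 POST http://intranet.example.com/api/form 200 4096",
    "2025-12-05T10:00:04Z 10.0.0.5 POST http://203.0.113.10/gate 200 10485760",
    "2025-12-05T10:00:06Z 10.0.0.5 POST http://203.0.113.10/gate 200 3217400",
]

if __name__ == "__main__":
    for (src, host), info in find_chunked_plaintext_uploads(SAMPLE_LOG).items():
        print(f"{src} -> {host}: {info['chunks']} POSTs, {info['full_chunks']} full chunks, {info['bytes']} bytes")
```

The size heuristic alone will also match legitimate chunked uploaders that use plaintext HTTP, so treat a hit as a triage lead to pair with the destination's reputation and the sending process rather than as a verdict.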
Interestingly, the malware includes a “watermark” feature in its configuration—a banner displaying “SANTA STEALER” in Unicode art, along with a link to the operators’ Telegram channel.
Despite the high price tag—subscriptions run up to $300 per month for the “Premium” plan—Rapid7’s analysis suggests the tool may not be as advanced as advertised.
“The anti-analysis and stealth capabilities of the stealer advertised in the web panel remain very basic and amateurish, with only the third-party Chrome decryptor payload being somewhat hidden”.
However, the threat remains active and evolving. To stay safe this season, users are advised to “avoid running any kind of unverified code from sources such as pirated software, videogame cheats, unverified plugins, and extensions”.