SantaStealer is a new information-stealing malware that targets crypto wallets. The malware-as-a-service (MaaS) extracts private data linked to any type of crypto.

Researchers at Rapid7 say that SantaStealer is a rebrand of another infostealer called BluelineStealer. The developer of SantaStealer is rumored to be preparing a wider launch before the year ends.

At the moment, the malware is advertised on Telegram and hacker forums, and offered as a subscription service. Basic access costs $175 per month, while Premium access is more expensive and costs $300.

The SantaStealer malware developers claim enterprise-level capability with antivirus bypasses and corporate network access.

SantaStealer targets crypto wallets

Crypto wallets are the main focus of SantaStealer. The malware targets crypto wallet apps like Exodus and browser extensions like MetaMask. It is designed to extract private data linked to digital assets.

The malware doesn’t stop there. It also steals browser data, including passwords, cookies, browsing history, and saved credit card information. Messaging platforms such as Telegram and Discord are targeted as well. Steam data and local documents are included. The malware can also capture desktop screenshots.

To do this, it drops or loads an embedded executable. That executable decrypts and injects code into the browser. This allows access to protected keys.

SantaStealer runs many data collection modules simultaneously. Each module operates in its own thread. Stolen data is written to memory, compressed into ZIP files, and exfiltrated in 10MB chunks. The data is sent to a hardcoded command-and-control server over port 6767.

To reach wallet data stored in browsers, the malware bypasses Chrome’s App-Bound Encryption, which was introduced in July of 2024. According to Rapid7, multiple info-stealers have already defeated it.

The malware is marketed as advanced, with total evasion. But Rapid7 security researchers say the malware does not match those claims. Current samples are easy to analyze, and they expose symbols and readable strings. This suggests rushed development and weak operational security.

“The anti-analysis and stealth capabilities of the stealer advertised in the web panel remain very basic and amateurish, with only the third-party Chrome decryptor payload being somewhat hidden,” wrote Milan Spinka from Rapid7.

The affiliate panel of SantaStealer is polished. Operators can customize builds, and they can steal everything or focus only on wallet and browser data. The options also allow operators to exclude the Commonwealth of Independent States (CIS) region and delay execution.

SantaStealer has not yet spread on a large scale, and its delivery method remains unclear. Recent campaigns favor ClickFix attacks since victims are tricked into pasting malicious commands into Windows terminals.

According to the researchers, other malware delivery paths remain common. These include phishing emails, pirated software, torrents, malvertising, and deceptive YouTube comments.

Security researchers advise crypto users to stay alert and avoid unknown links and attachments.

Spinka wrote, “Avoid running any kind of unverified code from sources such as pirated software, videogame cheats, unverified plugins, and extensions.”

Want your project in front of crypto’s top minds? Feature it in our next industry report, where data meets impact.