Cybersecurity Threat Advisory: New SantaStealer malware

A new malware-as-a-service (MaaS) infostealer, SantaStealer, is actively promoted on Telegram and underground forums, with operators reportedly beginning its release ahead of year-end 2025. Read this Cybersecurity Threat Advisory to learn how to reduce your risk from this emerging threat.

What is the threat?

SantaStealer is a Windows-focused, modular infostealer offered under subscription tiers ($175 Basic / $300 Premium). It claims in-memory execution to evade file-based detection and includes 14 parallel data-collection modules targeting browser data (passwords, cookies, history, saved cards), crypto wallets, Telegram, Discord, Steam, local documents, and screenshots. Collected data is stored in memory, compressed into ZIP files, and exfiltrated in 10MB chunks to a hardcoded C2 over port 6767 via unencrypted HTTP.

This malware affects Microsoft Windows, Chromium-based browsers (Chrome, Edge, Brave), browser-stored credit cards and autofill data, crypto wallet apps/extensions (Exodus, MetaMask), and Telegram Desktop, Discord, and Steam. It uses an embedded executable to bypass Chrome App-Bound Encryption (ABE), introduced in 2024, and employs ChromeElevator-style techniques seen in other stealers.

Why is it noteworthy?

SantaStealer stands out because it lowers the barrier to entry for cybercriminals through affordable MaaS subscription plans ($175–$300), a polished affiliate panel, and Telegram-based distribution. Its modular design enables broad data theft—credentials, cookies, crypto assets, PII, and app tokens—fueling account takeover and financial fraud. While current anti-analysis measures appear basic, its in-memory execution and Chrome ABE bypass raise detection complexity and could evolve post-release. Rapid7’s observation of a Telegram release announcement signals imminent operationalization, making this threat both accessible and impactful.

What is the exposure or risk?

This new MaaS poses significant risks to both organizations and consumers, including credential and session theft across browsers and apps, enabling account takeover, business email compromise (BEC), and fraud. Premium features add crypto wallet targeting and clipper functionality, leading to direct financial loss. The malware also exfiltrates sensitive documents and screenshots, creating privacy, IP, and compliance exposure. Its in-memory execution and unencrypted HTTP exfiltration over port 6767 complicate detection, while distribution vectors—phishing, malvertising, pirated software, deceptive YouTube comments, and ClickFix tactics—broaden the attack surface.

What are the recommendations?

Barracuda recommends the following actions to secure your systems against this threat:

  • Block and monitor outbound HTTP traffic to unknown hosts, especially on port 6767; alert on 10MB chunked ZIP-like transfers and unusual plaintext exfiltration patterns.
  • Hunt for indicators tied to SantaStealer modules, such as sudden access to browser SQLite databases, credential vaults, screenshot capture APIs, and Telegram/Discord tokens.
  • Harden endpoint protection policies to block known/suspicious/PUP files and delay execution for cloud reputation checks.
  • Minimize saved passwords and credit cards in browsers.
  • Review Chrome/Edge enterprise policies to control local secret storage and extension trust.
  • Enforce multifactor authentication (MFA) everywhere, along with device posture checks, conditional access, and session revocation for suspected compromises.
  • Monitor for suspicious OAuth/refresh token activity on Telegram, Discord, and Steam-linked identities.
  • Ban pirated software/torrents and unverified plugins or cheats.
  • Educate end-users on holiday-season phishing campaigns and ClickFix social engineering tactics.
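The first two recommendations above, together with the exfiltration behaviour described under "What is the threat?" (10MB ZIP chunks over unencrypted HTTP to port 6767), can be turned into a concrete hunt. The script below is an added example, not part of this advisory and not Barracuda tooling. It parses a constructed key=value proxy log (the field names, the TEST-NET addresses and the body "magic" field are assumptions made for the example, not any vendor's real format), raises one alert per source/destination pair for plaintext HTTP to port 6767, and aggregates ZIP-signed POST bodies of roughly 10 MB to surface the chunked transfer pattern even when the operator changes the port.

```python
"""Added example (not part of the advisory, not Barracuda code): hunt for the
SantaStealer exfiltration pattern in proxy/firewall logs.

Rules implemented, taken from the advisory text:
  1. outbound plaintext HTTP to port 6767;
  2. ZIP-like POST bodies (~10 MB chunks) over plaintext HTTP to hosts
     outside a sanctioned allowlist.
The key=value log format, field names and IP addresses below are
constructed for this example and do not match any specific product.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

CHUNK_SIZE = 10 * 1024 * 1024          # advisory: exfiltration in 10 MB chunks
CHUNK_TOLERANCE = CHUNK_SIZE // 20     # accept +/-5 % around a full chunk
C2_PORT = 6767                         # advisory: hardcoded C2 port
ZIP_MAGIC = "504b0304"                 # "PK\x03\x04", ZIP local file header
KNOWN_HOSTS = {"198.51.100.7"}         # constructed allowlist of sanctioned upload endpoints

# Constructed sample log (TEST-NET addresses, not real traffic). One record per
# line; 'magic' is the hex of the first four request-body bytes as a proxy
# might log it. Assumed format, not a real product's schema.
SAMPLE_LOG = """\
ts=1733990001 src=10.0.0.12 dst=203.0.113.50 dport=6767 proto=http method=POST bytes_out=10485760 ctype=application/octet-stream magic=504b0304
ts=1733990003 src=10.0.0.12 dst=203.0.113.50 dport=6767 proto=http method=POST bytes_out=10485760 ctype=application/octet-stream magic=504b0304
ts=1733990005 src=10.0.0.12 dst=203.0.113.50 dport=6767 proto=http method=POST bytes_out=3145728 ctype=application/octet-stream magic=504b0304
ts=1733990010 src=10.0.0.33 dst=198.51.100.7 dport=443 proto=https method=POST bytes_out=2048 ctype=application/json magic=7b226964
ts=1733990012 src=10.0.0.45 dst=192.0.2.9 dport=80 proto=http method=POST bytes_out=10485760 ctype=application/zip magic=504b0304
ts=1733990020 src=10.0.0.45 dst=192.0.2.9 dport=80 proto=http method=GET bytes_out=512 ctype=- magic=-
"""


@dataclass
class Alert:
    rule: str
    src: str
    dst: str
    dport: int
    detail: str
    total_bytes: int = 0


def parse_line(line: str) -> Dict[str, str]:
    """Split a 'k=v k=v ...' record into a dict (assumed constructed format)."""
    return dict(field.split("=", 1) for field in line.split())


def analyze(log_text: str) -> List[Alert]:
    """Run both rules over a log text and return the alerts in detection order."""
    alerts: List[Alert] = []
    seen_c2: Set[Tuple[str, str]] = set()
    chunks: Dict[Tuple[str, str, int], List[int]] = defaultdict(list)

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        src, dst, dport = rec["src"], rec["dst"], int(rec["dport"])
        plaintext = rec["proto"] == "http"

        # Rule 1: any plaintext HTTP to the advisory's C2 port, once per src/dst pair.
        if plaintext and dport == C2_PORT and (src, dst) not in seen_c2:
            seen_c2.add((src, dst))
            alerts.append(Alert("http-6767", src, dst, dport,
                                f"plaintext HTTP to port {C2_PORT}"))

        # Collect candidate exfil chunks: ZIP-signed POST bodies over plaintext
        # HTTP to destinations that are not sanctioned upload endpoints.
        if (plaintext and rec["method"] == "POST" and rec["magic"] == ZIP_MAGIC
                and dst not in KNOWN_HOSTS):
            chunks[(src, dst, dport)].append(int(rec["bytes_out"]))

    # Rule 2: at least one ~10 MB ZIP chunk from the same source to the same host.
    # The final chunk of a transfer is usually smaller, so it is counted but not
    # required to be full-size.
    for (src, dst, dport), sizes in chunks.items():
        full = [s for s in sizes if abs(s - CHUNK_SIZE) <= CHUNK_TOLERANCE]
        if full:
            alerts.append(Alert("zip-chunk-exfil", src, dst, dport,
                                f"{len(sizes)} ZIP-like POST(s), {len(full)} of ~10 MB",
                                total_bytes=sum(sizes)))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"[{a.rule}] {a.src} -> {a.dst}:{a.dport} {a.detail} ({a.total_bytes} bytes)")
```

In a real deployment the only part that changes is `parse_line`, which would read the SIEM's or proxy's own schema; the two rules stay the same. Note that rule 2 deliberately ignores HTTPS uploads, matching the advisory's description of plaintext exfiltration, so a sanctioned 10 MB archive upload over TLS is not flagged.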

References

For more in-depth information about the recommendations, please visit the following links:

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.

This post originally appeared on Smarter MSP.