A Russian-speaking developer is currently promoting SantaStealer through a subscription model, offering a basic package for 175 dollars and a premium version for 300 dollars per month. The operation appears to be a rebranding of a previous malware project known as BluelineStealer. Researchers from Rapid7 have been tracking the project as the developer attempts to scale up operations and attract affiliates before a scheduled full-scale launch at the end of the year.
While the malware is advertised as operating entirely in memory to bypass traditional file-based antivirus detection, technical analysis suggests these claims are largely exaggerated. Researchers who examined several samples found that the malware is actually quite easy to detect and analyze in its current state. The developer has made several amateur mistakes, such as leaking samples that contain unencrypted strings and symbol names, which significantly simplifies the work for security professionals trying to block it.
The investigation into the malware’s infrastructure allowed researchers to gain access to the affiliate web panel used by customers. This dashboard is designed with a user-friendly interface that allows cybercriminals to customize their attacks. Users can choose between a comprehensive data theft configuration or more targeted, lean payloads that focus on specific types of sensitive information depending on their goals.
The premature exposure of the malware’s source code and functional samples suggests a significant lack of operational security on the part of the developer. Rapid7 noted that while the creator may still be working on the promised anti-analysis features, the current versions are far from the “undetectable” status promised in the marketing materials. These errors have likely undermined much of the effort put into the rebranding and development of the tool.
Despite these technical shortcomings and poor security practices, SantaStealer remains a threat due to its accessibility to low-level cybercriminals. The malware includes multiple mechanisms for stealing user data, and the subscription model makes it easy for anyone with a small budget to launch an information-stealing campaign. As the developer continues to refine the project for its year-end release, security teams are advised to monitor for indicators of compromise associated with this evolving threat.
Source: New SantaStealer Malware Steals Data From Browsers And Crypto Wallets
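The point in the article that the leaked samples carry unencrypted strings and symbol names, and its closing advice to monitor for indicators of compromise, can be illustrated with a small string-scanning check. The following is an added example, not code from the article or from Rapid7: it extracts printable ASCII and UTF-16LE runs from a byte blob the way the `strings` utility does, matches them against a watch-list, and then shows the caveat that the same check finds nothing once the strings are obfuscated (here with a single-byte XOR standing in for the string encryption the developer has promised). The sample bytes, the host name `panel.example.invalid`, the symbol name `CollectBrowserData` and the watch-list entries are all constructed for this example and are not indicators taken from the page.

```python
"""String-based triage of a sample: added example, not the article's or Rapid7's code."""
import re
from typing import Dict, Iterable, List

# Constructed watch-list. Only "SantaStealer" is a name that appears in the
# article; the host and symbol name are placeholders invented for this example.
WATCHLIST = {
    "panel_host": "panel.example.invalid",   # constructed placeholder C2 host
    "symbol": "CollectBrowserData",          # constructed leaked symbol name
    "marker": "SantaStealer",                # family name quoted in the article
}

# Constructed stand-in for a leaked build: a fake header, a plaintext URL,
# a plaintext symbol name and a UTF-16LE version banner, padded with junk.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"http://panel.example.invalid/gate.php\x00\x00"
    + b"CollectBrowserData\x00\x00"
    + "SantaStealer v1".encode("utf-16-le") + b"\x00\x00"
    + b"\x7f\x01\x02" * 8
)


def extract_strings(blob: bytes, min_len: int = 6) -> List[str]:
    """Return printable ASCII and UTF-16LE runs of at least min_len characters,
    mirroring what the `strings` tool reports on an unobfuscated binary."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_run.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in utf16_run.finditer(blob)]
    return found


def match_indicators(strings: Iterable[str],
                     watchlist: Dict[str, str] = WATCHLIST) -> Dict[str, List[str]]:
    """Map each watch-list label to the extracted strings that contain its needle.
    An empty dict means no indicator from the list was seen in plaintext."""
    strings = list(strings)
    hits: Dict[str, List[str]] = {}
    for label, needle in watchlist.items():
        matched = [s for s in strings if needle in s]
        if matched:
            hits[label] = matched
    return hits


def xor_bytes(blob: bytes, key: int) -> bytes:
    """Single-byte XOR over the whole blob. This stands in for the string
    encryption the developer advertises but has not shipped; it is enough to
    make a plaintext watch-list miss, which is the caveat of this technique."""
    return bytes(b ^ key for b in blob)


if __name__ == "__main__":
    plain_hits = match_indicators(extract_strings(SAMPLE))
    print("plaintext build:", plain_hits)
    obf_hits = match_indicators(extract_strings(xor_bytes(SAMPLE, 0x5A)))
    print("obfuscated build:", obf_hits)
```

Run it and the plaintext build yields a hit for every watch-list entry, while the XOR-obfuscated copy yields none: string matching is cheap and effective exactly as long as the author keeps leaking plaintext, so it should be one layer of detection, not the only one.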
Interesting that the dev leaked unencrypted strings and symbols before launch. The subscription model for malware-as-a-service keeps lowering the bar for entry-level attackers tho, even if this particular build is sloppy. Once saw a whole infostealer panel get pwned because the admin panel was literally using default creds, so OpSec failures go both ways I guess lol.