SantaStealer is now targeting crypto wallets - Coinfea

Coinfea · 2025-12-21T13:08:53+00:00

Researchers have identified SantaStealer, a malware targeting crypto wallets by extracting private data. A rebrand of BluelineStealer, it is offered on Telegram as a subscription service, boasting features like VPN bypass and comprehensive data theft capabilities, although its effectiveness is questioned.

Coinfea

2025-12-21 13:08:53

Abstract generation in progress

Researchers have revealed that a new malware, SantaStealer, is now targeting crypto wallets. The malware-as-a-service (MaaS) extracts private data linked to any type of crypto.

Researchers at Rapid7 say that SantaStealer is a rebrand of another infostealer called BluelineStealer. The developer of SantaStealer is rumored to be preparing a wider launch before the year ends. At the moment, the malware is advertised on Telegram and hacker forums, and offered as a subscription service. Basic access costs $175 per month, while Premium access is more expensive and costs $300. The SantaStealer malware developers claim enterprise-level capability with antivirus bypasses and corporate network access.

SantaStealer now steals private data from wallets

SantaStealer basically focuses on crypto wallets, with the malware targeting crypto wallet apps like Exodus and browser extensions like MetaMask. It is designed to extract private data linked to digital assets. The malware doesn’t stop there, as it also steals browser data, including passwords, cookies, browsing history, and saved credit card information.

Messaging platforms such as Telegram and Discord are targeted as well. Steam data and local documents are included. The malware can also capture desktop screenshots. To do this, it drops or loads an embedded executable. That executable decrypts and injects code into the browser. This allows access to protected keys. SantaStealer also runs many data collection modules simultaneously.

Each module operates in its own thread. Stolen data is written to memory, compressed into ZIP files, and exfiltrated in 10MB chunks. The data is sent to a hardcoded command-and-control server over port 6767. To reach wallet data stored in browsers, the malware bypasses Chrome’s App-Bound Encryption, which was introduced in July of 2024. According to Rapid7, multiple info-stealers have already defeated it.

The malware is marketed as advanced, with total evasion. But Rapid7 security researchers say the malware does not match those claims. Current samples are easy to analyze, and they expose symbols and readable strings. This suggests rushed development and weak operational security. “The anti-analysis and stealth capabilities of the stealer advertised in the web panel remain very basic and amateurish, with only the third-party Chrome decryptor payload being somewhat hidden,” wrote Milan Spinka from Rapid7.

The affiliate panel of SantaStealer is polished. Operators can customize builds, and they can steal everything or focus only on wallet and browser data. The options also allow operators to exclude the Commonwealth of Independent States (CIS) region and delay execution. SantaStealer has not yet spread on a large scale, and its delivery method remains unclear. Recent campaigns favor ClickFix attacks since victims are tricked into pasting malicious commands into Windows terminals.

This page may contain third-party content, which is provided for information purposes only (not representations/warranties) and should not be considered as an endorsement of its views by Gate, nor as financial or professional advice. See Disclaimer for details.