Verticals Targeted: Not specified
Regions Targeted: Not specified
Related Families: BluelineStealer, ChromElevator
Executive Summary
SantaStealer is a new information stealer actively marketed on Telegram channels and underground forums, with a planned release before the end of 2025. Analysis of leaked samples reveals a discrepancy between the operators' bold claims of advanced evasion and the malware's current rudimentary implementation.
Key Takeaways
- Leaked unobfuscated SantaStealer samples, including DLLs with descriptive exported symbols and plain text strings, expose significant operational security lapses despite advertisements of full undetectability and a custom polymorphic engine.
- The malware, written in C, incorporates statically linked libraries such as cJSON for JSON parsing, miniz for compression, and sqlite3 for database interactions.
- Key functionalities include in-memory data collection from browsers, applications like Telegram and Discord, screenshots, and documents, followed by ZIP compression and exfiltration in chunks over plain HTTP.
- Anti-analysis measures remain basic, with variations across samples involving process blacklists, uptime checks, or service queries, while an optional CIS country exclusion relies on keyboard layout detection.
What is SantaStealer?
Researchers at Rapid7 Labs detected initial samples of SantaStealer in early December 2025, triggering generic infostealer alerts similar to those associated with Raccoon variants. These samples manifested as 64-bit Windows DLLs featuring hundreds of exported functions with revealing names like "payload_main" and "check_antivm," alongside unencrypted strings indicating credential harvesting intent. The unintended exposure of symbols from statically linked components facilitated rapid identification of dependencies.
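The exposed export names are the quickest triage handle a defender has on these builds. The script below is an added example, not code from the report or from Rapid7; it parses a dumpbin-style export listing, buckets the symbols by the statically linked library they belong to (cJSON, miniz, sqlite3 prefixes) and flags names that reveal intent. The listing itself is constructed: only payload_main and check_antivm are names quoted by the report, every other symbol is hypothetical.

```python
import re
from collections import Counter

# Constructed stand-in for `dumpbin /EXPORTS` output (ordinal, hint, RVA, name).
# Only payload_main and check_antivm are names quoted in the report; the rest are
# hypothetical, with library symbols following the public cJSON, miniz and sqlite3
# APIs. No real sample was used to build this listing.
SAMPLE_EXPORT_LISTING = """\
    ordinal hint RVA      name
          1    0 00011000 init_config
          2    1 00011230 payload_main
          3    2 00011560 check_antivm
          4    3 00011890 collect_browsers
          5    4 00011A10 send_chunk
          6    5 00020000 cJSON_Parse
          7    6 00020150 cJSON_GetObjectItem
          8    7 00020300 cJSON_Delete
          9    8 00030000 mz_zip_writer_init_heap
         10    9 00030220 mz_zip_writer_add_mem
         11    A 00030400 mz_compress
         12    B 00040000 sqlite3_open
         13    C 00040180 sqlite3_prepare_v2
         14    D 00040300 sqlite3_step
         15    E 00040480 sqlite3_column_text
"""

# One export per line: decimal ordinal, hex hint, 8-digit hex RVA, symbol name.
EXPORT_LINE = re.compile(r"^\s*(\d+)\s+([0-9A-Fa-f]+)\s+([0-9A-Fa-f]{8})\s+(\S+)\s*$")

# Symbol prefixes of the statically linked libraries the report identifies.
LIBRARY_PREFIXES = {"cJSON": "cJSON_", "miniz": "mz_", "sqlite3": "sqlite3_"}

# Words that give a function's purpose away; the first two come from the report,
# the rest are an assumed extension of that idea.
REVEALING = re.compile(r"payload|anti.?vm|steal|grab|exfil|inject|browser", re.I)


def parse_export_listing(text):
    """Return the exported symbol names found in a dumpbin-style listing."""
    names = []
    for line in text.splitlines():
        m = EXPORT_LINE.match(line)
        if m:
            names.append(m.group(4))
    return names


def fingerprint_exports(names):
    """Bucket exports by library, flag revealing names, and judge whether the
    build shipped unstripped (a real release would export almost nothing)."""
    libs = Counter()
    revealing, other = [], []
    for name in names:
        lib = next((l for l, p in LIBRARY_PREFIXES.items() if name.startswith(p)), None)
        if lib:
            libs[lib] += 1
        elif REVEALING.search(name):
            revealing.append(name)
        else:
            other.append(name)
    return {
        "total": len(names),
        "libraries": dict(libs),
        "revealing": revealing,
        "other": other,
        "unstripped": bool(revealing) or bool(libs),
    }


if __name__ == "__main__":
    print(fingerprint_exports(parse_export_listing(SAMPLE_EXPORT_LISTING)))
```

The library buckets are what let an analyst name dependencies without disassembling anything; the same prefixes make good YARA or sandbox-rule material, but keep the revealing-name list as a triage hint rather than a verdict, since legitimate software exports similar words.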
Promotion occurs primarily through a dedicated Telegram channel and a Russian-language forum, with an affiliate panel offering build customization, pricing at $175 monthly for basic access or $300 for premium features, and purported antivirus bypasses. Indicators such as the panel's .su domain and configurable avoidance of Russian-speaking systems suggest operators of likely Russian origin, a common trait in the infostealer ecosystem.
Technical examination of executable and DLL builds demonstrates a modular, multi-threaded architecture. Execution commences with configuration checks, including delayed starts and optional termination upon detecting CIS-region indicators via keyboard layouts. Anti-virtual machine routines vary but generally involve straightforward queries for blacklisted processes, directories, or services.
Credential theft targets Chromium-based browsers through an embedded executable that decrypts and reflectively loads a DLL employing direct syscalls to inject into legitimate processes, enabling access to protected data. Additional modules handle environment variables, screenshots, document grabs, and targeted exfiltration from specific applications. Collected data is aggregated in memory before being compressed into a ZIP archive, which is split into 10 MB segments and uploaded via unencrypted HTTP POST requests to a hard-coded C2 endpoint. Headers include unique identifiers and campaign tags.
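The exfiltration pattern described above (a ZIP archive cut into 10 MB segments and pushed over plain HTTP POST to one endpoint) is visible in proxy or egress logs even when the archive contents are not. The following is an added detection example, not code from the report: it groups POST requests by client and destination URL, slides a time window over them, and alerts when at least two bodies are at or near the 10 MB segment size. The log format and every address in the sample lines are constructed; the segment size is the value the report gives, and the header names the malware uses are not published here, so the heuristic relies on size and cadence alone.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

CHUNK_SIZE = 10 * 1024 * 1024   # 10 MB segment size the report attributes to the uploads
SLACK = 0.02                    # tolerate a 2% deviation from a full segment
MIN_FULL_CHUNKS = 2             # two full-size segments in one window trigger an alert
WINDOW = timedelta(minutes=10)  # assumed upload cadence; tune to your environment

# Constructed proxy log lines (assumed format:
#   ts src method scheme host path status request_bytes content_type).
# Addresses are documentation ranges, not real infrastructure.
SAMPLE_LOG = """\
2025-12-03T10:15:01Z 10.0.0.5 POST http 203.0.113.10 /upload 200 10485760 application/zip
2025-12-03T10:15:09Z 10.0.0.5 POST http 203.0.113.10 /upload 200 10485760 application/zip
2025-12-03T10:15:17Z 10.0.0.5 POST http 203.0.113.10 /upload 200 3145728 application/zip
2025-12-03T10:16:00Z 10.0.0.7 POST https 198.51.100.20 /api/backup 200 10485760 application/octet-stream
2025-12-03T10:20:00Z 10.0.0.5 GET http 203.0.113.10 / 200 0 -
2025-12-03T10:21:00Z 10.0.0.9 POST http 192.0.2.30 /form 200 512 application/x-www-form-urlencoded
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+) (\S+)$")


def parse_line(line):
    """Parse one log line into a record, or return None if it does not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, method, scheme, host, path, status, size, ctype = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "src": src, "method": method, "scheme": scheme, "host": host,
        "path": path, "status": int(status), "bytes": int(size), "ctype": ctype,
    }


def is_full_chunk(nbytes):
    """True when a request body is within SLACK of the full segment size."""
    return abs(nbytes - CHUNK_SIZE) <= CHUNK_SIZE * SLACK


def find_chunked_uploads(lines):
    """Return one alert per (client, URL) that sent >= MIN_FULL_CHUNKS full
    segments inside WINDOW; the trailing partial segment is counted too."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST":
            groups[(rec["src"], rec["scheme"], rec["host"], rec["path"])].append(rec)

    alerts = []
    for (src, scheme, host, path), recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        best = None
        for i, start in enumerate(recs):
            window = [r for r in recs[i:] if r["ts"] - start["ts"] <= WINDOW]
            full = sum(1 for r in window if is_full_chunk(r["bytes"]))
            if full >= MIN_FULL_CHUNKS and (best is None or len(window) > len(best)):
                best = window
        if best:
            alerts.append({
                "src": src,
                "dst": f"{scheme}://{host}{path}",
                "requests": len(best),
                "full_chunks": sum(1 for r in best if is_full_chunk(r["bytes"])),
                "bytes": sum(r["bytes"] for r in best),
                "plaintext": scheme == "http",   # the report notes uploads are unencrypted HTTP
            })
    return alerts


if __name__ == "__main__":
    for alert in find_chunked_uploads(SAMPLE_LOG.splitlines()):
        print(alert)
```

The single HTTPS upload from 10.0.0.7 is deliberately left unflagged: one large POST is ordinary backup or sync traffic, whereas a run of equal-sized segments to the same URL is the stealer's signature. If your proxy logs request headers, the per-victim identifier and campaign tag the report mentions give a second, stronger pivot for clustering infected hosts.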
Although operators tout fileless operations and sophisticated defenses, current SantaStealer samples exhibit limited stealth, with plain text configurations and C2 details readily extractable. The shift toward in-memory execution represents progress, yet overall capabilities appear underdeveloped compared to established competitors. PolySwarm analysts consider SantaStealer to be an emerging threat.
IOCs
PolySwarm has multiple samples of SantaStealer.
1a277cba1676478bf3d47bec97edaa14f83f50bdd11e2a15d9e0936ed243fd64
abbb76a7000de1df7f95eef806356030b6a8576526e0e938e36f71b238580704
5db376a328476e670aeefb93af8969206ca6ba8cf0877fd99319fa5d5db175ca
a8daf444c78f17b4a8e42896d6cb085e4faad12d1c1ae7d0e79757e6772bddb9
5c51de7c7a1ec4126344c66c70b71434f6c6710ce1e6d160a668154d461275ac
48540f12275f1ed277e768058907eb70cc88e3f98d055d9d73bf30aa15310ef3
99fd0c8746d5cce65650328219783c6c6e68e212bf1af6ea5975f4a99d885e59
ad8777161d4794281c2cc652ecb805d3e6a9887798877c6aa4babfd0ecb631d2
73e02706ba90357aeeb4fdcbdb3f1c616801ca1affed0a059728119bd11121a4
e04936b97ed30e4045d67917b331eb56a4b2111534648adcabc4475f98456727
66fef499efea41ac31ea93265c04f3b87041a6ae3cd14cd502b02da8cc77cca8
4edc178549442dae3ad95f1379b7433945e5499859fdbfd571820d7e5cf5033c
926a6a4ba8402c3dd9c33ceff50ac957910775b2969505d36ee1a6db7a9e0c87
9b017fb1446cdc76f040406803e639b97658b987601970125826960e94e9a1a6
f81f710f5968fea399551a1fb7a13fad48b005f3c9ba2ea419d14b597401838c
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.