SantaStealer is the latest malware-as-a-service (MaaS) for Windows that would-be cybercriminals can rent to wreak havoc over Xmas – well, any time really.
Rapid7 has exposed that SantaStealer for Windows is advertised as a subscription model, with tiers priced at approximately US$175 per month (Basic) and $300 per month (Premium). The malware includes 14 distinct data-collection modules, each operating independently to harvest sensitive information. Collected data is written to memory, compressed into ZIP archives, and exfiltrated in 10MB chunks to a hard-coded command-and-control (C2) endpoint over port 6767.
Targeted data includes browser-stored credentials, cookies, browsing history, saved payment details, messaging applications such as Telegram and Discord, gaming platforms including Steam, cryptocurrency wallets and extensions, local documents, and desktop screenshots. The malware also embeds an executable designed to bypass Chrome’s App-Bound Encryption protections introduced in mid-2024, a technique increasingly observed in modern information stealers.
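The exfiltration behaviour described above (ZIP archives pushed in 10MB chunks to a hard-coded C2 endpoint on port 6767) is something network telemetry can be checked for. The following Python script is an added example, not code from Rapid7 or from this article: it runs two detection rules over constructed firewall-style connection-log lines. Rule 1 flags any outbound TCP session to port 6767; rule 2 goes beyond the page's specific port and flags any source/destination pair that produces a run of uploads sized like a 10MB chunk, which would still fire if a later build changed the port. The log format, the sample addresses, the 5% tolerance and the two-chunk alert threshold are assumptions to tune for your own data.

```python
# Added example (not from the Rapid7 report or the CyberShack article):
# a small detector for the exfiltration pattern described above, run over
# constructed connection-log lines. It flags outbound TCP sessions to port
# 6767 and, separately, any destination that receives a run of ~10 MB
# uploads, the chunk size the report describes. Log format, tolerance and
# the alert threshold are assumptions you would tune for your own telemetry.
import re
from collections import defaultdict

C2_PORT = 6767                    # hard-coded C2 port per the report
CHUNK_BYTES = 10 * 1024 * 1024    # 10 MB exfil chunks per the report
TOLERANCE = 0.05                  # +/- 5% around the chunk size (assumption)
MIN_CHUNKS = 2                    # near-chunk uploads before alerting (assumption)

# Constructed log lines in a simple "key=value" firewall/NetFlow style.
# The 10.0.0.30 host is uploading 10 MB chunks over 443, not 6767, to show
# why the size-based rule is worth keeping alongside the port rule.
SAMPLE_LOG = """\
ts=2025-12-17T09:00:01Z src=10.0.0.15 dst=203.0.113.9 proto=tcp dport=6767 bytes_out=10485760
ts=2025-12-17T09:00:12Z src=10.0.0.15 dst=203.0.113.9 proto=tcp dport=6767 bytes_out=10485760
ts=2025-12-17T09:00:25Z src=10.0.0.15 dst=203.0.113.9 proto=tcp dport=6767 bytes_out=3145728
ts=2025-12-17T09:01:00Z src=10.0.0.22 dst=198.51.100.4 proto=tcp dport=443 bytes_out=2048
ts=2025-12-17T09:02:00Z src=10.0.0.30 dst=198.51.100.7 proto=tcp dport=443 bytes_out=10485000
ts=2025-12-17T09:02:30Z src=10.0.0.30 dst=198.51.100.7 proto=tcp dport=443 bytes_out=10486000
ts=2025-12-17T09:03:00Z src=10.0.0.30 dst=198.51.100.7 proto=tcp dport=443 bytes_out=10485760
"""

LINE_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value log line into a dict with typed numeric fields."""
    fields = dict(LINE_RE.findall(line))
    fields["dport"] = int(fields["dport"])
    fields["bytes_out"] = int(fields["bytes_out"])
    return fields


def near_chunk_boundary(n):
    """True when a byte count is within TOLERANCE of the 10 MB chunk size."""
    return abs(n - CHUNK_BYTES) <= CHUNK_BYTES * TOLERANCE


def find_c2_port_hits(records):
    """Rule 1: any outbound TCP session to the documented C2 port."""
    return [r for r in records if r["proto"] == "tcp" and r["dport"] == C2_PORT]


def find_chunked_uploads(records):
    """Rule 2: per (src, dst), count uploads sized like a 10 MB chunk and
    report pairs that reach MIN_CHUNKS, regardless of destination port."""
    counts = defaultdict(int)
    for r in records:
        if near_chunk_boundary(r["bytes_out"]):
            counts[(r["src"], r["dst"])] += 1
    return {pair: n for pair, n in counts.items() if n >= MIN_CHUNKS}


def analyse(log_text):
    """Parse the log text and run both rules; returns a dict of findings."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return {
        "c2_port_hits": find_c2_port_hits(records),
        "chunked_uploads": find_chunked_uploads(records),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for r in result["c2_port_hits"]:
        print(f"[port {C2_PORT}] {r['src']} -> {r['dst']} {r['bytes_out']} bytes at {r['ts']}")
    for (src, dst), n in result["chunked_uploads"].items():
        print(f"[chunked] {src} -> {dst}: {n} uploads sized like a 10 MB chunk")
```

Neither rule is conclusive on its own: a destination port is trivial for a malware author to change, and a run of 10MB uploads is also what a backup client or a cloud-sync tool produces. Treat a hit as a trigger to look at which process on the host opened the connection and whether the destination is a known service, not as proof of infection.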

In simple English, it evades anti-malware detection, fools browser-based detection and uploads whatever data the cybercriminal wants.
How do you avoid SantaStealer?
As Rapid7 just released the information (17/12/25), delivery mechanisms are not fully defined.
While SantaStealer claims it evades AV and Malware detection, you can bet Trend Micro and Norton are well advanced in detecting it. But don’t rely on that until they advise us.
As it’s only for Windows at present, use Mac or Android for financial web transactions. Definitely remove all browser-based passwords and form fillers.
Rapid7 says delivery is most likely via:
- Phishing emails that get you to click on a poisoned link (Read Cybercriminals fly high on air miles, hotel loyalty points and fake points websites).
- The old Microsoft Support Scam, which tricks users into allowing a “support person” to connect to your PC.
- Running unverified code from sources such as pirated software, video game cheats, unverified plugins, and extensions.
The best defence is a layered one – paid Antivirus/malware, phishing protection, locking down users’ privileges, removing browser autofill and passwords, and prohibiting the running of any new software (lower privileges).
CyberShack’s view: SantaStealer for Windows is just the start
SantaStealer is the latest iteration of ‘stealer’ malware. But it’s now pre-packaged for MaaS, and any two-bit, would-be cybercriminal can rent it and use it on their target lists.
Windows, with 75% of the desktop market, is the first target. It won’t be long before versions are released for Mac, iOS, Android and more.
Every day, I get dozens of phishing emails, and Outlook (Paid version) is doing a reasonable job of junking them.
But beware the new Outlook meeting scam. It uses fake calendar invites, often with urgent titles like “Account Suspended,” to trick you into clicking malicious links or downloading attachments, exploiting Outlook’s default setting to auto-add events. To stop them, never interact (don’t click, accept, or decline) with suspicious invites; instead, delete them, report them as phishing/junk, and change your settings to prevent automatic adding of invites, as these confirm your email is active.