A new malware-as-a-service infostealer called SantaStealer has been released and is being offered for sale on Telegram and underground cybercrime forums. Security researchers have identified the tool as a rebranded successor to an earlier project known as BluelineStealer. The developers are promoting the malware to cybercriminals ahead of the end of 2025, offering subscription-style access and lifetime licences.

SantaStealer is designed to run on Windows systems from version 7 through 11 and to operate largely in memory, evading traditional file-based detection by antivirus and endpoint protection tools. Its developers advertise it as capable of harvesting a broad range of sensitive information and exfiltrating the stolen data to command-and-control servers. Researchers and analysts said this type of threat reflects the evolution of the malware ecosystem toward a commercial model that lowers barriers to entry for attackers.

Rapid7 Labs, a cybersecurity research organization, said the project was initially observed while still in development, but that it has recently been declared production-ready and officially released. Operators are using Telegram channels and Russian-language underground forums to attract affiliates and buyers interested in using the tool for their own operations. The use of such messaging platforms for distribution continues a trend in which threat actors leverage readily accessible social apps to promote and sell illicit tools.

The SantaStealer offering includes multiple pricing tiers that resemble legitimate software subscription models. Basic access is advertised at around USD 175 per month, with a premium subscription priced at about USD 300 per month, and a lifetime licence available for approximately USD 1,000. These prices include access to a web panel that allows customers to configure the malware’s behaviour and manage stolen data collection.

Researchers said SantaStealer’s features enable modular data collection, with separate components targeting browser credentials, documents and cryptocurrency wallets. In addition to harvesting passwords and cookies from popular browsers, the malware can collect data from messaging applications, gaming platforms and other locally stored information on infected machines. The collected files are compressed and sent to remote servers in chunks to facilitate exfiltration.

Although the operators claim advanced evasion and anti-analysis capabilities, early samples analyzed by Rapid7 contained unencrypted strings and export symbols that make them easier for defenders to analyze. Security specialists said this suggests that, despite bold marketing claims, the malware may not yet have sophisticated stealth features that are typical of more mature threats.

SantaStealer’s development highlights a broader shift in cybercrime toward professionalized malware services that blend traditional hacking tools with commercial distribution and pricing models. Infostealers distributed under a malware-as-a-service model allow less experienced attackers to purchase ready-made tools rather than develop their own, increasing the volume of potential attacks.

Cybersecurity advisers recommend that organizations and individuals exercise caution with unverified code and avoid running software from untrusted sources. Users should scrutinize links and attachments in emails, avoid downloading unauthorized applications and maintain up-to-date security protections to reduce the risk of compromise by threats such as SantaStealer.