SantaStealer Malware Targets Crypto Wallets and Browsers: The Holiday Heist No One Wanted
Your crypto isn't safe—even from Saint Nick. A new strain of malware, dubbed 'SantaStealer,' is making the rounds, and it's got a very specific wishlist: your digital assets and browser data.
How the Heist Works
Forget chimney entries. This malware bypasses traditional defenses, slipping onto systems through phishing lures or compromised software. Once inside, it cuts a direct path to where the valuables are stored.
The Target List
The software doesn't discriminate. It systematically scans for and extracts data from a wide range of cryptocurrency wallet extensions and applications. Browser cookies, saved passwords, and session data are all scooped up in the same sweep—handing attackers the keys to both your digital vault and your online identity.
Why This One Stings
It's a stark reminder that security is a full-time job, even during the holidays. The tools for self-custody come with the ultimate responsibility: there's no fraud department to call when your seed phrase gets stolen. In the high-stakes world of crypto, sometimes the biggest risk isn't market volatility—it's forgetting to check who's really coming down your digital chimney. Just another day where the 'security' in 'financial security' feels like the weakest link.
SantaStealer targets crypto wallets
Crypto wallets are the main focus of SantaStealer. The malware targets crypto wallet apps like Exodus and browser extensions like MetaMask. It is designed to extract private data linked to digital assets.
The malware doesn’t stop there. It also steals browser data, including passwords, cookies, browsing history, and saved credit card information. Messaging platforms such as Telegram and Discord are targeted as well. Steam data and local documents are included. The malware can also capture desktop screenshots.
To do this, it drops or loads an embedded executable. That executable decrypts and injects code into the browser. This allows access to protected keys.
SantaStealer runs many data collection modules simultaneously. Each module operates in its own thread. Stolen data is written to memory, compressed into ZIP files, and exfiltrated in 10MB chunks. The data is sent to a hardcoded command-and-control server over port 6767.
To reach wallet data stored in browsers, the malware bypasses Chrome’s App-Bound Encryption, which was introduced in July of 2024. According to Rapid7, multiple info-stealers have already defeated it.
The malware is marketed as advanced, with total evasion. But Rapid7 security researchers say the malware does not match those claims. Current samples are easy to analyze, and they expose symbols and readable strings. This suggests rushed development and weak operational security.
“The anti-analysis and stealth capabilities of the stealer advertised in the web panel remain very basic and amateurish, with only the third-party Chrome decryptor payload being somewhat hidden,” wrote Milan Spinka from Rapid7.
The affiliate panel of SantaStealer is polished. Operators can customize builds, and they can steal everything or focus only on wallet and browser data. The options also allow operators to exclude the Commonwealth of Independent States (CIS) region and delay execution.
SantaStealer has not yet spread on a large scale, and its delivery method remains unclear. Recent campaigns favor ClickFix attacks since victims are tricked into pasting malicious commands into Windows terminals.
According to the researchers, other malware delivery paths remain common. These include phishing emails, pirated software, torrents, malvertising, and deceptive YouTube comments.
Security researchers advise crypto users to stay alert and avoid unknown links and attachments.
Spinka wrote, “Avoid running any kind of unverified code from sources such as pirated software, videogame cheats, unverified plugins, and extensions.”
Want your project in front of crypto’s top minds? Feature it in our next industry report, where data meets impact.
