Date: 12/23/2025
Severity: High
Summary
SantaStealer is a newly emerging malware-as-a-service infostealer promoted on Telegram and underground forums, with a planned release before the end of 2025. Recently rebranded from BluelineStealer, it is designed to steal credentials, documents, wallets, and application data while operating entirely in memory to evade detection. Although marketed as a highly advanced, fully undetected C-based stealer, available samples show limited obfuscation, allowing researchers to assess its actual capabilities and sophistication.
Indicators of Compromise (IOC) List

Type | Value
IP Address | 31.57.38.244
IP Address | 80.76.49.114
Hash (SHA-256) | 1a277cba1676478bf3d47bec97edaa14f83f50bdd11e2a15d9e0936ed243fd64
Hash (SHA-256) | abbb76a7000de1df7f95eef806356030b6a8576526e0e938e36f71b238580704
Hash (SHA-256) | 5db376a328476e670aeefb93af8969206ca6ba8cf0877fd99319fa5d5db175ca
Hash (SHA-256) | a8daf444c78f17b4a8e42896d6cb085e4faad12d1c1ae7d0e79757e6772bddb9
Hash (SHA-256) | 5c51de7c7a1ec4126344c66c70b71434f6c6710ce1e6d160a668154d461275ac
Hash (SHA-256) | 48540f12275f1ed277e768058907eb70cc88e3f98d055d9d73bf30aa15310ef3
Hash (SHA-256) | 99fd0c8746d5cce65650328219783c6c6e68e212bf1af6ea5975f4a99d885e59
Hash (SHA-256) | ad8777161d4794281c2cc652ecb805d3e6a9887798877c6aa4babfd0ecb631d2
Hash (SHA-256) | 73e02706ba90357aeeb4fdcbdb3f1c616801ca1affed0a059728119bd11121a4
Hash (SHA-256) | e04936b97ed30e4045d67917b331eb56a4b2111534648adcabc4475f98456727
Hash (SHA-256) | 66fef499efea41ac31ea93265c04f3b87041a6ae3cd14cd502b02da8cc77cca8
Hash (SHA-256) | 4edc178549442dae3ad95f1379b7433945e5499859fdbfd571820d7e5cf5033c
Hash (SHA-256) | 926a6a4ba8402c3dd9c33ceff50ac957910775b2969505d36ee1a6db7a9e0c87
Hash (SHA-256) | 9b017fb1446cdc76f040406803e639b97658b987601970125826960e94e9a1a6
Hash (SHA-256) | f81f710f5968fea399551a1fb7a13fad48b005f3c9ba2ea419d14b597401838c
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1:
dstipaddress IN ("31.57.38.244","80.76.49.114") or srcipaddress IN ("31.57.38.244","80.76.49.114")
Detection Query 2:
sha256hash IN ("1a277cba1676478bf3d47bec97edaa14f83f50bdd11e2a15d9e0936ed243fd64","e04936b97ed30e4045d67917b331eb56a4b2111534648adcabc4475f98456727","f81f710f5968fea399551a1fb7a13fad48b005f3c9ba2ea419d14b597401838c","4edc178549442dae3ad95f1379b7433945e5499859fdbfd571820d7e5cf5033c","48540f12275f1ed277e768058907eb70cc88e3f98d055d9d73bf30aa15310ef3","5db376a328476e670aeefb93af8969206ca6ba8cf0877fd99319fa5d5db175ca","66fef499efea41ac31ea93265c04f3b87041a6ae3cd14cd502b02da8cc77cca8","99fd0c8746d5cce65650328219783c6c6e68e212bf1af6ea5975f4a99d885e59","abbb76a7000de1df7f95eef806356030b6a8576526e0e938e36f71b238580704","926a6a4ba8402c3dd9c33ceff50ac957910775b2969505d36ee1a6db7a9e0c87","a8daf444c78f17b4a8e42896d6cb085e4faad12d1c1ae7d0e79757e6772bddb9","5c51de7c7a1ec4126344c66c70b71434f6c6710ce1e6d160a668154d461275ac","ad8777161d4794281c2cc652ecb805d3e6a9887798877c6aa4babfd0ecb631d2","73e02706ba90357aeeb4fdcbdb3f1c616801ca1affed0a059728119bd11121a4","9b017fb1446cdc76f040406803e639b97658b987601970125826960e94e9a1a6")
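As an added example (not part of the advisory and not Gurucul's tooling), the Python script below applies the same two matches as the TDIR queries above to JSON-lines telemetry: exact match on the C2 IP addresses in either direction, and case-insensitive match on the SHA-256 hashes. The field names srcipaddress, dstipaddress and sha256hash are taken from the queries; the host field, the JSON-lines format and the sample events are assumptions constructed for the demonstration. Malformed lines are skipped rather than aborting the scan, and the resulting alert records can be handed to whatever ticketing or SIEM pipeline is in use.

```python
import json

# IOCs transcribed from the advisory's IOC list (IPs and SHA-256 hashes).
IOC_IPS = frozenset({"31.57.38.244", "80.76.49.114"})
IOC_SHA256 = frozenset({
    "1a277cba1676478bf3d47bec97edaa14f83f50bdd11e2a15d9e0936ed243fd64",
    "abbb76a7000de1df7f95eef806356030b6a8576526e0e938e36f71b238580704",
    "5db376a328476e670aeefb93af8969206ca6ba8cf0877fd99319fa5d5db175ca",
    "a8daf444c78f17b4a8e42896d6cb085e4faad12d1c1ae7d0e79757e6772bddb9",
    "5c51de7c7a1ec4126344c66c70b71434f6c6710ce1e6d160a668154d461275ac",
    "48540f12275f1ed277e768058907eb70cc88e3f98d055d9d73bf30aa15310ef3",
    "99fd0c8746d5cce65650328219783c6c6e68e212bf1af6ea5975f4a99d885e59",
    "ad8777161d4794281c2cc652ecb805d3e6a9887798877c6aa4babfd0ecb631d2",
    "73e02706ba90357aeeb4fdcbdb3f1c616801ca1affed0a059728119bd11121a4",
    "e04936b97ed30e4045d67917b331eb56a4b2111534648adcabc4475f98456727",
    "66fef499efea41ac31ea93265c04f3b87041a6ae3cd14cd502b02da8cc77cca8",
    "4edc178549442dae3ad95f1379b7433945e5499859fdbfd571820d7e5cf5033c",
    "926a6a4ba8402c3dd9c33ceff50ac957910775b2969505d36ee1a6db7a9e0c87",
    "9b017fb1446cdc76f040406803e639b97658b987601970125826960e94e9a1a6",
    "f81f710f5968fea399551a1fb7a13fad48b005f3c9ba2ea419d14b597401838c",
})

# Field names follow the advisory's TDIR queries; other log sources will
# name these fields differently and need a mapping step first.
IP_FIELDS = ("srcipaddress", "dstipaddress")
HASH_FIELDS = ("sha256hash",)


def match_event(event):
    """Return a list of (indicator_type, field, value) hits for one event dict."""
    hits = []
    for field in IP_FIELDS:
        value = event.get(field)
        if value in IOC_IPS:
            hits.append(("ip", field, value))
    for field in HASH_FIELDS:
        value = event.get(field)
        # Hashes are compared lower-cased: EDR and AV products disagree on case.
        if isinstance(value, str) and value.lower() in IOC_SHA256:
            hits.append(("sha256", field, value.lower()))
    return hits


def scan_jsonl(lines):
    """Scan JSON-lines telemetry and return one alert dict per IOC hit.

    Blank lines, non-JSON lines and JSON values that are not objects are
    skipped so that one bad record cannot stop the whole scan.
    """
    alerts = []
    for lineno, raw in enumerate(lines, 1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if not isinstance(event, dict):
            continue
        for kind, field, value in match_event(event):
            alerts.append({
                "line": lineno,
                "type": kind,
                "field": field,
                "value": value,
                "host": event.get("host", "unknown"),  # 'host' is an assumed field
            })
    return alerts


# Constructed sample telemetry (not real data): one outbound connection to a
# listed C2 address, one file event with a listed hash in upper case, one
# benign connection to a documentation-range address, and one malformed line.
SAMPLE_LOG = """\
{"host": "ws-01", "srcipaddress": "10.0.0.5", "dstipaddress": "31.57.38.244", "dstport": 80}
{"host": "ws-02", "sha256hash": "F81F710F5968FEA399551A1FB7A13FAD48B005F3C9BA2EA419D14B597401838C", "process": "setup.exe"}
{"host": "ws-03", "srcipaddress": "10.0.0.7", "dstipaddress": "192.0.2.10", "dstport": 443}
not json at all
"""

if __name__ == "__main__":
    for alert in scan_jsonl(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the constructed sample, the scan reports two alerts (the C2 connection from ws-01 and the upper-cased hash on ws-02) and ignores both the benign connection and the malformed line. Only the hash comparison is case-normalised; IP strings are matched exactly, as in the original query, so telemetry that records addresses with port suffixes or IPv6-mapped forms would need normalising before this check.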
Reference:
https://www.rapid7.com/blog/post/tr-santastealer-is-coming-to-town-a-new-ambitious-infostealer-advertised-on-underground-forums/