Saved February 14, 2026
Do you care about this?
A new infostealer called SantaStealer has been launched, promoting itself on Telegram and underground forums. This malware collects sensitive data and aims to evade detection by operating in-memory, though initial samples reveal weaknesses in its design and execution.
If you do, here's more
Rapid7 Labs has identified a new information-stealing malware called SantaStealer, currently being promoted on Telegram and underground forums. Initially known as BluelineStealer, this malware is designed to gather sensitive data, including documents, credentials, and cryptocurrency wallets, while operating entirely in memory to evade detection. The malware sends stolen data to a command-and-control (C2) server via unencrypted HTTP in 10 MB chunks. Despite claims of being "fully undetected," samples of SantaStealer have already been found, revealing its inner workings and suggesting the developers' operational security is lacking.
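The exfiltration pattern described above (plain HTTP, fixed 10 MB chunks to one C2 host) is something a SOC can hunt for in proxy logs without any sample-specific indicator. The following detection script is an added example and is not code from the article or from Rapid7; the log format, hostnames and IP addresses are constructed for the example, and the 5% size tolerance is an assumption that absorbs request framing overhead and the ambiguity between 10 MB and 10 MiB.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log lines (not from the article). Fields are:
# timestamp, client IP, method, URL, HTTP status, request body size in bytes.
SAMPLE_LOG = """\
2026-02-14T09:00:01Z 10.0.0.15 POST http://203.0.113.7/upload 200 10485760
2026-02-14T09:00:04Z 10.0.0.15 POST http://203.0.113.7/upload 200 10485760
2026-02-14T09:00:07Z 10.0.0.15 POST http://203.0.113.7/upload 200 10485760
2026-02-14T09:00:10Z 10.0.0.15 POST http://203.0.113.7/upload 200 3145728
2026-02-14T09:01:00Z 10.0.0.22 GET http://intranet.example/page 200 0
2026-02-14T09:02:00Z 10.0.0.22 POST https://files.example/api 200 10485760
2026-02-14T09:03:00Z 10.0.0.31 POST http://cdn.example/metrics 200 2048
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")
CHUNK_SIZE = 10 * 1024 * 1024  # the 10 MB chunk size reported in the article


def parse_log(log_text):
    """Yield (timestamp, client, method, url, status, body_bytes) per well-formed line.
    Malformed lines are skipped so one bad record cannot abort the whole hunt."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, method, url, status, size = m.groups()
        yield ts, client, method, url, int(status), int(size)


def is_full_chunk(size, chunk_size=CHUNK_SIZE, tolerance=0.05):
    """True when a request body is within +/- tolerance of the expected chunk size.
    The tolerance (an assumption) covers framing overhead and 10 MB vs 10 MiB."""
    return abs(size - chunk_size) <= chunk_size * tolerance


def find_chunked_http_exfil(log_text, chunk_size=CHUNK_SIZE, min_chunks=2):
    """Return sorted (client, host, chunk_count) triples for clients that POSTed
    at least min_chunks full-size bodies over plain HTTP to the same host.
    HTTPS traffic is ignored because the article describes unencrypted HTTP;
    the final, smaller trailing chunk is deliberately not counted."""
    counts = defaultdict(int)
    for _ts, client, method, url, _status, size in parse_log(log_text):
        parts = urlsplit(url)
        if method != "POST" or parts.scheme != "http":
            continue
        if is_full_chunk(size, chunk_size):
            counts[(client, parts.hostname)] += 1
    return sorted((c, h, n) for (c, h), n in counts.items() if n >= min_chunks)


if __name__ == "__main__":
    for client, host, n in find_chunked_http_exfil(SAMPLE_LOG):
        print(f"ALERT {client} sent {n} full 10 MB chunks over plain HTTP to {host}")
```

On the constructed log only 10.0.0.15 is flagged: 10.0.0.22 sends a 10 MB body over HTTPS and 10.0.0.31 posts small telemetry. Raising `min_chunks` trades recall for precision; in a real deployment the host allow-list for legitimate bulk uploaders (backup agents, file-sharing services) belongs in front of this check rather than inside it.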
The malware is distributed as a Windows DLL, which includes over 500 exported symbols that hint at its functionality. Interestingly, the configuration for the stealer includes options for buyers to avoid targeting victims in Russian-speaking countries, indicating the operators are likely Russian. The pricing model for SantaStealer includes a basic version at $175 per month and a premium version at $300. The developers boast about anti-analysis techniques and deployment in complex environments, but the actual samples analyzed show vulnerabilities that could undermine these claims.
The analysis of SantaStealer reveals that its configuration and C2 server details are embedded in plain text, making analysis and detection easier. The malware includes functionality to check for virtual machines and can alter its behavior based on the user's location. If a Russian keyboard layout is detected, it stops execution. The presence of hardcoded strings and clear naming conventions exposes its processes, suggesting that while the malware may evolve, its current state is far from sophisticated.