SantaStealer

According to Rapid7, this malware collects and exfiltrates sensitive documents, credentials, wallets, and data from a broad range of applications, and aims to operate entirely in-memory to avoid file-based detection. Stolen data is then compressed, split into 10 MB chunks, and sent to a C2 server over unencrypted HTTP.

C2 Infrastructure

Hosting/VPS100%

Last 7 days

Apr 19, 2026

C2 Hosts: 3

Apr 18, 2026

C2 Hosts: 2

Apr 17, 2026

C2 Hosts: 2

Apr 16, 2026

C2 Hosts: 6

Daily C2 host counts for the last 7 days
Date	C2 Hosts
Apr 19, 2026	3
Apr 18, 2026	2
Apr 17, 2026	2
Apr 16, 2026	6

Further Reading

SantaStealer is Coming to Town: A New, Ambitious Infostealer Advertised on Underground Forums | Rapid7 Blog

Rapid7 Website