Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories.
NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.
New SantaStealer Malware Steals Data from Browsers and Crypto Wallets
(TLP: CLEAR) SantaStealer is a newly identified malware-as-a-service (MaaS) information stealer being promoted on underground Telegram channels and hacker forums ahead of its planned launch before the end of 2025. It is widely considered a rebrand of an earlier project called BluelineStealer, and is advertised with the claim that it operates primarily in-memory to evade file-based detection; however, security researchers from Rapid7 noted that early leaked samples lack many of the stealth and anti-analysis protections touted by its developers, featuring unencrypted strings and symbol names that make analysis easier than advertised.
SantaStealer is offered under subscription pricing (e.g., Basic at $175/month and Premium at $300/month) and features a modular architecture comprising 14 separate data-collection modules, each running in its own thread. These modules target a broad range of sensitive information, including web browser data (such as saved passwords, cookies, browsing history, and stored credit cards), account credentials from messaging and gaming platforms like Telegram, Discord, and Steam, cryptocurrency wallet applications and extensions, and local documents. The malware can also capture screenshots of the victim’s desktop. After harvesting data into memory, SantaStealer compresses the stolen information into ZIP archives and exfiltrates it in 10 MB chunks to a hardcoded command-and-control (C2) endpoint over port 6767.
(TLP: CLEAR) Comments: Although the malware has not yet been observed in widespread distribution, researchers caution that likely delivery mechanisms include ClickFix attacks (where users are tricked into pasting malicious commands into their Windows terminal), phishing emails, bundling with pirated software or torrent downloads, malvertising, and deceptive comments on platforms like YouTube. These common social engineering vectors, combined with SantaStealer’s intended in-memory operation and modular configuration, make it a potentially significant threat to systems that are not protected with robust memory inspection, behavioral detection, and user-awareness defenses.
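The exfiltration pattern described above (ZIP archives pushed in 10 MB chunks to a hardcoded C2 on port 6767) is more useful to a defender as a traffic shape than as a single port number. The following script is an added example, not code from the original report or from Rapid7; it walks connection records in Zeek conn.log column order (an assumption about the log format) and flags any internal host that performs a series of roughly 10 MB uploads to one remote host on TCP/6767. The log lines are constructed for the example.

```python
"""Flag hosts whose outbound traffic resembles chunked ZIP exfiltration:
repeated uploads of roughly 10 MB each to a single remote host on TCP/6767.

Log lines are constructed for this example and follow the Zeek conn.log
column order (ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto,
duration, orig_bytes, resp_bytes).  The column order is an assumption.
"""
from collections import defaultdict

CHUNK_BYTES = 10 * 1024 * 1024   # 10 MB chunk size reported for the stealer
C2_PORT = 6767                   # hardcoded C2 port reported for the stealer
TOLERANCE = 0.10                 # +/-10% also covers a decimal 10,000,000-byte chunk
MIN_CHUNKS = 2                   # one upload could be benign; a series is the signal

# Constructed sample flows: 10.0.0.5 uploads three full chunks plus a smaller
# remainder to 203.0.113.10:6767; the other rows are unrelated benign traffic.
SAMPLE_CONN_LOG = """\
1733500001.1\tC1\t10.0.0.5\t51000\t203.0.113.10\t6767\ttcp\t4.1\t10485760\t212
1733500006.3\tC2\t10.0.0.5\t51001\t203.0.113.10\t6767\ttcp\t3.9\t10485700\t208
1733500011.0\tC3\t10.0.0.5\t51002\t203.0.113.10\t6767\ttcp\t4.3\t10486000\t210
1733500015.8\tC4\t10.0.0.5\t51003\t203.0.113.10\t6767\ttcp\t1.2\t2411008\t204
1733500020.0\tC5\t10.0.0.7\t52000\t198.51.100.20\t443\ttcp\t30.0\t8192\t1048576
1733500025.0\tC6\t10.0.0.9\t53000\t198.51.100.30\t6767\ttcp\t0.5\t1500\t1500
"""


def parse_conn_log(text):
    """Parse tab-separated conn.log lines into dicts; skip comments and short rows."""
    flows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        if len(f) < 10:
            continue
        flows.append({
            "ts": float(f[0]), "orig_h": f[2], "resp_h": f[4],
            "resp_p": int(f[5]), "proto": f[6],
            "orig_bytes": int(f[8]), "resp_bytes": int(f[9]),
        })
    return flows


def is_full_chunk(n_bytes):
    """True when an upload is within TOLERANCE of one full 10 MB chunk."""
    return abs(n_bytes - CHUNK_BYTES) <= CHUNK_BYTES * TOLERANCE


def find_chunked_exfil(flows):
    """Group TCP/6767 connections by (source, destination) and report pairs that
    show at least MIN_CHUNKS full-size uploads, i.e. a chunked transfer."""
    by_pair = defaultdict(list)
    for fl in flows:
        if fl["proto"] == "tcp" and fl["resp_p"] == C2_PORT:
            by_pair[(fl["orig_h"], fl["resp_h"])].append(fl)

    findings = []
    for (src, dst), group in by_pair.items():
        full = [g for g in group if is_full_chunk(g["orig_bytes"])]
        if len(full) >= MIN_CHUNKS:
            findings.append({
                "src": src, "dst": dst,
                "connections": len(group),
                "full_chunks": len(full),
                "bytes_out": sum(g["orig_bytes"] for g in group),
            })
    return findings


if __name__ == "__main__":
    for hit in find_chunked_exfil(parse_conn_log(SAMPLE_CONN_LOG)):
        print(f"{hit['src']} -> {hit['dst']}: {hit['full_chunks']} full chunks, "
              f"{hit['bytes_out']} bytes out over {hit['connections']} connections")
```

The single 1,500-byte connection from 10.0.0.9 to port 6767 is deliberately not flagged: the port alone is weak evidence, while a run of equal-sized uploads to one host is the behaviour the report actually describes. Because the stealer's strings and port are reportedly unencrypted in early samples, the port is likely to change; the chunk-series logic survives that.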
(TLP: CLEAR) Recommended best practices/regulations: NIST Special Publication 800-41 Revision 1, “Guidelines on Firewalls and Firewall Policy”: “Application firewalls can enable the identification of unexpected sequences of commands, such as issuing the same command repeatedly or issuing a command that was not preceded by another command on which it is dependent. These suspicious commands often originate from buffer overflow attacks, DoS attacks, malware, and other forms of attack carried out within application protocols such as HTTP. Another common feature is input validation for individual commands, such as minimum and maximum lengths for arguments. For example, a username argument with a length of 1000 characters is suspicious and even more so if it contains binary data.”
(TLP: CLEAR) DigiCert: DigiCert’s Web Application Firewall, UltraWAF, helps prevent common exploits of web application vulnerabilities that could lead to the insertion of malware. Signatures for new vulnerabilities are constantly updated, and granular input validation controls and traffic filtering measures provide flexibility. UltraWAF includes a number of tools for managing both benign and malicious bots, including bot signatures and device fingerprinting, and can also prevent some layer 7 DDoS attacks.
Source: https://www.bleepingcomputer.com/news/security/new-santastealer-malware-steals-data-from-browsers-crypto-wallets/
Kimwolf Botnet Hijacks 1.8 Million Android TVs and Launches Large-Scale DDoS Attacks
(TLP: CLEAR) The Kimwolf botnet is a newly identified, large-scale distributed denial-of-service (DDoS) malware network that has compromised approximately 1.8 million Android-based devices, primarily smart TVs, set-top boxes, and tablets, around the world, with significant concentrations in Brazil, India, the United States, Argentina, South Africa, and the Philippines. Researchers at QiAnXin XLab attribute Kimwolf’s growth to the reuse of code from the previously known AISURU botnet, suggesting that both strains may be operated by the same threat actor and have co-existed on the same infected devices. Kimwolf is compiled using the Android Native Development Kit (NDK) and incorporates multiple malicious modules beyond DDoS capabilities, such as proxy forwarding, reverse shell access, and file management functions, enabling comprehensive remote control of infected devices.
The malware enforces single-instance execution, decrypts embedded command-and-control (C2) domains, uses encrypted DNS-over-TLS to resolve C2 IP addresses, and employs TLS encryption for communication, supporting at least 13 DDoS methods over UDP, TCP, and ICMP.
(TLP: CLEAR) Comments: Behavioral analysis indicates most (over 96%) of Kimwolf’s issued commands are related to proxy service provisioning, implying that monetization through traffic resale may be a primary objective, with DDoS command issuance comprising a smaller portion of its activity. Between November 19 and 22, 2025, the botnet issued an estimated 1.7 billion DDoS commands, and one of its C2 domains briefly ranked above Google in global traffic metrics, underscoring its anomalous size and activity. Overall, Kimwolf represents a sophisticated evolution in IoT-targeting botnets, combining traditional DDoS functions with advanced infrastructure evasion and monetization capabilities, exploiting insecure Android TV ecosystems as a scalable attack and abuse platform.
(TLP: CLEAR) Recommended best practices/regulations: NIST Special Publication 800-189: “Source address spoofing is often combined with reflection and amplification from poorly administered open internet servers (e.g., DNS, NTP) to multiply the attack traffic volume by a factor of 50 or more. The attacker may use a single high-capacity computer with a high bandwidth internet connection or a botnet consisting of many compromised devices to send query requests to high-performance internet servers. The attacking systems employ source address spoofing, which inserts the IP address of the target as the source address in the requests. For internet services that use the User Datagram Protocol (UDP) (e.g., DNS, NTP), the query and response are each contained in a single packet, and the exchange does not require the establishment of a connection between the source and the server (unlike Transmission Control Protocol (TCP)). The responses from such open internet servers are directed to the attack target since the target’s IP address was forged as the source address field of the request messages. Often, the response from the server to the target address is much larger than the query itself, amplifying the effect of the DoS attack. Such reflection and amplification attacks can result in massive DDoS with attack volumes in the range of hundreds of Gbps.”
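The NIST passage above explains reflection and amplification from the attacker's side; from the target's side the same mechanism has a simple footprint: UDP service responses arriving for queries that no internal host ever sent. The following script is an added example, not from the original report or from NIST SP 800-189; it pairs outbound UDP queries with inbound responses on unidirectional flow records (a constructed format, with 192.0.2.0/24 standing in for the monitored address space) and separates legitimate query/response pairs, for which it reports the observed response-to-query byte ratio, from unsolicited responses, which it totals per target.

```python
"""Separate legitimate UDP query/response pairs from unsolicited responses.

Unsolicited DNS/NTP responses landing on local hosts are the receiving end of
the spoofed-source reflection the NIST text describes.  Flow records and the
local prefix are constructed for this example; the record layout is an
assumption: (ts, src_ip, src_port, dst_ip, dst_port, bytes).
"""
import ipaddress
from collections import defaultdict

LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")  # constructed monitored prefix
REFLECTOR_PORTS = {53: "dns", 123: "ntp"}        # UDP services named in the NIST text
MATCH_WINDOW = 2.0                                # seconds a response may trail its query

# Constructed unidirectional UDP flows.
SAMPLE_UDP_FLOWS = [
    # legitimate lookup: 60-byte query, 220-byte answer
    (1000.0, "192.0.2.10", 40001, "198.51.100.53", 53, 60),
    (1000.1, "198.51.100.53", 53, "192.0.2.10", 40001, 220),
    # legitimate NTP: 48-byte request, 48-byte reply
    (1001.0, "192.0.2.11", 40002, "198.51.100.123", 123, 48),
    (1001.2, "198.51.100.123", 123, "192.0.2.11", 40002, 48),
    # reflected flood: large answers for queries this network never sent
    (1002.0, "203.0.113.5", 53, "192.0.2.20", 53, 3900),
    (1002.0, "203.0.113.6", 53, "192.0.2.20", 53, 3872),
    (1002.1, "203.0.113.7", 53, "192.0.2.20", 53, 3910),
    (1002.1, "203.0.113.8", 123, "192.0.2.20", 80, 468),
]


def is_local(ip):
    return ipaddress.ip_address(ip) in LOCAL_NET


def analyse_udp_flows(flows):
    """Return (unsolicited, ratios).

    unsolicited: inbound service responses with no preceding outbound query
                 from the same local ip:port to the same server within MATCH_WINDOW.
    ratios:      per service, response_bytes / query_bytes for matched pairs,
                 i.e. the amplification a reflector would offer an attacker.
    """
    pending = {}            # (local_ip, local_port, remote_ip, remote_port) -> (ts, bytes)
    unsolicited = []
    ratios = defaultdict(list)

    for ts, sip, sport, dip, dport, size in sorted(flows):
        if is_local(sip) and not is_local(dip) and dport in REFLECTOR_PORTS:
            pending[(sip, sport, dip, dport)] = (ts, size)      # outbound query
        elif is_local(dip) and not is_local(sip) and sport in REFLECTOR_PORTS:
            query = pending.pop((dip, dport, sip, sport), None)  # inbound response
            if query is None or ts - query[0] > MATCH_WINDOW:
                unsolicited.append({"ts": ts, "reflector": sip, "target": dip,
                                    "service": REFLECTOR_PORTS[sport], "bytes": size})
            else:
                ratios[REFLECTOR_PORTS[sport]].append(size / query[1])
    return unsolicited, dict(ratios)


def bytes_per_target(unsolicited):
    """Total unsolicited response volume each local host absorbed."""
    totals = defaultdict(int)
    for u in unsolicited:
        totals[u["target"]] += u["bytes"]
    return dict(totals)


if __name__ == "__main__":
    unsolicited, ratios = analyse_udp_flows(SAMPLE_UDP_FLOWS)
    print("observed response/query ratios:", ratios)
    print("unsolicited bytes per target:", bytes_per_target(unsolicited))
```

The matched-pair ratios are the number to watch on the operator side: a resolver or NTP server whose legitimate traffic already answers small queries with responses many times larger is exactly the "poorly administered open internet server" the NIST text refers to, and is a candidate for rate limiting or closing to the public internet.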
(TLP: CLEAR) DigiCert: DigiCert UltraDDoS Protect can detect DDoS attacks and scrub your internet traffic through countermeasures, processes, and practices that are built upon more than 20 years of expertise in thwarting threats, delivered through a carrier-grade global infrastructure that has been engineered to provide the highest standards of availability, reliability, and scale.
Source: https://thehackernews.com/2025/12/kimwolf-botnet-hijacks-18-million.html
New Advanced Phishing Kits Use AI and MFA Bypass Tactics to Steal Credentials at Scale
(TLP: CLEAR) Cybersecurity researchers have identified a new wave of phishing-as-a-service (PhaaS) kits that combine traditional credential harvesting with sophisticated techniques to bypass multi-factor authentication (MFA) and scale attacks through automation and AI-assisted features. The documented toolkits include BlackForce, GhostFrame, InboxPrime AI, and Spiderman, each offering distinct mechanisms for credential theft and evasion. BlackForce, first observed in August 2025, performs Man-in-the-Browser (MitB) attacks to capture one-time passwords (OTPs) and other authentication tokens in real-time, enabling attackers to defeat MFA protections while impersonating trusted brands; it incorporates evasion logic such as blocklists to filter out security tooling and scanners.
GhostFrame focuses on stealth delivery by embedding phishing content within iframes, using loader scripts that randomize subdomains and resist analysis or blocking; these pages mimic legitimate login portals for services like Microsoft 365 and Google and include fallback iframes to ensure payload delivery even when defenses interfere.
InboxPrime AI advances the PhaaS model by leveraging artificial intelligence to automate mass mailing campaigns, mimicking human-like email patterns to evade filtering systems and maximize deliverability. It offers a subscription-style service with an AI-powered email generator and campaign management dashboard, lowering the operational barriers for attackers to launch high-volume phishing campaigns.
(TLP: CLEAR) Comments: The Spiderman kit specializes in highly convincing replicas of financial and banking login portals, particularly those of European institutions, and integrates features such as ISP allowlisting, geofencing, and targeted credential capture, including session data, photoTAN codes, and other sensitive inputs, often with mechanisms to maintain session continuity for attackers. Collectively, these kits illustrate the evolving phishing threat landscape, where AI and automation enhance scale and sophistication, MFA bypass methods like MitB and real-time interception undermine traditional security controls, and modular delivery techniques help attackers evade detection and blocking. Defenders are thus pressed to adopt more advanced anomaly detection, phishing-resistant authentication mechanisms, and continuous user awareness training to counter these emerging capabilities.
(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) DE.CM-01: “Networks and network services are monitored to find potentially adverse events”. One of the ways to detect phishing, malware droppers, and command and control (C2) is at the network level. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and next-generation firewalls can be used with a protective DNS solution to detect these malicious activities as they traverse the network, even if the initial infection occurs via physical media or on another network such as a hotel or airport.
(TLP: CLEAR) DigiCert: DigiCert’s Protective DNS solution, UltraDDR (DNS Detection and Response), can detect and block malware delivery and command and control (C2) techniques such as phishing, domain generation algorithms, and DNS tunneling to reduce both the quantity and impact of infections.
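The two paragraphs above describe detecting C2 at the DNS layer; the domain generation algorithm (DGA) case in particular rests on two observable signals, random-looking labels and bursts of NXDOMAIN answers as an infected host walks its generated list. The script below is an added example of that logic, not code from the original report or from any protective DNS product; it scores registrable labels on length, Shannon entropy and character mix, then flags clients that combine several high-scoring lookups with repeated NXDOMAINs. The log format (timestamp, client, query name, response code) and the single-label public suffix handling are assumptions, and the log lines are constructed.

```python
"""Heuristic DGA detection over DNS query logs.

Two signals are combined: labels that look machine-generated (long, high
entropy, digit-heavy or vowel-poor) and NXDOMAIN bursts from one client.
Log lines and their format (ts client qname rcode) are constructed for this
example; treating the last label as the whole public suffix is an assumption
(a deployment would consult the Public Suffix List).
"""
import math
from collections import Counter, defaultdict

SAMPLE_DNS_LOG = """\
1733500000 10.0.0.5 www.example.com NOERROR
1733500001 10.0.0.5 mail.example.org NOERROR
1733500002 10.0.0.8 xk3f9a2qz7vb1m.com NXDOMAIN
1733500002 10.0.0.8 q8w2e7r4t1y6u9.net NXDOMAIN
1733500003 10.0.0.8 zp0o9i8u7y6t5r.com NXDOMAIN
1733500003 10.0.0.8 a1s2d3f4g5h6j7.org NXDOMAIN
1733500004 10.0.0.8 v4n7m2k9j1h6g3.com NOERROR
1733500005 10.0.0.9 cdn.example.net NOERROR
1733500006 10.0.0.9 login.example.com NXDOMAIN
"""


def shannon_entropy(s):
    """Bits of entropy per character over the string's own symbol distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_label(qname):
    """Second-level label, e.g. 'xk3f9a2qz7vb1m' for 'xk3f9a2qz7vb1m.com'."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(label):
    """0..3: one point each for length >= 12, entropy >= 3.5 bits, and an
    unnatural character mix (>= 30% digits or <= 20% vowels)."""
    score = 0
    if len(label) >= 12:
        score += 1
    if shannon_entropy(label) >= 3.5:
        score += 1
    digits = sum(ch.isdigit() for ch in label)
    vowels = sum(ch in "aeiou" for ch in label)
    if digits / len(label) >= 0.3 or vowels / len(label) <= 0.2:
        score += 1
    return score


def find_dga_suspects(log_text, min_score=2, burst=3):
    """Return per-client stats for clients with >= burst NXDOMAIN answers and
    >= burst lookups of labels scoring at least min_score."""
    per_client = defaultdict(lambda: {"nxdomain": 0, "suspicious": []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, rcode = line.split()
        stats = per_client[client]
        if rcode == "NXDOMAIN":
            stats["nxdomain"] += 1
        if dga_score(registrable_label(qname)) >= min_score:
            stats["suspicious"].append(qname)
    return {c: s for c, s in per_client.items()
            if s["nxdomain"] >= burst and len(s["suspicious"]) >= burst}


if __name__ == "__main__":
    for client, stats in find_dga_suspects(SAMPLE_DNS_LOG).items():
        print(client, stats["nxdomain"], "NXDOMAIN,", len(stats["suspicious"]),
              "generated-looking names, e.g.", stats["suspicious"][0])
```

The single NXDOMAIN from 10.0.0.9 for a dictionary-word domain is correctly ignored; requiring both signals keeps typo traffic and content-delivery hostnames (which can score high on entropy alone) from flooding the alert queue. Thresholds here are illustrative and should be tuned against a site's own baseline before blocking rather than alerting.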
Source: https://thehackernews.com/2025/12/new-advanced-phishing-kits-use-ai-and.html
About Vercara
The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.
To learn more about Vercara solutions, please contact us.