A brief look at all things infostealers for the week 5, 2026 (26.01.2026 –01.02.2026). Updates in AURA, Santa, The Void stealers. Grabbed some numbers from marketplaces and few interesting news/articles for you to read.
Infostealer Updates
AURA Stealer
Minor update
Build updated: v1.6.0
- Improved decryption of the latest versions of Chromium-based browsers (144+). The latest updates are perfectly decrypted by AURA.
- Different versions of Chrome (before 143 / after 144) are now decrypted with different elevators, and the method is selected dynamically for compatibility with different versions.
- Additional language and geo checks have been added to the previous CIS checks.
- Fixed a bug with compile-time hashing of winapi names, which caused some strings to remain in the binary.
Screenshot taken from XSS forum
SantaStealer
SantaStealer Update!
• 10 New Features · 5 Improvements · 6 Bug Fixes – (Only notable updates included)
——— NEW FEATURES ———
1.1 – Added option to have log details sent to Telegram, supporting 12 values ({cookies}, {passwords}, {hwid} etc)
1.2 – Added ability to archive logs
1.3 – Added ‘Unique Passwords’ & ‘Unique Domains’ columns to the Logs tab on the Web Panel
1.4 – Added option to view traffic statistics for other time periods instead of only one month
1.5 – Added plan expiration date to ‘Account’ tab
1.6 – Added configuration options to ‘Browser History Extractor’ module, you can now select the data it should take (History, Bookmarks, Autofills, Download History, Clipboard)
1.7 – Added option to send screenshot of infected machines to Telegram (From screen.png)
1.8 – Added option to create ‘Domain Lists’, you can view important domains a log has
1.9 – Added option to filter logs by ‘Passwords Count’, ‘Domains Count’ & ‘Installed Browsers’
2.1 – Google refresh tokens are now taken from browsers, saved to /<browser>/<profile>/Tokens.json
——— IMRPVEMENTS ———
3.1 – Made Telegram log notifications optional
3.2 – Passwords are now stored in Passwords.txt instead of Passwords.json. Now stored as Host: \n Login: \n Password: \n\n
3.3 – You can now select multiple entries for filtering logs by County, Watermark, Installed applications, Installed wallet & Log tags
3.4 – Improved data collection speed, log weight & compilation speed
3.5 – Date column on the Logs tab now displays the exact time the log came through instead of just YYYY/DD/MM
——— FIXES ———
3.1 – Updated chrome ABE cookie/password decryptor to support chromes new IElevator2 interface in chrome version 144
3.2 – Fixed Opera/OperaGX cookies having 32 bytes of random data appended before each cookie value
3.3 – Fixed bulk log download downloading an empty ZIP archive
3.4 – Fixed some browsers closing when taking cookies (Yandex, Opera, Opera GX), all browsers now stay open
3.5 – Fixed issue with Screenshot.bmp being HUGE and changed it to Screen.png
3.6 – Fixed some Passwords.txt files missing blank lines between each HOST\LOGIN\PASS
— Look out for impersonators! Double check you are dealing with the real support: @SantaStealerSupport
— Have any feature requests? Send them to @SantaStealerSupport & we will work on implementing them.
— Access the Santa Stealer WebPanel via stealer[.]su – generate an account and purchase a plan in less then 1 minute
Screenshot from SantaStealer’s Telegram channel
The Void Stealer
Update 1.3
All working strings are now additionally encrypted using RC4
Software Cleanup
API functionality has been expanded; the following functions are currently available:
- Create a build
- Get log information
- Download log
- Search logs by parameters (software, only crypto, not dummy, country, tag, etc.)
- Search logs by queries (domains in cookies, passwords)
The price remains the same: 80 per week, 250 per month.
Screenshot from XSS forum
Marketplace Updates
This section provides some numbers taken from the marketplaces, which include numbers of victims based on stealers, top 5 countries, the victim numbers in the countries of the Nordic region. In addition, see the CryptPad spreadsheet for more meaningless numbers.
Marketplace Updates Spreadsheet 2026
The below spreadsheet contains meaningless numbers taken in 2025:
Marketplace Updates Spreadsheet 2025
Russian Market
Stealers by number of victims
| Stealer name | Number of victims |
|---|---|
| Lumma | 7,011,060 |
| Vidar | 986,782 |
| Acreed | 848,673 |
| StealC | 806,300 |
| Rhadamanthys | 561,088 |
| RedLine | 192,103 |
| RisePro | 145,522 |
| Raccoon | 5,072 |
Top 5 countries by number of victims
| Country | Number of victims |
|---|---|
| India | 1,222,338 |
| Brazil | 758,632 |
| Indonesia | 574,587 |
| Egypt | 492,004 |
| Pakistan | 419,811 |
Nordic region countries
| Country | Number of victims |
|---|---|
| Sweden | 23,627 |
| Denmark | 12,943 |
| Norway | 10,622 |
| Finland | 8,721 |
| Iceland | 1,155 |
| Greenland | 158 |
| Faroe | 111 |
| Åland | 24 |
Exodus Market
The marketplace was down, therefore no updates from the ExodusMarket.
Stealers by number of victims
| Stealer name | Number of victims |
|---|---|
| StealC | – |
| Vidar | – |
| Lumma | – |
| Rhadamanthys | – |
| RedLine | – |
Top 5 countries by number of victims
| Country | Number of victims |
|---|---|
| India | – |
| Brazil | – |
| Turkey | – |
| USA | – |
| Bangladesh | – |
Nordic region countries
| Country | Number of victims |
|---|---|
| Sweden | – |
| Denmark | – |
| Norway | – |
| Finland | – |
| Iceland | – |
Articles/News
HoneyMyte updates CoolClient and deploys multiple stealers in recent campaigns
- https://securelist.com/honeymyte-updates-coolclient-uses-browser-stealers-and-scripts/118664/
Novel Fake CAPTCHA Chain Delivering Amatera Stealer
- https://blackpointcyber.com/blog/novel-fake-captcha-chain-delivering-amatera-stealer/