xiand.ai
Apr 13, 2026 · Updated 07:18 PM UTC
Cybersecurity

New Storm infostealer automates session hijacking via server-side decryption

A new malware strain called Storm bypasses endpoint security by decrypting stolen browser credentials on attacker-controlled servers rather than the victim's machine.

Ryan Torres

Cybercriminals have launched a new infostealer named 'Storm' that bypasses modern endpoint security by moving the decryption process from the victim's device to a remote server.

First appearing on underground forums in early 2026, the malware operates on a subscription model costing less than $1,000 per month. It targets browser credentials, session cookies, and cryptocurrency wallets.

Unlike previous generations of stealers that attempted to decrypt data locally using SQLite libraries, Storm ships encrypted files directly to the attacker's infrastructure. This shift avoids the telemetry that security tools typically use to detect unauthorized access to browser credential stores.
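Added example, not from the article or from Varonis: a defender-side detection that does not depend on local decryption activity. Even when a stealer ships the encrypted stores off-box, it still has to open the `Login Data`, `Cookies` and `Local State` files on disk, so file-access telemetry on those paths remains usable. The script below runs that logic over constructed file-read events shaped like EDR or Sysmon output (the field names `pid`, `image`, `target` and the trusted-directory prefixes are assumptions), flags any non-browser process that reads a credential store, and raises a second "sweep" alert when one process touches two or more store types, which is the collection pattern rather than an incidental read.

```python
"""Flag non-browser processes reading Chromium credential stores (added example)."""
from collections import defaultdict
from fnmatch import fnmatchcase
import ntpath

# Executables that legitimately open their own credential stores.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "vivaldi.exe", "opera.exe"}

# A browser name alone is weak evidence: a copy of chrome.exe dropped in %TEMP% should
# not be trusted, so the image path must also sit under an expected install directory.
# (Assumed prefixes; extend for per-user installs and verify the signer in production.)
TRUSTED_BROWSER_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")

# Files that hold the still-encrypted secrets; matched case-insensitively and
# with '*' spanning path separators, so profile folders and Network\ subdirs match.
STORE_PATTERNS = {
    "login_data": "*\\user data\\*\\login data",
    "cookies": "*\\user data\\*\\cookies",
    "local_state": "*\\user data\\local state",
}


def _norm(path):
    return path.replace("/", "\\").lower()


def classify_store(target_path):
    """Return the store type a file path belongs to, or None if it is not a store."""
    p = _norm(target_path)
    for store, pattern in STORE_PATTERNS.items():
        if fnmatchcase(p, pattern):
            return store
    return None


def is_trusted_browser(image_path):
    """True only for a known browser binary running from a trusted directory."""
    p = _norm(image_path)
    return ntpath.basename(p) in BROWSER_IMAGES and p.startswith(TRUSTED_BROWSER_DIRS)


def suspicious_accesses(events):
    """Return (alerts, sweeps).

    alerts: one entry per credential-store read by an untrusted process.
    sweeps: processes that read two or more distinct store types (collection behaviour).
    """
    alerts = []
    touched = defaultdict(set)
    for ev in events:
        store = classify_store(ev["target"])
        if store is None or is_trusted_browser(ev["image"]):
            continue
        image = ntpath.basename(_norm(ev["image"]))
        alerts.append({"pid": ev["pid"], "image": image, "store": store, "target": ev["target"]})
        touched[(ev["pid"], image)].add(store)
    sweeps = [
        {"pid": pid, "image": image, "stores": sorted(stores)}
        for (pid, image), stores in touched.items()
        if len(stores) >= 2
    ]
    return alerts, sweeps


# Constructed sample telemetry; paths and process names are illustrative only.
_UD = "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data"
SAMPLE_EVENTS = [
    {"pid": 4120, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "target": _UD + "\\Default\\Login Data"},
    {"pid": 4120, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "target": _UD + "\\Default\\Network\\Cookies"},
    {"pid": 7788, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe",
     "target": _UD + "\\Default\\Login Data"},
    {"pid": 7788, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe",
     "target": _UD + "\\Local State"},
    {"pid": 7788, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe",
     "target": _UD + "\\Default\\Network\\Cookies"},
    {"pid": 1200, "image": "C:\\Windows\\explorer.exe",
     "target": "C:\\Users\\alice\\Documents\\report.docx"},
    {"pid": 9001, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "target": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Cookies"},
    {"pid": 5555, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\chrome.exe",
     "target": _UD + "\\Default\\Cookies"},
]

if __name__ == "__main__":
    found, sweeps = suspicious_accesses(SAMPLE_EVENTS)
    for a in found:
        print(f"ALERT pid={a['pid']} {a['image']} read {a['store']}: {a['target']}")
    for s in sweeps:
        print(f"SWEEP pid={s['pid']} {s['image']} collected {', '.join(s['stores'])}")
```

The two browser reads and the document read are ignored; the `updater.exe` process trips three alerts and one sweep, the PowerShell read of the Edge cookie store trips a single alert, and the `chrome.exe` copy in `%TEMP%` is flagged because its path is outside the trusted install directories. The rule is deliberately path-based rather than API-based, so it still fires when no decryption happens on the host.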

Automated session hijacking

Storm provides a built-in feature to automate the restoration of hijacked sessions. By combining a stolen Google Refresh Token with a geographically matched SOCKS5 proxy, the malware's control panel can silently re-authenticate as the victim.

This capability allows attackers to access SaaS platforms, cloud environments, and internal corporate tools without ever needing the victim's password or having to bypass multi-factor authentication (MFA).

Varonis Threat Labs researchers noted that this technique mirrors previous 'Cookie-Bite' attacks, where stolen Azure Entra ID session cookies rendered MFA ineffective. However, Storm productizes this method as a subscription service.

Beyond browser data, the malware harvests documents from user directories and extracts session data from messaging apps including Telegram, Signal, and Discord. It also collects system information and captures screenshots across multiple monitors.

To evade law enforcement, Storm operators use their own virtual private servers (VPS) to route stolen data. This ensures that any incoming abuse reports or takedown attempts hit the operator's individual node rather than the central command-and-control server.