A New Chapter in Credential Theft
A previously undocumented infostealer called Storm surfaced on underground cybercrime forums in early 2026, signaling a meaningful evolution in how threat actors approach credential and session theft. For a subscription fee of under $1,000 per month, operators receive a tool capable of harvesting browser credentials, session cookies, and cryptocurrency wallets — all without performing the decryption locally on the victim's machine. Instead, every encrypted file is quietly exfiltrated to attacker-controlled infrastructure where it is decrypted server-side, stripping away the telemetry that most endpoint security products depend on to catch such attacks in progress.
Why Server-Side Decryption Matters
To appreciate the significance of this architectural shift, it helps to understand how credential theft evolved to this point. Earlier generations of infostealers would decrypt browser credentials directly on compromised machines by loading SQLite libraries and accessing credential stores in place. Endpoint detection tools became increasingly effective at flagging exactly this type of behavior, making local browser database access one of the most reliable indicators of a malicious process.
In July 2024, Google introduced App-Bound Encryption in Chrome 127, tying encryption keys to the Chrome process itself and making on-device decryption significantly harder for malware. Stealer developers initially responded by injecting code into Chrome or abusing its debugging protocol to work around the new controls, but those techniques still generated artifacts that security tools could identify.
The next logical step — and the one Storm exemplifies — was to abandon local decryption entirely. By shipping the encrypted browser database files off to attacker-controlled servers, the malware removes the on-device decryption event that most endpoint tools are tuned to detect. The victim's machine shows no suspicious SQLite activity, no unusual process injection, and no credential-store access patterns that would normally raise an alert.
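One place the exfiltrate-then-decrypt design still leaves a trace is the file system: a stealer that never decrypts locally must still open and read the encrypted database files before shipping them off. The script below is an added example (not Varonis' tooling or anything from the Storm panel) that runs over constructed file-read events of the kind an EDR or Windows object-access audit might emit and flags non-browser processes touching the Chromium and Gecko credential stores named in the text. The default profile paths are the standard ones; the process name `updater.exe`, the user `alice`, and the PIDs are constructed, and the browser allowlists are an assumption to tune per estate.

```python
"""Flag non-browser processes reading browser credential stores.

Added example, not from the article. A stealer that exfiltrates encrypted
browser databases still has to read them from disk, so file-read telemetry
can see the access even when no local decryption ever happens.
"""
import re
from dataclasses import dataclass

# Encrypted stores. Chromium: "Login Data", "Cookies" (older layout) or
# "Network\Cookies" (newer), "Web Data". Gecko (Firefox, Waterfox, Pale Moon):
# key4.db + logins.json for passwords, cookies.sqlite for cookies.
CHROMIUM_STORES = re.compile(r"[\\/](login data|cookies|web data)$", re.I)
GECKO_STORES = re.compile(r"[\\/](key4\.db|logins\.json|cookies\.sqlite)$", re.I)

# Processes expected to read their own stores (assumed allowlist; extend as needed).
CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}
GECKO_BROWSERS = {"firefox.exe", "waterfox.exe", "palemoon.exe"}


@dataclass(frozen=True)
class FileEvent:
    """A file-read event in the shape an EDR might emit (constructed)."""
    process: str  # image name of the reading process
    pid: int
    path: str     # full path opened for read


@dataclass(frozen=True)
class Alert:
    pid: int
    process: str
    path: str
    family: str   # "chromium" or "gecko"


def classify_store(path: str):
    """Return which browser family's credential store a path belongs to, or None."""
    if CHROMIUM_STORES.search(path):
        return "chromium"
    if GECKO_STORES.search(path):
        return "gecko"
    return None


def credential_store_alerts(events):
    """Alert on every credential-store read by a process outside that family's allowlist."""
    alerts = []
    for ev in events:
        family = classify_store(ev.path)
        if family is None:
            continue
        expected = CHROMIUM_BROWSERS if family == "chromium" else GECKO_BROWSERS
        if ev.process.lower() not in expected:
            alerts.append(Alert(ev.pid, ev.process, ev.path, family))
    return alerts


def processes_spanning_families(alerts):
    """Higher-confidence signal: one PID reading both Chromium and Gecko stores,
    which no legitimate browser does but a multi-browser stealer must."""
    by_pid = {}
    for a in alerts:
        by_pid.setdefault(a.pid, set()).add(a.family)
    return sorted(pid for pid, fams in by_pid.items() if len(fams) > 1)


# Constructed sample telemetry: one benign Chrome read, one benign Firefox read,
# one unrelated file, and a non-browser process sweeping both families' stores.
_CHROME = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default"
_FIREFOX = r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abc.default"
SAMPLE_EVENTS = [
    FileEvent("chrome.exe", 4120, _CHROME + r"\Login Data"),
    FileEvent("updater.exe", 7733, _CHROME + r"\Login Data"),
    FileEvent("updater.exe", 7733, _CHROME + r"\Network\Cookies"),
    FileEvent("updater.exe", 7733, _FIREFOX + r"\key4.db"),
    FileEvent("updater.exe", 7733, _FIREFOX + r"\logins.json"),
    FileEvent("firefox.exe", 5210, _FIREFOX + r"\cookies.sqlite"),
    FileEvent("notepad.exe", 6001, r"C:\Users\alice\Documents\notes.txt"),
]

if __name__ == "__main__":
    found = credential_store_alerts(SAMPLE_EVENTS)
    for a in found:
        print(f"pid={a.pid} {a.process} read {a.family} store: {a.path}")
    print("PIDs reading both families:", processes_spanning_families(SAMPLE_EVENTS and found))
```

The per-family allowlist is the part that needs local tuning (password managers and backup agents read these files legitimately); the cross-family check in `processes_spanning_families` is the lower-noise signal, since Storm handles Chromium and Gecko stores in one binary.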
What Storm Collects and How It Differs
Storm targets both Chromium- and Gecko-based browsers — including Firefox, Waterfox, and Pale Moon — and processes all of them server-side. This is a notable distinction from StealC V2, which still handles Firefox locally. The breadth of data collected covers everything an attacker needs to remotely restore hijacked sessions:
- Saved passwords
- Session cookies
- Autofill data
- Google account tokens
- Credit card information
- Full browsing history
Beyond browser data, Storm also grabs documents from user directories, extracts session data from Telegram, Signal, and Discord, and targets cryptocurrency wallets via both browser extensions and desktop applications. Screenshots are captured across multiple monitors, and system information is harvested. All collection operations run in memory to further reduce the likelihood of detection.
Automated Session Hijacking via the Operator Panel
Once Storm's infrastructure has decrypted the stolen browser data, credentials and session cookies are loaded directly into the operator's control panel. What sets Storm apart from many competing stealers is that it automates the next stage of the attack rather than leaving operators to manually replay stolen logs. By feeding a Google Refresh Token alongside a geographically matched SOCKS5 proxy, the panel silently restores the victim's authenticated session without requiring a password.
This technique is the same one documented in prior research by Varonis Threat Labs. Their Cookie-Bite research demonstrated how stolen Azure Entra ID session cookies render multi-factor authentication irrelevant, granting persistent access to Microsoft 365 without any password involvement. The SessionShark analysis further showed how phishing kits intercept session tokens in real time to defeat Microsoft 365 MFA. Storm's cookie restore feature is effectively that same underlying technique commercialized and packaged as a subscription add-on.
The practical consequence for enterprises is severe. A single compromised employee browser can hand an attacker authenticated access to SaaS platforms, internal tooling, and cloud environments without ever triggering a password-based alert or MFA prompt.
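Because the restored session rides a proxy matched to the victim's geography, a detection keyed only on sign-in country is blind to this technique. What the replay cannot easily hide is that the same session identifier now arrives from a different network (ASN) and a different browser fingerprint. The script below is an added example, not from the article or from Varonis' research, that runs both checks over constructed sign-in records so the difference is visible; the user names, session IDs, the documentation IP ranges, and the private-use AS numbers are all constructed, and it assumes the log has already been enriched with an ASN lookup.

```python
"""Detect replay of a stolen session cookie from a second device.

Added example, not part of the original article. The baseline for a session
is the event that established it; later events from another ASN or browser
are flagged. geo_only=True reproduces a country-only check to show why a
geo-matched proxy evades it.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class SessionEvent:
    ts: datetime
    user: str
    session_id: str   # opaque cookie/session identifier (log a hash in practice)
    ip: str
    asn: int          # from IP-to-ASN enrichment (assumed present)
    country: str
    user_agent: str


@dataclass(frozen=True)
class Finding:
    user: str
    session_id: str
    reason: str
    first: SessionEvent   # event that established the session
    later: SessionEvent   # event that diverged from it


def detect_session_replay(events, geo_only: bool = False):
    """Return findings for sessions whose later events do not match the
    network/device that established them."""
    baseline = {}   # session_id -> establishing event
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        first = baseline.setdefault(ev.session_id, ev)
        if first is ev:
            continue   # this event established the session
        if geo_only:
            if ev.country != first.country:
                findings.append(Finding(ev.user, ev.session_id, "country change", first, ev))
            continue
        reasons = []
        if ev.asn != first.asn:
            reasons.append("asn change")
        if ev.user_agent != first.user_agent:
            reasons.append("user-agent change")
        if ev.country != first.country:
            reasons.append("country change")
        if reasons:
            findings.append(Finding(ev.user, ev.session_id, ", ".join(reasons), first, ev))
    return findings


# Constructed sample log: a victim in BR works normally, then the same session
# cookie is replayed from a panel-driven browser behind a BR-located proxy on a
# different network. A second user's unrelated session is included as control.
_UA_VICTIM = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/131.0 Safari/537.36"
_UA_REPLAY = "Mozilla/5.0 (X11; Linux x86_64) Chrome/131.0 Safari/537.36"
SAMPLE_EVENTS = [
    SessionEvent(datetime(2026, 2, 3, 9, 2), "m.souza", "sess-7f3a", "203.0.113.25", 64496, "BR", _UA_VICTIM),
    SessionEvent(datetime(2026, 2, 3, 9, 40), "m.souza", "sess-7f3a", "203.0.113.25", 64496, "BR", _UA_VICTIM),
    SessionEvent(datetime(2026, 2, 3, 11, 15), "m.souza", "sess-7f3a", "198.51.100.77", 64497, "BR", _UA_REPLAY),
    SessionEvent(datetime(2026, 2, 3, 8, 30), "j.doe", "sess-0c11", "203.0.113.90", 64496, "US", _UA_VICTIM),
]

if __name__ == "__main__":
    print("country-only findings:", len(detect_session_replay(SAMPLE_EVENTS, geo_only=True)))
    for f in detect_session_replay(SAMPLE_EVENTS):
        print(f"{f.user} {f.session_id}: {f.reason} "
              f"({f.first.ip}/AS{f.first.asn} -> {f.later.ip}/AS{f.later.asn})")
```

The country-only pass returns nothing for the replayed session, which is exactly the gap the geo-matched SOCKS5 proxy is there to exploit; the ASN and user-agent comparison catches it. User-agent alone is easy to mimic, so in production the device side of the baseline should come from whatever stronger client fingerprint the identity provider exposes.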
Infrastructure Design and Operational Structure
Storm's infrastructure model is deliberately designed to insulate its core servers from disruption. Operators connect their own virtual private servers (VPS) to Storm's central servers, routing stolen data through infrastructure they personally control rather than a shared platform. When law enforcement or abuse reports target a node, they hit the operator's VPS first, leaving the central servers untouched.
The platform also includes team management functionality, supporting multiple workers with granular permissions covering log access, build creation, and cookie restoration. This means a single Storm license can underpin a small-scale criminal operation with divided labor and defined roles.
A domain detection feature automatically labels stolen credentials by service, with rules for Google, Facebook, Twitter/X, and cPanel visible in panel imagery, enabling operators to quickly filter and prioritize the most valuable accounts for exploitation.
Active Campaigns and Pricing Tiers
At the time of investigation by Varonis Threat Labs, Storm's logs panel contained 1,715 entries spanning victims across India, the United States, Brazil, Indonesia, Ecuador, Vietnam, and several other countries. While it is difficult to confirm from panel imagery alone whether all entries represent genuine victims or include test data, the variety of IP addresses, ISPs, and data sizes is consistent with active, real-world campaigns.
Credentials linked to Google, Facebook, Twitter/X, Coinbase, Binance, Blockchain.com, and Crypto.com appear across multiple log entries — exactly the kind of data that flows into credential marketplaces fueling account takeover, fraud, and initial access for more targeted intrusions.
Storm is sold under a tiered subscription model:
- $300 for a 7-day demo
- $900/month for a standard license
- $1,800/month for a team license covering 100 operator seats and 200 builds
A separate crypter is required in addition to the subscription. Critically, deployed builds continue harvesting data even after a subscription lapses, meaning operators' stealers keep running regardless of their current license status.
Indicators of Compromise
Varonis Threat Labs has published the following indicators associated with Storm:
- Forum handle: StormStealer
- Forum ID: 221756
- Account registered: December 12, 2025
- Current version: v0.0.2.0 (Gunnar)
- Build characteristics: C++ (MSVC/msbuild), approximately 460 KB, Windows only
The Broader Shift in the Stealer Ecosystem
Storm is part of a wider pattern. Server-side decryption is becoming the preferred approach for stealer developers looking to outpace endpoint detection, and session cookie theft has been gradually supplanting password theft as the primary objective. The stolen credentials and sessions harvested by tools like Storm are rarely the end goal in themselves — they are the entry point for what follows: logins from unfamiliar locations, lateral movement across internal networks, and data access patterns that diverge sharply from established baselines. Organizations that rely on MFA alone as a session security control should treat this trend as a serious prompt to reassess their detection strategies.
Source: BleepingComputer