Storm Infostealer Emerges as Next-Gen Threat, Bypassing Traditional Defenses with Server-Side Credential Theft

In early 2026, a new infostealer known as Storm started circulating in underground cybercrime forums, and it quickly caught the attention of security researchers. This tool reflects a clear shift in how attackers are stealing credentials and bypassing modern defenses. For less than $1,000 per month, cybercriminals can access a powerful platform that extracts browser credentials, session cookies, and cryptocurrency wallet data, then transfers it quietly to attacker-controlled servers for decryption.

Storm’s forum listing.

To understand why Storm matters, it’s important to look at how credential theft techniques have changed over time. Traditionally, infostealers decrypted browser data directly on the victim’s device. They relied on accessing browser databases, often using SQLite libraries, which made detection easier. Security tools became highly effective at spotting this behavior, as local database access became a strong indicator of malicious activity.

Things started to change when Chrome introduced App-Bound Encryption in version 127 (July 2024). This feature tied encryption keys more tightly to the browser, making it harder for attackers to decrypt data locally. Early bypass techniques involved injecting malicious code into the browser or exploiting debugging features, but these methods still left traces that endpoint detection systems could catch.

Storm represents the next step in this evolution. Instead of decrypting data on the infected machine, it simply collects encrypted files and sends them to external infrastructure controlled by the attacker. This removes many of the behavioral signals security tools rely on. What makes Storm even more capable is its support for both Chromium-based browsers and Gecko-based ones like Firefox, Waterfox, and Pale Moon, all handled server-side.
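Moving decryption off the device removes the local SQLite and key-extraction signals, but the stealer still has to read the browser's credential-store files before it can send them anywhere. As an added illustration (not code from the article or from Varonis), the following Python sketch scans file-read telemetry for non-browser processes touching Chromium stores (`Local State`, `Login Data`, `Web Data`, `Cookies`) or Gecko stores (`logins.json`, `key4.db`, `cookies.sqlite`), and escalates when a single process harvests across both browser families. The process allowlist, event schema and sample events are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Files that hold browser credential material. Chromium keeps the wrapped
# encryption key in "Local State" and the ciphertext in "Login Data",
# "Web Data" and "Cookies"; Gecko-based browsers keep the key in key4.db and
# the ciphertext in logins.json / cookies.sqlite. A stealer that decrypts
# off-device still has to read these files, so reads by non-browser
# processes remain a usable endpoint signal.
STORE_RE = re.compile(
    r"[\\/](Login Data|Web Data|Cookies|Local State|logins\.json|key4\.db|cookies\.sqlite)$",
    re.IGNORECASE,
)
GECKO_STORES = {"logins.json", "key4.db", "cookies.sqlite"}

# Processes expected to read their own profile stores (assumed allowlist; tune per fleet).
BROWSER_PROCESSES = {
    "chrome.exe", "msedge.exe", "brave.exe", "opera.exe",
    "firefox.exe", "waterfox.exe", "palemoon.exe",
}


@dataclass(frozen=True)
class FileReadEvent:
    host: str
    process: str  # image name of the reading process
    parent: str   # image name of its parent
    path: str     # file that was read


def store_family(path):
    """Return 'chromium', 'gecko' or None for the file a path points at."""
    m = STORE_RE.search(path)
    if not m:
        return None
    return "gecko" if m.group(1).lower() in GECKO_STORES else "chromium"


def scan(events):
    """Group credential-store reads by non-browser processes and score them.

    One process touching both Chromium and Gecko stores, or several store
    files at once, looks like harvesting rather than an incidental read.
    """
    by_proc = {}
    for ev in events:
        family = store_family(ev.path)
        if family is None or ev.process.lower() in BROWSER_PROCESSES:
            continue
        rec = by_proc.setdefault((ev.host, ev.process, ev.parent),
                                 {"paths": [], "families": set()})
        rec["paths"].append(ev.path)
        rec["families"].add(family)

    findings = []
    for (host, proc, parent), rec in by_proc.items():
        cross_family = len(rec["families"]) > 1
        severity = "high" if cross_family or len(rec["paths"]) >= 3 else "medium"
        findings.append({
            "host": host, "process": proc, "parent": parent,
            "severity": severity,
            "families": sorted(rec["families"]),
            "files": rec["paths"],
        })
    return findings


# Constructed sample telemetry (not real events): the browsers read their own
# stores, and an unknown binary launched from cmd.exe reads everything.
USERDATA = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data"
CHROME = USERDATA + r"\Default"
FIREFOX = r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\k2x9.default-release"
SAMPLE_EVENTS = [
    FileReadEvent("WS01", "chrome.exe", "explorer.exe", CHROME + r"\Login Data"),
    FileReadEvent("WS01", "firefox.exe", "explorer.exe", FIREFOX + r"\logins.json"),
    FileReadEvent("WS01", "explorer.exe", "userinit.exe", r"C:\Users\alice\Documents\notes.txt"),
    FileReadEvent("WS01", "updater.exe", "cmd.exe", USERDATA + r"\Local State"),
    FileReadEvent("WS01", "updater.exe", "cmd.exe", CHROME + r"\Login Data"),
    FileReadEvent("WS01", "updater.exe", "cmd.exe", CHROME + r"\Network\Cookies"),
    FileReadEvent("WS01", "updater.exe", "cmd.exe", FIREFOX + r"\logins.json"),
    FileReadEvent("WS01", "updater.exe", "cmd.exe", FIREFOX + r"\key4.db"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["severity"], f["host"], f["process"], "<-", f["parent"],
              f["families"], len(f["files"]), "files")
```

Backup agents and profile-sync tools legitimately read these files, so in practice the allowlist is tuned per environment and the finding is correlated with what happens next (an outbound connection from the same process shortly after the reads), rather than alerted on in isolation.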

The type of data collected is extensive. Storm can extract saved passwords, cookies, autofill entries, credit card details, browsing history, and authentication tokens. With this information, attackers don’t always need passwords anymore. A single compromised browser session can grant direct access to SaaS applications, internal tools, and even cloud environments without raising alerts.

One of Storm’s most concerning features is its ability to automate session hijacking. Once data is decrypted, it appears in a control panel where operators can immediately reuse it. By supplying a Google Refresh Token along with a matching SOCKS5 proxy, attackers can restore a victim’s session without triggering login warnings. This makes multi-factor authentication far less effective, as access is gained through already authenticated sessions.

Beyond browser data, Storm also targets user files, messaging platforms like Telegram, Signal, and Discord, and cryptocurrency wallets from both browser extensions and desktop apps. It collects system information and even captures screenshots across multiple monitors. All of this runs in memory, which reduces its footprint and makes detection harder.

From an infrastructure perspective, Storm uses a decentralized model. Operators connect their own VPS nodes, meaning stolen data flows through systems they control rather than a central server. This setup complicates takedown efforts, as law enforcement actions are more likely to hit individual operators instead of the core service.

The platform also supports team-based operations. Multiple users can work under a single license, each with different permissions. Features like automatic domain tagging help attackers quickly sort stolen credentials from services such as Google, Facebook, Twitter/X, and cPanel.

At the time of analysis, the control panel showed over 1,700 logs from countries including India, the United States, Brazil, Indonesia, Ecuador, and Vietnam. The diversity of data suggests active campaigns rather than isolated testing. Many entries included credentials linked to major platforms and crypto services, which are often resold or used for further attacks.

Storm operates on a subscription model: $300 for a 7-day trial, $900 per month for standard use, and $1,800 per month for team access with expanded capabilities. Notably, once deployed, the malware continues running even if the subscription ends.

Cookie restore panel with a completed session hijack. Source: Varonis

Indicators of Compromise (IOCs)

  • Forum handle: StormStealer
  • Forum ID: 221756
  • Account registered: 12/12/25
  • Current version: v0.0.2.0 (Gunnar)
  • Build characteristics: C++ (MSVC/msbuild), ~460 KB, Windows only

Our Take on the Storm Infostealer

Storm highlights a deeper problem in modern cybersecurity: defenses are still heavily focused on detecting actions at the endpoint, while attackers are steadily moving critical operations off the device. By shifting decryption and processing to external servers, tools like Storm avoid many of the traditional detection methods that organizations rely on. This isn’t just a technical improvement—it’s a strategic one.

What makes this especially concerning is the growing importance of session-based attacks. Passwords are no longer the primary target; active sessions are. If an attacker can hijack a valid session, they can bypass authentication layers entirely, including MFA. This challenges one of the core assumptions many organizations still depend on.

Another worrying trend is accessibility. Storm is not a highly specialized tool reserved for elite threat actors. Its subscription model, user-friendly panel, and team features make it available to a wide range of cybercriminals. This lowers the barrier to entry and increases the scale of potential attacks.

In our view, organizations need to rethink how they approach detection. Monitoring session behavior, enforcing strict device binding, and improving anomaly detection will become more important than simply protecting credentials. Storm is not just another infostealer—it’s a signal that the threat landscape is shifting, and defenses need to evolve just as quickly.
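The two closing recommendations, monitoring session behavior and device binding, can be made concrete with the kind of check an application or identity provider runs on every request that presents a session. The Python example below is added here and is not code from the article or from Varonis: it records the client profile seen at login and scores drift on later requests. Because the article notes that Storm pairs stolen tokens with a SOCKS5 proxy matching the victim's region, IP-derived attributes (ASN, country) are deliberately low-weight and client-derived ones (user agent, TLS fingerprint) carry more. The weights, thresholds, the availability of a TLS fingerprint from the edge, and the sample requests are all assumptions.

```python
from dataclasses import dataclass

# Attributes captured at login and compared on every later request. Weights
# are assumptions: a replayed cookie behind a proxy in the victim's region
# matches ASN/country cheaply, while reproducing the original client's TLS
# fingerprint and user agent from a web panel is harder.
WEIGHTS = {"asn": 2, "country": 2, "user_agent": 3, "tls_fp": 3}
STEP_UP_THRESHOLD = 2   # re-prompt for MFA
REVOKE_THRESHOLD = 4    # kill the session and force a fresh login


@dataclass(frozen=True)
class SessionBinding:
    user: str
    asn: str
    country: str
    user_agent: str
    tls_fp: str  # JA3/JA4-style hash of the ClientHello, assumed supplied by the edge proxy


class SessionMonitor:
    """Binds each session to the client profile seen at login and scores drift."""

    def __init__(self):
        self.bindings = {}

    def on_login(self, session_id, user, req):
        self.bindings[session_id] = SessionBinding(
            user, req["asn"], req["country"], req["user_agent"], req["tls_fp"])

    def on_request(self, session_id, req):
        """Return (action, score, changed_attributes) for a request presenting a session."""
        binding = self.bindings.get(session_id)
        if binding is None:
            return ("reject_unknown_session", 0, [])
        changed = [k for k in WEIGHTS if getattr(binding, k) != req[k]]
        score = sum(WEIGHTS[k] for k in changed)
        if score >= REVOKE_THRESHOLD:
            del self.bindings[session_id]  # revoked: the cookie no longer resolves to a session
            return ("revoke_and_reauth", score, changed)
        if score >= STEP_UP_THRESHOLD:
            return ("step_up_mfa", score, changed)
        return ("allow", score, changed)


# Constructed requests (not real traffic). The replay keeps the victim's
# country and user agent but arrives from a different network and a
# different TLS stack.
VICTIM_LOGIN = {"asn": "AS7922", "country": "US",
                "user_agent": "Chrome/131 Windows", "tls_fp": "fp-chrome-win-a1"}
VICTIM_MOBILE = {"asn": "AS21928", "country": "US",          # same laptop, tethered to a phone
                 "user_agent": "Chrome/131 Windows", "tls_fp": "fp-chrome-win-a1"}
REPLAY_VIA_PROXY = {"asn": "AS16509", "country": "US",
                    "user_agent": "Chrome/131 Windows", "tls_fp": "fp-other-stack-9f"}


def run_scenario():
    """Walk one session through a normal request, a network change, a replay and the aftermath."""
    mon = SessionMonitor()
    mon.on_login("sess-1", "alice", VICTIM_LOGIN)
    return {
        "same_client": mon.on_request("sess-1", VICTIM_LOGIN),
        "network_change": mon.on_request("sess-1", VICTIM_MOBILE),
        "proxy_replay": mon.on_request("sess-1", REPLAY_VIA_PROXY),
        "after_revoke": mon.on_request("sess-1", VICTIM_LOGIN),
    }


if __name__ == "__main__":
    for name, (action, score, changed) in run_scenario().items():
        print(f"{name:15} -> {action} (score {score}, changed {changed})")
```

The same comparison applies at token-refresh time in an identity provider, which is where a stolen refresh token of the kind the article describes is exchanged for new access; binding the refresh token to the device that obtained it (a device certificate or a key held in hardware) turns the scored heuristic into a hard check.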