Storm Infostealer Ships Your Browser Credentials Home Before Decrypting Them
| Field | Detail |
|---|---|
| Group | Unknown cybercriminal operator(s); attribution unconfirmed |
| Type | Infostealer-as-a-Service |
| Malware | Storm; a session-hijacking credential stealer that exfiltrates encrypted browser data to attacker infrastructure for server-side decryption, bypassing Chrome App-Bound Encryption and endpoint detection |
| Score | 🟠 8.5 High. Actively deployed against confirmed victims across at least six countries, defeats Google Chrome's App-Bound Encryption, renders MFA ineffective through automated session hijacking, and is available for under $1,000 per month |
| Observed | 13 April 2026 |
Overview
Storm is a newly discovered infostealer-as-a-service that emerged on underground cybercrime forums in early 2026. It represents a meaningful shift in how credential theft works operationally. Rather than decrypting stolen browser data on the victim's machine, Storm packages the encrypted credential stores and ships them directly to attacker-controlled infrastructure, where decryption happens server-side. This single architectural decision allows Storm to evade the entire class of endpoint detection designed to catch infostealers performing local database access.
The malware is sold on a subscription model, starting at $300 for a seven-day demo and available for under $1,000 per month on underground criminal forums. This pricing makes Storm accessible to a wide range of criminal operators, from individuals testing the capability to groups running coordinated campaigns across multiple targets. Varonis researchers uncovered an active victim log panel showing 1,715 confirmed entries from Brazil, Ecuador, India, Indonesia, the United States, Vietnam, and the United Kingdom, confirming the malware is already deployed in the wild at scale.
Beyond credentials, Storm targets session cookies, Google account Refresh Tokens, crypto wallet data, messaging platform sessions from Telegram, Signal, and Discord, and documents from user directories. Its automated session hijacking module pairs a stolen Google Refresh Token with a geographically matched SOCKS5 proxy and silently restores the victim's authenticated browser session on the attacker's machine. From that point, the attacker holds authenticated access to every SaaS platform, internal tool, and cloud environment the victim was logged into, without ever attempting a password-based login and without triggering a multi-factor authentication prompt.
The defining risk Storm presents is not just the breadth of data it collects. It is the way it converts credential theft into persistent, authenticated access. A single compromised employee browser can expose an organisation's entire SaaS estate silently, and no password reset addresses the threat once an active session has been replayed.
Key Details
Delivery Method – Underground cybercrime forum distribution; exact delivery vectors used by individual operators vary and may include phishing, trojanised software installers, or malvertising (single source, verify before actioning)
Target – Broad; confirmed victims across six countries spanning financial services, cryptocurrency, and general enterprise environments; individual consumers and corporate users are both targeted given the breadth of platform credentials harvested
Functions
- Steals saved browser passwords, autofill data, credit card details, and browsing history from Chromium-based browsers (Chrome, Edge, Brave) and Gecko-based browsers (Firefox, Waterfox, Pale Moon)
- Exfiltrates encrypted browser credential stores to C2 infrastructure for server-side decryption, bypassing Google Chrome's App-Bound Encryption
- Harvests session cookies to enable authenticated session replay without triggering MFA
- Steals Google account Refresh Tokens, paired with geo-matched SOCKS5 proxies for silent session restoration
- Captures screenshots of the victim's desktop at time of infection
- Exfiltrates documents from user directories
- Extracts session tokens and account data from Telegram, Signal, and Discord
- Targets cryptocurrency wallets through both browser extensions and desktop wallet applications
- Harvests credentials for Coinbase, Binance, Blockchain.com, and Crypto.com
Obfuscation – Storm wraps the already-encrypted browser credential stores in its own weak or custom encryption layer before transmission. Because decryption is deferred to the C2 server, no cleartext credentials ever exist on the endpoint, and the collection leaves minimal telemetry for endpoint detection tools to act on
Attack Vectors
Storm reaches victims through operator-chosen delivery methods purchased as part of the subscription service. The specific initial access vector is not yet fully documented across all campaigns, though researchers note it is consistent with the broader ecosystem of phishing lures, trojanised software installers, and drive-by downloads that the infostealer-as-a-service market relies on. Individual operators acquire the malware and run their own campaigns, meaning delivery methods will vary across incidents.
Stage 1 — Execution: Once the Storm binary runs on a victim machine, it begins a quiet reconnaissance phase, enumerating installed browsers, wallet applications, and messaging clients. It does not attempt to open or decrypt local browser credential databases in a way that triggers endpoint behavioural signatures. Instead, it identifies the file paths for Chrome's Login Data, Cookies, and Local State files, along with equivalent stores for Edge, Firefox, Waterfox, and Pale Moon.
Stage 2 — Data Packaging and Exfiltration: Rather than loading SQLite libraries or calling Windows credential APIs to decrypt data locally, Storm applies its own lightweight encryption or obfuscation layer to the raw encrypted credential files and exfiltrates them over the C2 channel. The critical distinction is that the plaintext credentials never exist on the victim machine. Decryption only occurs on the operator's C2 infrastructure, which holds the true decryption key. This approach sidesteps Google's App-Bound Encryption, which binds Chrome's encryption keys to the Chrome process itself and was introduced in Chrome 127 in July 2024 specifically to defeat local credential theft.
Stage 3 — Session Hijacking Automation: The Storm operator panel accepts a stolen Google Refresh Token and an operator-supplied SOCKS5 proxy address. The panel silently restores the victim's authenticated Google session, sourcing the connection from a proxy that appears geographically aligned with the victim's location. This defeats location-based anomaly detection. The operator then holds a live, authenticated session to every service the victim accesses via that Google account, including Google Workspace, any SSO-integrated SaaS platforms, and any services where the victim's browser was already authenticated.
Stage 4 — Crypto and Messaging Harvesting: In parallel, Storm extracts wallet seed phrases and private keys from browser extension wallets and desktop applications, and pulls active session tokens from Telegram, Signal, and Discord. These are exfiltrated through the same C2 channel and provide immediate access to the victim's communication accounts and cryptocurrency holdings without any further exploitation step.
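Because Storm never decrypts on the endpoint, detections that hook DPAPI or SQLite calls stay silent; the observable that remains is a non-browser process opening the raw credential-store files named in Stage 1. The following is an added example of that detection logic, written for this advisory and not taken from Storm, Varonis, or any EDR vendor. It runs over constructed file-read telemetry in a hypothetical JSON schema (ts, pid, image, path); the Chromium file names come from the advisory, the Firefox-family names and the browser allowlist are assumptions to tune per fleet.

```python
"""Flag non-browser processes reading browser credential stores.

Added example for the advisory; not Storm code and not a vendor detection rule.
Storm never decrypts on the endpoint, so hooks on DPAPI or SQLite calls stay
quiet; the raw file read is the observable that remains, so this rule keys on
which process image opened which store, and on one process touching several.
"""
import json
from collections import defaultdict

# File names of browser credential/cookie stores. The Chromium names come from
# the advisory; the Firefox-family names are the default profile files (assumed).
STORE_NAMES = {
    "login data", "cookies", "local state",      # Chromium family
    "logins.json", "key4.db", "cookies.sqlite",  # Gecko family
}

# Processes expected to open their own stores (assumed allowlist; tune per fleet).
BROWSER_IMAGES = {
    "chrome.exe", "msedge.exe", "brave.exe",
    "firefox.exe", "waterfox.exe", "palemoon.exe",
}

# Distinct stores one process may touch before we call it bulk collection.
BULK_THRESHOLD = 2

# Constructed sample telemetry: hypothetical file-read events, one JSON object
# per line. The schema (ts, pid, image, path) is an assumption, not Sysmon's.
SAMPLE_EVENTS = r"""
{"ts": 100, "pid": 4120, "image": "chrome.exe",   "path": "C:\\Users\\ana\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"ts": 101, "pid": 4120, "image": "chrome.exe",   "path": "C:\\Users\\ana\\AppData\\Local\\Google\\Chrome\\User Data\\Local State"}
{"ts": 150, "pid": 7788, "image": "updater.exe",  "path": "C:\\Users\\ana\\AppData\\Local\\Google\\Chrome\\User Data\\Local State"}
{"ts": 151, "pid": 7788, "image": "updater.exe",  "path": "C:\\Users\\ana\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"ts": 152, "pid": 7788, "image": "updater.exe",  "path": "C:\\Users\\ana\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies"}
{"ts": 153, "pid": 7788, "image": "updater.exe",  "path": "C:\\Users\\ana\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x1.default\\logins.json"}
{"ts": 200, "pid": 9001, "image": "backup.exe",   "path": "C:\\Users\\ana\\Documents\\report.docx"}
{"ts": 201, "pid": 9002, "image": "explorer.exe", "path": "C:\\Users\\ana\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies"}
"""


def store_name(path):
    """Return the lowercase file name if the path is a known store, else None."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name if name in STORE_NAMES else None


def parse_events(text):
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def suspicious_store_reads(events):
    """Events where a process outside the browser allowlist opened a store."""
    hits = []
    for ev in events:
        name = store_name(ev["path"])
        if name and ev["image"].lower() not in BROWSER_IMAGES:
            hits.append({**ev, "store": name})
    return hits


def bulk_collectors(hits, threshold=BULK_THRESHOLD):
    """Map (image, pid) -> sorted distinct stores for processes that touched at
    least `threshold` different stores: the stealer-style sweep across browsers,
    as opposed to a one-off read by a backup or indexing tool."""
    seen = defaultdict(set)
    for h in hits:
        seen[(h["image"].lower(), h["pid"])].add(h["store"])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= threshold}


if __name__ == "__main__":
    hits = suspicious_store_reads(parse_events(SAMPLE_EVENTS))
    for h in hits:
        print(f"[{h['ts']}] {h['image']} (pid {h['pid']}) read {h['store']}")
    for (image, pid), stores in bulk_collectors(hits).items():
        print(f"ALERT bulk credential-store access: {image} pid {pid} -> {stores}")
```

On the constructed sample, the two chrome.exe reads are ignored, the lone explorer.exe read of Cookies is reported but stays below the bulk threshold, and updater.exe (pid 7788) sweeping four stores across two browser families raises the alert. In a real deployment the allowlist should also require a valid signature on the browser image, since a stealer can name its binary whatever it likes.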
Known Indicators of Compromise
Indicators may vary across campaigns and malware samples. Verify all IOCs against current threat feeds before actioning.
File Hashes
Specific Storm malware sample hashes have not been publicly released at the time of writing. Organisations should query current threat intelligence platforms and VirusTotal for the string "Storm infostealer" and check the Varonis Threat Labs full technical report for any hashes released after initial publication.
MITRE ATT&CK Techniques
| Technique ID | Technique Name | Application in This Campaign |
|---|---|---|
| T1539 | Steal Web Session Cookie | Core capability; Storm exfiltrates session cookies for all active browser sessions to enable authenticated replay without triggering MFA |
| T1528 | Steal Application Access Token | Google Refresh Tokens stolen and used with geo-matched SOCKS5 proxies to silently restore authenticated Google sessions on attacker infrastructure |
| T1555.003 | Credentials from Web Browsers | Saved passwords, autofill, and credit card data harvested from Chrome, Edge, Firefox, Waterfox, and Pale Moon |
| T1041 | Exfiltration Over C2 Channel | Encrypted credential stores shipped to C2 for server-side decryption; cleartext credentials never exist on the victim endpoint |
| T1027 | Obfuscated Files or Information | Custom or weak encryption applied to stolen data packages before transmission to reduce endpoint telemetry |
| T1090.003 | Proxy: Multi-hop Proxy | Geo-matched SOCKS5 proxies used during session hijacking to make attacker connections appear to originate from the victim's geographic region |
| T1185 | Browser Session Hijacking | Automated module restores victim's authenticated browser sessions on attacker-controlled infrastructure using stolen cookies and tokens |
| T1552.001 | Credentials In Files | Exfiltration of document files from user directories alongside credential stores |
Mitigation and Prevention
Enforce Browser Credential Storage Policies
Disable browser-based password saving across your organisation using Group Policy or MDM. Move all credential storage to an enterprise password manager that uses hardware-bound keys or FIDO2 authentication. Storm specifically targets browser-native credential stores; removing those stores removes the primary data source.
Deploy Session Token Protections
Configure identity providers and SaaS platforms to bind sessions to device identity, IP range, or hardware token rather than session cookie alone. Platforms that support Continuous Access Evaluation (CAE), such as Microsoft Entra ID and Google Workspace, should have it enabled. CAE revokes sessions in near-real-time when policy conditions change, limiting how long a stolen session token remains usable.
Monitor for Anomalous Session Replay
Implement UEBA rules that flag authenticated sessions originating from a new device, unexpected geolocation, or SOCKS5 or residential proxy infrastructure even when the session cookie is valid and no MFA prompt was triggered. Storm's SOCKS5 geo-matching attempts to fool coarse location checks, but fine-grained device fingerprint mismatches will still surface the anomaly.
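The rule above is easier to reason about with concrete events. The block below is an added example written for this advisory, not a rule from any identity provider or UEBA product. It binds each session to the device fingerprint and network type seen when the session was first issued, then flags later use of the same session from a different device or from proxy infrastructure, with no MFA prompt. The event schema, the network-type labels, and the sample sessions are all constructed assumptions; note that the replayed session in the sample keeps the victim's country, which is exactly the geo-matched SOCKS5 case the country check alone would miss.

```python
"""Flag reuse of a valid session from an unexpected device or proxy network.

Added example for the advisory, not a product rule. Storm replays a stolen
cookie or Google Refresh Token through a SOCKS5 proxy in the victim's country,
so a country check alone passes; this rule binds each session to the device
fingerprint and network type seen at first issue and compares every later use.
"""

# Network classifications treated as proxy infrastructure (assumed labels from
# an IP-enrichment feed; real feeds use their own taxonomy).
PROXY_NET_TYPES = {"residential_proxy", "socks_proxy", "hosting"}

# Constructed sample sign-in / token-use events (hypothetical schema).
SAMPLE_SESSIONS = [
    {"ts": 1000, "session": "s-1", "user": "ana", "country": "BR",
     "net_type": "corporate", "device": "fp-ana-laptop", "mfa": True},
    {"ts": 1600, "session": "s-1", "user": "ana", "country": "BR",
     "net_type": "corporate", "device": "fp-ana-laptop", "mfa": False},
    # Same session and same country, but a new device arriving via a residential proxy.
    {"ts": 2400, "session": "s-1", "user": "ana", "country": "BR",
     "net_type": "residential_proxy", "device": "fp-unknown-01", "mfa": False},
    {"ts": 1100, "session": "s-2", "user": "raj", "country": "IN",
     "net_type": "isp", "device": "fp-raj-phone", "mfa": True},
    {"ts": 3000, "session": "s-2", "user": "raj", "country": "IN",
     "net_type": "isp", "device": "fp-raj-phone", "mfa": False},
    # Legitimate travel: new country, but the same device and MFA was re-prompted.
    {"ts": 4000, "session": "s-2", "user": "raj", "country": "US",
     "net_type": "isp", "device": "fp-raj-phone", "mfa": True},
]


def session_replay_alerts(events):
    """Return one alert per event that reuses a session from an unexpected
    origin without an MFA prompt. The earliest event per session is the binding.
    A device-fingerprint mismatch is rated high; proxy origin or country change
    alone is rated medium."""
    binding = {}
    alerts = []
    for ev in sorted(events, key=lambda e: (e["session"], e["ts"])):
        sid = ev["session"]
        if sid not in binding:
            binding[sid] = ev
            continue
        base = binding[sid]
        reasons = []
        if ev["device"] != base["device"]:
            reasons.append(f"device {base['device']} -> {ev['device']}")
        if ev["net_type"] in PROXY_NET_TYPES:
            reasons.append(f"origin via {ev['net_type']}")
        if ev["country"] != base["country"]:
            reasons.append(f"country {base['country']} -> {ev['country']}")
        # A fresh MFA prompt means the IdP re-verified the user; suppress then.
        if reasons and not ev["mfa"]:
            severity = "high" if reasons[0].startswith("device") else "medium"
            alerts.append({"session": sid, "user": ev["user"], "ts": ev["ts"],
                           "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in session_replay_alerts(SAMPLE_SESSIONS):
        print(f"[{a['severity']}] session {a['session']} user {a['user']} "
              f"at {a['ts']}: {'; '.join(a['reasons'])}")
```

On the constructed sample only session s-1 at ts 2400 is flagged: same country as the victim, but a different device fingerprint and a residential-proxy origin with no MFA prompt. Raj's country change is not flagged because the device matches and MFA was re-prompted. In production the binding should be the IdP's own issuance record rather than the first event the SIEM happens to see, and the device fingerprint should come from a managed-device attestation rather than a browser-supplied value.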
Restrict Crypto Wallet Browser Extensions
Audit and remove browser-based crypto wallet extensions from corporate-managed devices. Desktop wallet applications should be isolated on dedicated, network-segmented machines not used for general browsing or email. Storm explicitly targets both categories; reducing the attack surface requires removing extensions from browsers that also hold corporate credentials.
Apply Chrome App-Bound Encryption and Keep Browsers Updated
Ensure Chrome is on version 127 or later across all managed endpoints. While Storm bypasses App-Bound Encryption through server-side processing of raw credential files, remaining on an unpatched browser removes even the baseline protections. Pair this with blocking the --disable-features=AppBoundEncryptionMetrics flag via enterprise policy to prevent a trivial bypass of the protection entirely.
Harden Messaging Platform Sessions
Require re-authentication for Telegram, Discord, and Signal on any new device sign-in, and enable session management features that allow users to view and revoke active sessions. Provide guidance to all staff on auditing active sessions periodically. Storm's exfiltration of messaging session tokens can give attackers access to internal team communications, sensitive file transfers, and social engineering opportunities targeting colleagues.
Audit Underground Forum Exposure
Use a dark web monitoring service to check whether your organisation's domain or employee credentials appear in infostealer log dumps being traded on criminal forums. Storm's logs panel confirmed 1,715 active victim entries at the time of discovery; those logs will be sold or used for further access. Early detection of leaked credentials allows for pre-emptive session revocation and password resets before an attacker acts on them.
Risk Assessment
Storm's server-side decryption architecture is the most significant technical development in the infostealer market since Google introduced App-Bound Encryption. The security community spent late 2024 and early 2025 watching competing infostealers struggle to adapt to that control, with many releasing hastily patched updates or shifting to kernel-level techniques to access credential stores. Storm bypassed the problem entirely by changing where decryption happens. This is a design philosophy shift, and it will likely be replicated across other stealer families in the months ahead.
The scale of confirmed activity is significant even at this early stage. Varonis Threat Labs observed 1,715 victim log entries across six countries in an active panel, and that represents only the visibility available through a single research engagement. The stealer-as-a-service model means an unknown number of operators are running independent campaigns using Storm infrastructure, each with their own victim pools. The combination of broad browser support, messaging app harvesting, crypto wallet targeting, and automated session hijacking means a single infection event exposes the victim across personal finance, workplace SaaS, and personal communications simultaneously.
The MFA bypass dimension is the most operationally dangerous element for enterprise defenders. Organisations that have invested heavily in MFA rollout as a primary identity control are not protected against session cookie theft. Storm makes that gap concrete and commercially accessible. Once a valid session cookie is in the operator's panel, the MFA control is irrelevant and no further exploitation is needed to access the victim's corporate environment.
Conclusion
The single most important action organisations should take immediately is auditing whether session-level controls such as device-bound sessions, Continuous Access Evaluation, and conditional access policies are enforced across every SaaS platform with access to sensitive data. Password resets and MFA rollouts do not address the threat Storm presents once a session is already in attacker hands.
Storm signals where the infostealer market is heading. The subscription model lowers the barrier to entry, the server-side architecture defeats a generation of endpoint detection logic, and the session hijacking automation converts theft into access at machine speed. Defenders who treat credential theft as a problem solved by MFA will find themselves on the wrong side of that assumption as Storm and its successors proliferate.