A newly identified infostealer known as “Storm” is drawing attention within cybersecurity circles for its ability to bypass traditional endpoint protections, remotely decrypt browser data, and restore hijacked user sessions. The malware, highlighted in recent threat research, represents a shift in how credential theft is executed and monetised.
A shift towards server-side decryption
Storm appeared on underground cybercrime networks in early 2026, offering operators a tool that collects browser credentials, session cookies, and cryptocurrency wallet data, then transmits them to attacker-controlled servers for decryption. Unlike earlier methods that relied on local decryption using browser databases, this approach reduces the visibility of malicious activity on infected devices.
The development follows changes introduced with App-Bound Encryption in Chrome 127, which made local decryption more difficult by tying encryption keys to the browser itself. While earlier bypass techniques involved injecting into Chrome or exploiting debugging protocols, these methods often left detectable traces. Storm’s server-side model removes many of these indicators, making detection more challenging.
Session hijacking and data harvesting capabilities
Once data is decrypted, Storm enables operators to restore authenticated sessions by feeding stolen tokens through its control panel. This allows access to accounts without requiring passwords or triggering typical authentication alerts. The system supports both Chromium and Gecko-based browsers, extending its reach across platforms.
The collected data includes saved passwords, session cookies, autofill entries, account tokens, credit card information, and browsing history. Access to such data can provide entry into software-as-a-service platforms, internal tools, and cloud environments. The malware also gathers documents, messaging data from platforms such as Telegram, Signal, and Discord, and targets cryptocurrency wallets through browser extensions and desktop applications.
Storm operates through a structured infrastructure in which operators connect private servers to central systems. Stolen data is routed through controlled nodes, insulating central servers from direct exposure. The platform also supports multiple users with role-based access, enabling coordinated operations.
Global reach and evolving cybercrime tactics
Analysis of operational logs indicates activity spanning multiple countries, including India, the United States, Brazil, Indonesia, Ecuador, and Vietnam. The data observed includes credentials linked to major online services and cryptocurrency platforms, suggesting broad targeting.
The tool is marketed on a subscription model, with pricing tiers ranging from short-term access to full team licences supporting multiple operators and builds. Notably, deployed instances continue functioning even after subscriptions expire, allowing continued data collection.
Security researchers note that Storm reflects a broader shift in the infostealer ecosystem, where session cookie theft is increasingly replacing password theft as a primary objective. The use of server-side decryption and automated session restoration enables attackers to bypass multi-factor authentication and maintain persistent access, raising concerns about detection and response capabilities across enterprise environments.
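The session restoration described above works because a replayed cookie is, to the server, indistinguishable from the victim's own request. The following is an added example (not code from the article or from any product it mentions) of one server-side mitigation: binding a session to the client fingerprint recorded at login and demanding re-authentication when a later request with the same cookie arrives from a different network or browser. The session store, cookie values, addresses and User-Agent strings are constructed sample data.

```python
"""Added example: detecting replayed session cookies by session binding.

A stolen cookie replayed from attacker infrastructure typically arrives with
a client fingerprint (network prefix, User-Agent) that differs from the one
recorded when the session was created. Checking the fingerprint on every
request lets the server flag the replay and require re-authentication even
though the cookie itself is still valid. All data here is constructed.
"""
import hashlib
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    fingerprint: str            # bound at login, compared on every request
    mfa_verified: bool = True   # dropped to False once a replay is suspected
    alerts: list = field(default_factory=list)


def fingerprint(ip: str, user_agent: str) -> str:
    # Bind to the /24 (IPv4) or /48 (IPv6) prefix rather than the exact
    # address so ordinary address churn does not trigger false positives.
    prefix = f"{ip}/48" if ":" in ip else f"{ip}/24"
    net = ipaddress.ip_network(prefix, strict=False)
    return hashlib.sha256(f"{net}|{user_agent}".encode()).hexdigest()


# Constructed in-memory session store keyed by cookie value.
SESSIONS: dict[str, Session] = {}


def login(cookie: str, user: str, ip: str, user_agent: str) -> None:
    """Record the fingerprint of the client that completed authentication."""
    SESSIONS[cookie] = Session(user=user, fingerprint=fingerprint(ip, user_agent))


def check_request(cookie: str, ip: str, user_agent: str) -> str:
    """Return 'ok', 'reauth' (fingerprint mismatch, possible replay) or 'invalid'."""
    sess = SESSIONS.get(cookie)
    if sess is None:
        return "invalid"
    if sess.fingerprint != fingerprint(ip, user_agent):
        sess.mfa_verified = False   # the cookie alone no longer suffices
        sess.alerts.append(f"cookie for {sess.user} replayed from {ip} / {user_agent}")
        return "reauth"
    return "ok"
```

A replay routed through a proxy near the victim with a copied User-Agent can pass this check, so it is a detection layer to pair with short-lived tokens and alerting on the recorded mismatches, not a replacement for them.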