‘Storm’ infostealer changes tactics

The 'Storm' infostealer family has been observed sending browser data directly to attacker servers instead of decrypting it locally, a technique that enables session hijacking even when multi‑factor authentication is present. Researchers described this behaviour as a way to bypass local protections and harvest live session tokens. (x.com)

A browser cookie is a site’s “keep me signed in” stub, and a new infostealer called Storm is built to steal those stubs instead of cracking passwords on the victim’s computer. (developer.mozilla.org) (varonis.com)

Varonis Threat Labs said in an April 2026 report that Storm collects encrypted browser data and sends it to attacker-controlled servers for decryption, rather than decrypting it on the infected device. The researchers said that shift lets the malware avoid many endpoint detections that watch for local access to browser credential stores. (varonis.com) (bleepingcomputer.com)

Storm’s operators advertised support for Chromium-based browsers and Gecko-based browsers, including Firefox, Waterfox and Pale Moon, according to Varonis. The data listed in the report includes saved passwords, session cookies, autofill entries, Google account tokens, credit card data and browsing history. (varonis.com) (infosecurity-magazine.com)

A session cookie works like a wristband at a concert: once the site has checked your password and multi-factor authentication, the cookie tells the site you already passed the gate. If an attacker steals that cookie and reuses it, the attacker can often act as the logged-in user without triggering a fresh multi-factor authentication challenge. (developer.mozilla.org) (varonis.com)

That makes Storm part of a broader shift from password theft to session theft. Varonis said one compromised employee browser can hand an operator authenticated access to software-as-a-service platforms, internal tools and cloud environments without a password-based alert. (varonis.com) (bleepingcomputer.com)

The timing tracks changes in browser defenses. Google said Chrome 127, released in July 2024, introduced Application-Bound Encryption on Windows for cookies, tying decryption to the Chrome app instead of any program running as the signed-in user. (security.googleblog.com 1) (security.googleblog.com 2) Google also said attackers responded by abusing Chrome’s remote debugging features to extract cookies after Application-Bound Encryption shipped. Varonis said Storm goes a step further by shipping encrypted files off the machine and handling decryption on attacker infrastructure. (developer.chrome.com) (varonis.com)

Varonis said Storm automates the takeover step inside an operator panel: the buyer can feed in a Google refresh token and a geographically matched SOCKS5 proxy to restore the victim’s authenticated session. BleepingComputer reported that this lowers the skill needed to turn stolen browser data into live account access. (varonis.com) (bleepingcomputer.com)

Storm is not the first infostealer to chase browser data, but its server-side decryption model shows how quickly malware authors are adapting to browser hardening. The practical result is that a stolen session can still open the door after the password and multi-factor authentication checks are over. (security.googleblog.com) (varonis.com)
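One defensive check the wristband description above points to, as an added example that is not from the Varonis report or this article: a server-side detector that flags a session identifier presented from a second client within a short window, so a replayed cookie can be revoked before the operator does much with it. The log records, session ids, addresses and user agents are constructed; the thirty-minute window is an assumed tuning value.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log records: (timestamp, session_id, source_ip, user_agent).
SAMPLE_LOG = [
    ("2026-04-10T09:00:00", "sess_a1", "203.0.113.7",  "Mozilla/5.0 (Windows NT 10.0) Chrome/124"),
    ("2026-04-10T09:04:00", "sess_a1", "203.0.113.7",  "Mozilla/5.0 (Windows NT 10.0) Chrome/124"),
    # The same cookie replayed minutes later from another address and client:
    ("2026-04-10T09:06:30", "sess_a1", "198.51.100.9", "python-requests/2.31"),
    ("2026-04-10T09:08:00", "sess_b2", "192.0.2.44",   "Mozilla/5.0 (Macintosh) Firefox/125"),
    # A genuine address change hours later, outside the window: not flagged.
    ("2026-04-10T11:00:00", "sess_b2", "192.0.2.45",   "Mozilla/5.0 (Macintosh) Firefox/125"),
]


def parse(records):
    """Turn the raw tuples into (datetime, session_id, ip, user_agent)."""
    return [(datetime.fromisoformat(ts), sid, ip, ua) for ts, sid, ip, ua in records]


def find_session_replay(records, window=timedelta(minutes=30)):
    """Return one alert per request whose session id was already seen from a
    different (ip, user_agent) pair within `window`.

    An operator using a geo-matched proxy can keep the source address in the
    victim's region, so a changed user agent is treated as a signal on its own
    rather than requiring the address to change as well."""
    seen = defaultdict(list)  # session_id -> [(time, ip, ua)] already observed
    alerts = []
    for ts, sid, ip, ua in sorted(parse(records)):
        for prev_ts, prev_ip, prev_ua in seen[sid]:
            if ts - prev_ts > window:
                continue  # too old to count as concurrent use
            reasons = []
            if ip != prev_ip:
                reasons.append("source ip changed")
            if ua != prev_ua:
                reasons.append("user agent changed")
            if reasons:
                alerts.append({"session": sid, "at": ts.isoformat(), "reasons": reasons,
                               "previous": (prev_ip, prev_ua), "current": (ip, ua)})
                break  # one alert per offending request is enough
        seen[sid].append((ts, ip, ua))
    return alerts


def sessions_to_revoke(alerts):
    """Session ids that should be invalidated server-side and re-challenged."""
    return sorted({a["session"] for a in alerts})


if __name__ == "__main__":
    for alert in find_session_replay(SAMPLE_LOG):
        print(alert)
    print("revoke:", sessions_to_revoke(find_session_replay(SAMPLE_LOG)))
```

Revoking the session forces a fresh sign-in and multi-factor challenge, which is the step the stolen cookie was used to skip.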
