‘Storm’ infostealer bypasses MFA

Security researchers documented a new infostealer called 'Storm' that exfiltrates browser data directly to attacker servers, skipping local decryption and enabling session hijacking even when multi‑factor authentication is in place. (x.com) The technique focuses on live session capture rather than bulk credential decryption. (x.com)

A browser session is the digital wristband a site gives you after you log in. Researchers say a new infostealer called Storm steals that wristband, letting attackers walk past multi-factor authentication without asking for another code. (varonis.com) Varonis Threat Labs said Storm appeared on underground cybercrime networks in early 2026 and rents for under $1,000 a month. The malware collects browser credentials, session cookies, crypto wallet data, and other browser files, then sends them to attacker infrastructure instead of trying to unlock them on the victim’s computer. (varonis.com) (forbes.com)

That design targets the point after login, not the password prompt itself. Varonis said Storm can restore a hijacked session by feeding a stolen Google refresh token into its operator panel with a geographically matched SOCKS5 proxy, so the attacker inherits an already authenticated browser session. (varonis.com)

Older stealers often tried to decrypt browser data on the infected machine, which created behavior that endpoint security tools could spot. Google said Chrome 127, released in July 2024, added App-Bound Encryption on Windows to tie cookie protection to the browser’s identity rather than any program running as the logged-in user. (security.googleblog.com) Varonis said Storm sidesteps that local tripwire by shipping encrypted browser files to attacker servers for server-side processing. The firm said Storm handles both Chromium browsers and Gecko-based browsers such as Firefox, Waterfox, and Pale Moon this way. (varonis.com)

The practical effect is that multi-factor authentication can still work exactly as designed during login and still fail to stop account takeover afterward. Varonis said one compromised employee browser can hand over authenticated access to software-as-a-service platforms, internal tools, and cloud environments without triggering a password-based alert. (varonis.com)

Storm’s operators are also selling more than browser access. Forbes, citing the Varonis research, said the malware grabs documents from user directories, extracts session data from Telegram, Signal, and Discord, targets browser-extension and desktop crypto wallets, and captures system information and screenshots across multiple monitors. (forbes.com)

Session hijacking is not new, but the emphasis on live session material has grown as browsers hardened local storage. Varonis linked Storm to the same broader problem it described in earlier research on stolen Microsoft 365 and Azure Entra ID session cookies, where the attacker uses a valid session artifact instead of re-entering a password. (varonis.com 1) (varonis.com 2)

The immediate lesson is narrower than “multi-factor authentication is broken.” Storm works by stealing the proof that a login already happened, and Varonis’s report says that proof now has enough value for attackers to rent a purpose-built tool to capture, export, and reuse it. (varonis.com)
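The geo-matched proxy detail above is why a detection built only on where a token is used from can miss a replayed refresh token. The following added example (not from the Varonis or Forbes reporting) runs two rules over constructed identity-provider log events: a geography-only rule, and a rule that ties each refresh token to the client fingerprint that first used it. The field names and the `client` fingerprint are assumptions standing in for whatever a real identity provider records (user agent, device ID, TLS fingerprint).

```python
"""Compare a geography-only rule with a client-binding rule for refresh-token replay."""
from collections import defaultdict

# Constructed sample events: refresh-token grants as an identity provider might log them.
# The third event is a replay through a proxy in the victim's own country, so the
# country never changes, but the presenting client fingerprint does.
EVENTS = [
    {"ts": 1, "token_id": "rt-A", "ip_country": "DE", "client": "chrome-win-desk01"},
    {"ts": 2, "token_id": "rt-A", "ip_country": "DE", "client": "chrome-win-desk01"},
    {"ts": 3, "token_id": "rt-A", "ip_country": "DE", "client": "chrome-linux-panel"},
    {"ts": 4, "token_id": "rt-B", "ip_country": "US", "client": "chrome-mac-lap02"},
]


def geo_only_alerts(events):
    """Flag a token only when it is used from more than one country (impossible-travel style)."""
    countries = defaultdict(set)
    alerts = set()
    for e in events:
        countries[e["token_id"]].add(e["ip_country"])
        if len(countries[e["token_id"]]) > 1:
            alerts.add(e["token_id"])
    return sorted(alerts)


def client_binding_alerts(events):
    """Flag a token presented by a client fingerprint other than the one that first used it.

    The fingerprint is assumed to be something the server derives (device ID, TLS
    fingerprint); a bare user-agent string can be copied along with the token.
    """
    first_client = {}
    alerts = set()
    for e in events:
        tid = e["token_id"]
        first_client.setdefault(tid, e["client"])
        if e["client"] != first_client[tid]:
            alerts.add(tid)
    return sorted(alerts)


if __name__ == "__main__":
    print("geo-only rule flags:", geo_only_alerts(EVENTS))          # []
    print("client-binding rule flags:", client_binding_alerts(EVENTS))  # ['rt-A']
```

Revoking the flagged token server-side invalidates the stolen artifact even though the original login and its MFA step were legitimate.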
