
New Infostealer Hijacks Sessions and Decrypts Stolen Browser Data Server-Side

Originally published on: April 14, 2026
Summary

– Storm is a new infostealer, sold for a monthly fee, that harvests browser data and sends the still-encrypted files to the attacker’s server for decryption, avoiding the local decryption activity that endpoint tools detect.
– It represents a shift in stealer tactics, moving decryption to server-side infrastructure to bypass endpoint security tools that monitor local browser access.
– The tool automates session hijacking by using stolen cookies and tokens to silently restore authenticated victim sessions, bypassing multi-factor authentication.
– Operators use their own virtual private servers to route stolen data, insulating the central service from law enforcement takedowns.
– Storm is sold via subscription, and deployed stealers continue to operate even if the operator’s license expires.

A new threat called Storm emerged on cybercrime forums in early 2026, signaling a significant evolution in credential theft. For a monthly subscription under $1,000, attackers gain access to a powerful infostealer that collects browser credentials, session cookies, and cryptocurrency wallet data. The malware then transmits this encrypted information to the attacker’s own servers for decryption, a method that bypasses many modern endpoint security defenses.

This represents a strategic pivot. Traditional stealers decrypted browser data locally on the infected machine, reading the browser’s database files and recovering the DPAPI-protected key in the victim’s user context. Security software became highly effective at detecting this activity, making local decryption a clear indicator of compromise. The landscape shifted further when Google rolled out App-Bound Encryption with Chrome 127, which ties the key protecting cookies to the browser’s own identity through a privileged elevation service, so a process merely running as the logged-in user can no longer recover it with a plain DPAPI call.

In response, malware developers changed tactics. Instead of fighting local defenses, they began exfiltrating the encrypted browser files to their own infrastructure for processing. This removes the critical telemetry that endpoint detection tools rely on to spot credential theft. Storm adopts this server-side approach comprehensively, supporting both Chromium-based browsers and Gecko-based ones like Firefox. This contrasts with some contemporaries, like StealC V2, which still handles Firefox data locally.

The scope of collected data is extensive. Storm harvests saved passwords, session cookies, autofill details, Google account tokens, credit card information, and browsing history. With this data, a single compromised employee workstation can provide an attacker with authenticated access to corporate SaaS platforms, internal systems, and cloud environments, all without triggering a single password-related alert.

A key feature that sets Storm apart is its automated session hijacking capability. After server-side decryption, stolen credentials and cookies are presented in the attacker’s control panel. While most stealers leave the operator to use stolen logs by hand, Storm streamlines the next phase of the attack. Given a stolen Google refresh token and a proxy in a geography that matches the victim, an operator can use the panel to silently restore the victim’s authenticated session. Because the session is already authenticated, this bypasses multi-factor authentication (MFA) without ever touching a password or an MFA prompt, a technique previously documented in research on attacks against Microsoft 365 and Microsoft Entra ID.
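A replayed session still leaves a trace on the server side: the same session identifier starts arriving from a different network, device or browser than the one that created it. The following is an added example (not code from Storm, BleepingComputer or any vendor) of a detection rule that binds each session ID to the ASN, country and user agent seen at its first request and flags later requests that break that binding. The log format, the ASN values and the log lines themselves are constructed for the example.

```python
"""Flag replayed browser sessions in constructed web/SSO access logs.

Added example, not the panel's or any product's code. A stolen cookie
presented through a geo-matched proxy passes a naive country check, so the
rule binds each session ID to the network (ASN) and client fingerprint
(user agent) of its first request and alerts on any later request on the
same session that breaks the binding. Log format and ASN numbers are assumed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines in the assumed format:
# ts user sid=<id> src_ip asn country user_agent...
# alice: same country and UA, but the session moves to a different ASN.
# bob:   same ASN, but the user agent changes mid-session.
SAMPLE_LOG = """\
2026-04-14T09:01:12Z alice sid=7f3a 203.0.113.10 AS64500 US Mozilla/5.0 (Windows NT 10.0) Chrome/135
2026-04-14T09:05:40Z alice sid=7f3a 203.0.113.10 AS64500 US Mozilla/5.0 (Windows NT 10.0) Chrome/135
2026-04-14T09:31:02Z alice sid=7f3a 198.51.100.77 AS64501 US Mozilla/5.0 (Windows NT 10.0) Chrome/135
2026-04-14T09:32:15Z bob sid=9c21 192.0.2.25 AS64502 BR Mozilla/5.0 (Windows NT 10.0) Chrome/135
2026-04-14T09:33:00Z bob sid=9c21 192.0.2.25 AS64502 BR Mozilla/5.0 (X11; Linux x86_64) Firefox/137
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    sid: str
    ip: str
    asn: str
    country: str
    ua: str


@dataclass
class Alert:
    user: str
    sid: str
    ts: datetime
    src_ip: str
    reasons: tuple


def parse_line(line: str) -> Event:
    # The user agent contains spaces, so split off the six fixed fields only.
    ts, user, sid, ip, asn, country, ua = line.split(" ", 6)
    return Event(
        datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        user, sid.removeprefix("sid="), ip, asn, country, ua,
    )


def parse_log(text: str) -> list:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def find_session_replays(events, max_age=timedelta(hours=24)) -> list:
    """Bind each session ID to its first request; alert on later requests on
    the same session that arrive from a different ASN, country or user agent.
    After max_age the binding is renewed, on the assumption that a server-side
    session that old should have been rotated anyway (assumed policy)."""
    bindings = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        first = bindings.get(ev.sid)
        if first is None or ev.ts - first.ts > max_age:
            bindings[ev.sid] = ev
            continue
        reasons = []
        if ev.asn != first.asn:
            reasons.append(f"asn {first.asn}->{ev.asn}")
        if ev.country != first.country:
            reasons.append(f"country {first.country}->{ev.country}")
        if ev.ua != first.ua:
            reasons.append("user agent changed")
        if reasons:
            alerts.append(Alert(ev.user, ev.sid, ev.ts, ev.ip, tuple(reasons)))
    return alerts


if __name__ == "__main__":
    for a in find_session_replays(parse_log(SAMPLE_LOG)):
        print(f"{a.ts:%H:%M:%S} {a.user} sid={a.sid} from {a.src_ip}: {', '.join(a.reasons)}")
```

Two caveats a practitioner should keep in mind. First, because the stealer also collects system information, assume the operator can clone the victim’s user agent; the change of origin network against the ISP the session was created on is the more durable of the two signals. Second, this is detection after the fact: only binding the session to the device cryptographically removes the replay itself.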

Storm’s collection modules go beyond browsers. The malware can scoop up documents from user directories, extract session data from messaging apps like Telegram and Discord, and target cryptocurrency wallets via both browser extensions and desktop applications. It also captures system information and takes screenshots across multiple monitors. The stealer operates primarily in memory to minimize its forensic footprint.

Its infrastructure model is designed for resilience. Operators connect their own virtual private servers (VPS) to Storm’s central command servers. This means stolen data flows through infrastructure controlled by the individual attacker, not a shared platform. This architecture insulates the core servers from law enforcement takedowns, as any abuse complaints or investigations would first target the operator’s node. The platform supports team management with role-based permissions, allowing a single license to facilitate a small criminal operation with distinct roles for log review, malware build creation, and session restoration.

A feature called domain detection automatically categorizes stolen credentials by service, using visible rules for platforms like Google, Facebook, and major cryptocurrency exchanges. This allows attackers to quickly filter and prioritize high-value accounts for immediate exploitation.

Investigations into active campaigns reveal a logs panel containing over 1,700 entries from victims in India, the United States, Brazil, and several other countries. The variety of IP addresses, internet service providers, and data volumes suggests these are likely real compromises. Credentials linked to major social media and cryptocurrency platforms are prevalent, exactly the type of data that fuels account takeover fraud, financial theft, and provides initial access for more targeted network intrusions.

Storm is sold via a tiered subscription model: a $300 weekly demo, a $900 monthly standard license, and a $1,800 monthly team license supporting 100 users. Notably, deployed malware builds continue to operate and collect data even if the operator’s subscription lapses, creating persistent threats.

The rise of tools like Storm underscores a broader trend in the cybercrime ecosystem. Server-side decryption allows attackers to evade endpoint security tools tuned for local activity. Simultaneously, the theft of session cookies has increasingly supplanted password theft as a primary objective, as it provides immediate, authenticated access that bypasses MFA. The credentials and sessions harvested by these stealers are often just the beginning, leading to logins from unusual locations, lateral movement inside networks, and data access that violates normal behavioral patterns.

Key indicators for this threat include the forum handle “StormStealer,” a registration date of December 12, 2025, and a current version listed as v0.0.2.0. Its builds are written in C++, compiled with MSVC/msbuild, produce a binary of roughly 460 KB, and target the Windows operating system exclusively.

(Source: BleepingComputer)
