A Quiet "Storm": Infostealer Hijacks Sessions, Decrypts Server-Side

Khushal

Apr 4, 2024
Meet Storm, a new infostealer that tiptoes around endpoint security tools, remotely decrypts browser credentials, and lets operators restore hijacked sessions.

A new infostealer called Storm appeared on underground cybercrime networks in early 2026, representing a shift in how credential theft is developing. For under $1,000 a month, operators get a stealer that harvests browser credentials, session cookies, and crypto wallets, then quietly ships everything to the attacker's server for decryption.

To understand why enterprises should care, it helps to know what changed. Stealers used to decrypt browser credentials on the victim's machine by loading SQLite libraries and accessing credential stores directly. Endpoint security tools got good at catching this, making local browser database access one of the clearest signs that something malicious was running.

Then Google introduced App-Bound Encryption in Chrome 127 (July 2024), which tied encryption keys to Chrome itself and made local decryption even harder. The first wave of bypasses involved injecting into Chrome or abusing its debugging protocol, but those still left traces that security tools could pick up.
 
This is plausible as a trend, but the article should be treated as vendor research until it is independently corroborated.

What stands out technically

  • The claimed shift is the move from local credential decryption to server-side or remote-assisted decryption workflows.
  • That matters because many EDR products already watch for suspicious local access to browser credential stores, SQLite files, browser process injection, and abuse of browser debugging interfaces.
  • If an infostealer can reduce those local artifacts, detection may become harder, especially if the malicious activity blends into normal browser or network behavior.
  • The mention of session restoration is also important. In practice, stolen session cookies can sometimes be as valuable as passwords because they may let an attacker bypass the login step entirely until the session expires or is revoked.

About the Chrome angle

Chrome’s App-Bound Encryption is real, and its purpose is to make theft of locally stored secrets more difficult by binding protection more tightly to the application context.

That said, I would be careful with any simplified summary that suggests this fully “solves” credential theft or that one new stealer has cleanly bypassed everything. In general:

  • Security changes raise attacker cost; they do not usually end the threat category.
  • Attackers often adapt by stealing tokens, abusing live sessions, using process injection, or shifting activity to places defenders monitor less effectively.
  • Browser credential theft is not just about passwords anymore; cookies, session tokens, autofill data, and wallet-related artifacts are often the real objective.

Why enterprises should care

Even if some implementation details in the report still need more validation, the broader risk is credible:

  • Infostealers remain one of the main entry points for account takeover.
  • Stolen browser sessions can undermine MFA in some scenarios, depending on session design and token handling.
  • Compromised developer, finance, and admin endpoints are especially high-impact because browsers often hold privileged SaaS sessions.
  • Low-cost MaaS-style pricing lowers the barrier for less skilled threat actors.

Practical defensive takeaways

  • Do not rely on password managers built into browsers alone for high-value enterprise accounts. A dedicated password manager with strong admin controls is usually the safer choice.
  • Use phishing-resistant MFA where possible, such as FIDO2/security keys, while understanding that session theft can still remain a separate problem.
  • Harden browser and endpoint telemetry:
    • Monitor suspicious access to browser profile data.
    • Watch for unusual child processes, DLL loads, browser debugging abuse, and token/cookie theft patterns.
    • Inspect unusual outbound traffic from user endpoints, especially immediately after browser activity.
  • Shorten session lifetime for sensitive apps and enforce reauthentication for critical actions.
  • Use conditional access, device trust, and impossible-travel or anomalous-session detections in identity platforms.
  • Treat infostealer infection as both a malware incident and an identity incident:
    • Reset passwords
    • Revoke sessions/tokens
    • Rotate wallet or API secrets if applicable
    • Review mailbox rules, OAuth grants, and SSO integrations

One caution on the article itself

I cannot verify from the link alone whether every technical claim about “Storm” has been independently confirmed, and I would avoid treating the name or capabilities as established fact until more researchers or vendors publish matching analysis.

Bottom line

The specific branding may or may not become widely recognized, but the underlying direction is believable: infostealers are evolving away from noisy local theft techniques and toward methods that reduce endpoint visibility while maximizing session hijacking value. Defenders should focus at least as much on identity and session protection as on traditional malware detection.

The interesting aspect of Storm is the value that active sessions acquire. In a corporate environment, a cookie or token from an administrator can equal direct access to critical systems, bypassing MFA and security controls. For a home user, the loss of credentials is problematic (email, social networks, crypto), but the impact is more limited, since companies are the primary target of this type of attack.

In other words: Storm turns the session into the master key, and that is what makes it especially dangerous in the enterprise context. 🔑 🏢 🌐
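The monitoring items in the takeaways above (browser profile data access, debugging-interface abuse, unusual browser child processes) can be expressed as concrete rules. This is an added example, not code from the post or from any analysis of Storm: a small Python scanner over constructed JSON-line events whose field names are loosely modelled on Sysmon (not a real vendor schema), flagging non-browser processes that read Chrome's credential and cookie stores, a browser launched with its remote debugging interface exposed, and a browser spawning a shell.

```python
import json
import ntpath

# Chrome profile files that hold credentials, cookies, autofill data and the app-bound key blob.
SECRET_FILES = {"login data", "cookies", "web data", "local state"}
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe"}
DEBUG_FLAGS = ("--remote-debugging-port", "--remote-debugging-pipe")
SHELLS = {"cmd.exe", "powershell.exe", "rundll32.exe", "mshta.exe"}

def _base(path):
    """Lower-cased file name of a Windows path ('' if missing)."""
    return ntpath.basename(path or "").lower()

def classify(ev):
    """Return an alert name for one event dict, or None when it looks benign."""
    img = _base(ev.get("Image"))
    if ev.get("EventType") == "FileAccess":
        target = ev.get("TargetFilename", "")
        in_profile = "\\user data\\" in target.lower()
        # The browser reading its own files is normal; any other process touching
        # the credential/cookie stores is the classic local-theft artifact.
        if in_profile and _base(target) in SECRET_FILES and img not in BROWSER_IMAGES:
            return "browser_secret_access"
    elif ev.get("EventType") == "ProcessCreate":
        cmd = (ev.get("CommandLine") or "").lower()
        # Browser started with its debugging interface exposed (the bypass route the post mentions).
        if img in BROWSER_IMAGES and any(flag in cmd for flag in DEBUG_FLAGS):
            return "browser_debug_interface_enabled"
        # A browser spawning a shell or LOLBin is an unusual child process.
        if _base(ev.get("ParentImage")) in BROWSER_IMAGES and img in SHELLS:
            return "browser_spawned_shell"
    return None

def scan(lines):
    """Parse JSON lines; return [(alert_name, offending image), ...]."""
    hits = []
    for ev in map(json.loads, lines):
        name = classify(ev)
        if name:
            hits.append((name, ev.get("Image")))
    return hits

# Constructed sample events: lines 1 and 4 are benign; 2, 3 and 5 should alert.
SAMPLE_LOG = [
    r'{"EventType":"FileAccess","Image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","TargetFilename":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}',
    r'{"EventType":"FileAccess","Image":"C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe","TargetFilename":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}',
    r'{"EventType":"ProcessCreate","Image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","ParentImage":"C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe","CommandLine":"chrome.exe --headless --remote-debugging-port=9222"}',
    r'{"EventType":"ProcessCreate","Image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"chrome.exe https://example.com"}',
    r'{"EventType":"ProcessCreate","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","CommandLine":"powershell -w hidden"}',
]
```

`scan(SAMPLE_LOG)` returns one hit per constructed event 2, 3 and 5; in a real deployment the allow-lists would need the browser's own updater and backup agents added to keep false positives down.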