The Silent Storm: New Infostealer Hijacks Sessions, Decrypts Server-Side
Varonis Threat Labs highlights Storm, a new infostealer that shifts credential theft to server-side decryption and automated session hijacking. Debuting in early 2026, Storm decrypts data from Chromium and Firefox-based browsers and forwards it to attacker-controlled infrastructure for silent session restoration, enabling access to SaaS and cloud services without passwords or MFA alerts. The toolkit harvests saved passwords, cookies, autofill data, tokens, crypto wallets, and more, then uses Google Refresh Tokens and SOCKS5 proxies to re-create authenticated sessions. Storm operates with dedicated infrastructure, supports tiered licensing (demo, standard, team), and runs across multiple operators; observed campaigns target Google, Facebook, Twitter/X, and crypto platforms across many countries. Indicators of compromise include the StormStealer forum handle, version Gunnar v0.0.2.0, a Windows-only C++ build, and a registration date of 12/12/25.

THE SILENT “STORM”: NEW INFOSTEALER HIJACKS SESSIONS, DECRYPTS SERVER-SIDE
- Introduction
- A new infostealer named Storm emerged on underground cybercrime networks in early 2026, signaling a shift in how credential theft is conducted.
- For under $1,000 per month, operators access a stealer that harvests browser credentials, session cookies, and crypto wallets, then quietly transmits data to the attacker’s server for decryption and use.
- The development reflects a move away from on‑device decryption toward centralized, server‑side processing that can evade many endpoint defenses.
- Why this matters: what changed in the credential theft landscape
- Traditional stealer behavior relied on decrypting browser data on the victim machine by loading SQLite libraries and accessing credential stores directly.
- Endpoint security tools became adept at spotting local decryption activity, making such on‑device access a recognizable attack signal.
- Google introduced App‑Bound Encryption in Chrome 127 (July 2024), tying encryption keys to Chrome itself and complicating local decryption. Early bypasses involved injecting into Chrome or abusing debugging interfaces, but those methods still left detectable traces.
- In response, stealer developers began shipping encrypted data back to their own infrastructure for decryption, reducing reliance on local telemetry that security tools watch for.
- Storm pushes this further by handling both Chromium‑ and Gecko‑based browsers (including Firefox, Waterfox, and Pale Moon) on the server side, while competing product lines like StealC V2 continue to decrypt Firefox locally.
- The net effect: stolen data is encrypted and transmitted off‑device, reducing the chance of detection during the decryption phase and enabling broader cross‑browser coverage.
- Data collected: what Storm grabs
- The stealer harvests a comprehensive set of credentials and artifacts to enable remote hijacking and account access.
- Key data types include saved passwords, session cookies, autofill data, Google account tokens, credit card data, and browsing history.
- In addition to login information, Storm aims to capture other artifacts that support credential reuse and persistence across services.
- Cookie restore and session hijacking: the automation edge
- After decryption, credentials and session cookies are dumped into the operator’s control panel.
- Unlike some competing tools that require manual replay of stolen logs, Storm automates the next phase of the attack.
- A typical workflow involves using a Google Refresh Token together with a geographically matched SOCKS5 proxy to silently restore an active session on the victim’s account.
- This approach mirrors earlier research showing how stolen session tokens can bypass multi‑factor authentication in practice, enabling continued access without requiring a password.
- The server‑side, automated cookie restoration enables rapid access to cloud services and web apps once an attacker has a valid session.
- Related context: Interceptor and AI‑driven email threats
- The email threat landscape is evolving alongside infostealers, with AI‑driven capabilities enabling more deceptive phishing campaigns.
- Interceptor and similar AI‑native security products illustrate the response to this trend: stopping sophisticated threats before they reach an inbox rather than after delivery.
- This is not a component of Storm, but it helps explain why organizations are increasingly investing in AI‑assisted security tools and proactive defenses.
- Collection and infrastructure: how Storm operates at scale
- Storm expands beyond credentials to grab documents from user directories and to harvest session data from messaging platforms such as Telegram, Signal, and Discord.
- The malware targets crypto wallets through both browser extensions and desktop applications, and it records system information and screenshots across multiple monitors.
- To minimize detection, everything runs in memory rather than writing to disk.
- On the infrastructure side, operators connect their own virtual private servers (VPS) to Storm’s central servers, routing stolen data through infrastructure they control. This architectural choice helps insulate the core servers from takedowns and law‑enforcement actions because abuse reports or seizures tend to hit the operator’s node first.
- Storm includes team management features that support multiple workers, with permissions for log access, build creation, and cookie restoration, enabling a single license to support a small, segmented operation.
- Domain detection rules tag credentials by service (Google, Facebook, Twitter/X, and cPanel), allowing operators to quickly filter and prioritize accounts for exploitation.
- Active campaigns and pricing: how Storm is offered
- Investigative logs for Storm show activity across a broad geographic footprint, including India, the United States, Brazil, Indonesia, Ecuador, Vietnam, and other regions.
- A variety of credential types appear in the data set, including tokens and login data for Google, Facebook, Twitter/X, Coinbase, Binance, Blockchain.com, and Crypto.com—data that commonly enters credential marketplaces and is used for account takeover and initial access campaigns.
- Storm is sold as a tiered subscription:
  - $300 for a 7‑day demo
  - $900 per month for standard access
  - $1,800 per month for a team license with up to 100 operator seats and 200 builds
  - A cryptor is required on top of the base product.
- Notably, builds may continue to harvest data even after a subscription expires, enabling continued data collection independent of license status.
- Detecting stolen sessions: trends in the market
- Storm represents part of a broader shift toward server‑side decryption and away from on‑device credential theft.
- By removing the need to decrypt locally, attackers can evade many endpoint monitoring tools that detect local credential extraction.
- Session cookies and tokens increasingly become the primary objective, enabling login from unfamiliar locations and broader lateral movement within networks and cloud environments.
- Indicators of compromise (IoCs)
- Forum handle: StormStealer
- Forum ID: 221756
- Account registered: 12/12/25
- Current version: v0.0.2.0 (Gunnar)
- Build characteristics: C++ (MSVC/msbuild), approximately 460 KB, Windows‑only
- Context note: the article and details originate from security researchers describing Storm and its marketplace presence.
- Context and provenance (article framing)
- The material reflects a security research narrative that situates Storm within known patterns of credential theft, session hijacking, and cross‑platform data collection.
- The information highlights how modern infostealers are evolving to consolidate decryption and data exfiltration in centralized infrastructure, with a focus on automation and scalability.
- Summary of implications
- The server‑side decryption model shifts the balance of visibility in security monitoring, reducing local telemetry signals that defenders commonly rely on to detect credential theft.
- The emphasis on session cookies and tokens as primary targets suggests defenders should prioritize robust monitoring of unusual session activity, cross‑location logins, and token usage anomalies.
- The distributed infrastructure model used by Storm underscores the importance of threat intelligence that can map attacker ecosystems, infrastructure ownership, and the lifecycle of compromised accounts across services.
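The "Detecting stolen sessions" section and the implications above both point to the same defensive signal: a restored session cookie is presented from a client that is not the one that created it. The following added example (not from the Varonis write‑up, and not Storm's or any vendor's code) runs that check over a constructed auth‑gateway log. It compares each request's ASN, user agent and country against the fingerprint first seen for the session ID, so a geo‑matched proxy that keeps the country constant is still flagged by the ASN and browser change; the log format and field names are assumptions.

```python
import json
from typing import Dict, List

# Constructed sample of an auth gateway's JSON-lines log (field names assumed,
# not real traffic). The third alice line reuses session s-1001 from a new
# network and browser build while staying in the same country: the trace a
# geo-matched proxy leaves behind.
SAMPLE_LOG = """
{"ts":"2026-02-03T09:00:12Z","user":"alice","sid":"s-1001","ip":"203.0.113.10","asn":"AS64500","country":"US","ua":"Chrome/131"}
{"ts":"2026-02-03T09:05:40Z","user":"alice","sid":"s-1001","ip":"203.0.113.10","asn":"AS64500","country":"US","ua":"Chrome/131"}
{"ts":"2026-02-03T09:31:02Z","user":"alice","sid":"s-1001","ip":"198.51.100.77","asn":"AS64496","country":"US","ua":"Chrome/128"}
{"ts":"2026-02-03T10:02:55Z","user":"bob","sid":"s-2002","ip":"192.0.2.8","asn":"AS64501","country":"BR","ua":"Firefox/134"}
"""

# Country alone is a weak signal because the proxy is chosen to match it;
# ASN and user agent are harder to keep consistent when a cookie is replayed.
FINGERPRINT_FIELDS = ("asn", "ua", "country")


def find_session_anomalies(log_text: str) -> List[Dict]:
    """Return one finding per request whose session cookie is presented from a
    client fingerprint that differs from the one that first used that session."""
    first_seen: Dict[str, Dict[str, str]] = {}  # sid -> fingerprint at first use
    findings: List[Dict] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = json.loads(raw)
        base = first_seen.setdefault(ev["sid"], {k: ev[k] for k in FINGERPRINT_FIELDS})
        changed = [k for k in FINGERPRINT_FIELDS if ev[k] != base[k]]
        if changed:
            findings.append({"ts": ev["ts"], "user": ev["user"], "sid": ev["sid"],
                             "ip": ev["ip"], "changed": changed})
    return findings


if __name__ == "__main__":
    for f in find_session_anomalies(SAMPLE_LOG):
        print(f"{f['ts']} user={f['user']} sid={f['sid']} from {f['ip']} "
              f"changed={','.join(f['changed'])}")
```

A hit on an otherwise valid session is the point at which to revoke that session and any refresh tokens tied to it, since the victim's password and MFA were never challenged.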
- Notes on scope and limitations
- The data described here reflects observed activity as of early 2026 and may evolve as threat actors adjust tooling and pricing.
- The landscape includes multiple threat actors and products, with Storm representing a notable example of server‑side decryption and automated session hijacking.
- Final note
- The evolution of infostealers toward server‑side processing and automated session restoration marks a meaningful shift in how credential theft is conducted and monetized. As attackers move toward more scalable, private infrastructure and cross‑browser coverage, defenders are challenged to adapt with proactive monitoring, rapid incident response, and threat intelligence that tracks attacker tooling and marketplace dynamics.