Storm Infostealer Emerges: A New Server-Side Credential Theft and Session Hijacking

Introduction

The cybersecurity landscape in early 2026 has been disrupted by a new and highly sophisticated infostealer known as Storm. Emerging across underground cybercrime forums, Storm represents a significant evolution in credential theft, shifting away from traditional local decryption techniques toward a fully server-side attack model. With subscription pricing under $1,000 per month, this malware-as-a-service platform gives cybercriminals streamlined access to stolen credentials, session cookies, crypto wallets, and sensitive application data. Its design reflects a broader transformation in the infostealer ecosystem, where stealth, automation, and scalability are becoming more important than ever.

Summary of the Original

Storm is a newly discovered infostealer circulating on cybercrime marketplaces since early 2026. It is offered as a subscription-based service costing around $900 per month, with cheaper short-term and enterprise-tier options available. The malware is designed to harvest browser-stored credentials, session cookies, autofill data, cryptocurrency wallet information, and browsing history from infected machines.

Unlike older stealers that decrypted browser databases locally on the victim’s system, Storm avoids local decryption entirely. Instead, it collects encrypted data and sends it to attacker-controlled infrastructure for processing. This shift is largely a response to security improvements such as Google Chrome’s App-Bound Encryption introduced in Chrome 127, which made local credential extraction significantly harder and easier to detect.

Storm supports both Chromium-based and Gecko-based browsers, including Firefox and its derivatives. While some competing tools still process Firefox data locally, Storm standardizes server-side handling across platforms. This allows attackers to bypass many endpoint detection systems that rely on monitoring local SQLite database access or credential store interactions.

The malware is capable of extracting a wide range of sensitive data, including saved passwords, session cookies, Google tokens, credit card details, and autofill information. This enables attackers to hijack active sessions and gain immediate access to SaaS platforms, enterprise tools, and cloud environments without triggering traditional authentication alerts.

A major feature of Storm is its automated session hijacking capability. Once cookies and tokens are decrypted, attackers can inject them into their panel and restore authenticated sessions. When combined with geographically matched SOCKS5 proxies and refresh tokens, attackers can impersonate victims with high accuracy.

Research from Varonis Threat Labs has shown how stolen session cookies can bypass multi-factor authentication entirely, making session theft more dangerous than password theft. Storm operationalizes this concept by integrating cookie restoration as a built-in feature rather than a manual process.

Beyond browser data, Storm also collects files from user directories, messaging app session data from platforms like Telegram, Signal, and Discord, and cryptocurrency wallet data from both extensions and desktop applications. It can also capture screenshots across multiple monitors and gather system-level information, all executed in memory to reduce forensic traces.

Operationally, Storm allows cybercriminals to connect their own VPS infrastructure to route stolen data, insulating the central service from takedowns. It also includes multi-user management features, enabling coordinated cybercriminal teams with role-based access to logs, builds, and session tools.

The logs panel reportedly shows over 1,700 entries spanning multiple countries, including India, the United States, Brazil, Indonesia, Ecuador, and Vietnam. These entries include credentials tied to major platforms such as Google, Facebook, Twitter/X, Coinbase, Binance, and Crypto.com.

Storm is marketed with tiered pricing, including a $300 trial, $900 monthly subscription, and $1,800 team license supporting up to 100 operators. A separate crypter is required for deployment. Notably, malware builds continue functioning even after subscriptions expire.

Overall, Storm reflects a broader shift in the infostealer ecosystem toward server-side processing, automated session hijacking, and subscription-based cybercrime services that lower the barrier to entry for attackers while increasing operational efficiency.

What Undercode Says:

Storm is not just another infostealer; it is a clear indicator that credential theft has entered a more industrialized phase. The most important shift is the removal of local decryption. For years, endpoint security tools relied heavily on detecting suspicious access to browser storage, SQLite databases, or credential vaults. Storm eliminates that signal entirely by exporting encrypted data and moving all sensitive processing to attacker-controlled infrastructure.

This architectural change is subtle but extremely impactful. It breaks a major detection strategy used by EDR and antivirus solutions. Instead of looking for decryption activity on endpoints, defenders are now forced to identify unusual data exfiltration patterns, which are inherently harder to detect in real time.
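The detection shift described above can be made concrete. Even though decryption no longer happens on the endpoint, the encrypted browser store still has to be read from disk and the result still has to leave the machine, so the remaining signal is the pairing of those two events. The following is an added example, not code from the article or from any EDR vendor: it correlates a non-browser process reading a credential store with a large upload to a destination the host has never contacted before. The event schema, process names, paths, IP addresses and thresholds are all constructed for illustration.

```python
"""Correlate credential-store reads with follow-on bulk uploads (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Files that hold browser credentials, cookies and autofill data.
CREDENTIAL_STORE_FILES = {
    "Login Data", "Cookies", "Web Data", "Local State",   # Chromium profiles
    "logins.json", "cookies.sqlite", "key4.db",           # Gecko (Firefox) profiles
}
# Processes expected to touch those files; anything else reading them is unusual.
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}


@dataclass
class Event:
    ts: int        # seconds on a constructed sample clock
    host: str
    pid: int
    process: str
    kind: str      # "file_read" or "net_send"
    target: str    # file path for file_read; "ip:port" for net_send
    nbytes: int = 0


def _basename(path: str) -> str:
    """Last path component, tolerating Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def detect_exfil(events, window_s=120, min_upload_bytes=200_000, known_dests=()):
    """Flag a process that reads a credential store and, within window_s seconds,
    uploads at least min_upload_bytes to a destination not in known_dests and
    not previously seen in the telemetry. Returns a list of alert dicts."""
    events = sorted(events, key=lambda e: e.ts)
    reads: Dict[Tuple[str, int], List[int]] = defaultdict(list)  # (host, pid) -> read times
    seen_dests = set(known_dests)
    alerts = []
    for ev in events:
        key = (ev.host, ev.pid)
        if ev.kind == "file_read":
            if (ev.process.lower() not in BROWSER_PROCESSES
                    and _basename(ev.target) in CREDENTIAL_STORE_FILES):
                reads[key].append(ev.ts)
        elif ev.kind == "net_send":
            is_new_dest = ev.target not in seen_dests
            seen_dests.add(ev.target)
            recent = [t for t in reads[key] if 0 <= ev.ts - t <= window_s]
            if recent and is_new_dest and ev.nbytes >= min_upload_bytes:
                alerts.append({"host": ev.host, "pid": ev.pid, "process": ev.process,
                               "dest": ev.target, "bytes": ev.nbytes,
                               "store_reads": len(recent)})
    return alerts


# Constructed telemetry: one benign browser session, one suspicious sequence.
SAMPLE_EVENTS = [
    Event(1000, "WS01", 4120, "chrome.exe", "file_read",
          r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Cookies"),
    Event(1001, "WS01", 4120, "chrome.exe", "net_send", "198.51.100.20:443", 8_000),
    Event(1010, "WS01", 7788, "updater.exe", "file_read",
          r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event(1011, "WS01", 7788, "updater.exe", "file_read",
          r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abc.default\logins.json"),
    Event(1030, "WS01", 7788, "updater.exe", "net_send", "203.0.113.10:443", 1_500_000),
    Event(1040, "WS01", 5520, "svchost.exe", "net_send", "203.0.113.10:443", 900_000),
]

if __name__ == "__main__":
    for alert in detect_exfil(SAMPLE_EVENTS):
        print(alert)
```

The browser's own read of `Cookies` is ignored because the process is allow-listed, and the later `svchost.exe` upload is not flagged because that process never touched a credential store. Tuning `known_dests` from an organisation's baseline of normal destinations is what keeps this rule from firing on legitimate sync or backup traffic.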

Another critical evolution is the normalization of session hijacking as the primary attack outcome. Password theft is no longer sufficient in modern enterprise environments because of MFA adoption. Storm directly targets session cookies and refresh tokens, effectively bypassing authentication layers without needing credentials at all.

The automation of cookie restoration is particularly concerning. Previously, attackers needed technical expertise to replay stolen sessions. Now, Storm integrates this into its operator panel, turning advanced exploitation into a one-click function. This dramatically increases the scalability of attacks and lowers the skill threshold for cybercriminals.

The inclusion of multi-platform support, especially Chromium and Gecko browsers, shows that developers are aiming for maximum coverage across user ecosystems. This reduces fragmentation and ensures stolen data remains usable regardless of browser choice.

From a defensive perspective, this represents a shift from endpoint-centric security to identity-centric security. Organizations can no longer rely solely on device monitoring. Instead, continuous authentication, session validation, and behavioral analytics become essential.
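One form that identity-centric session validation can take, as an added example that is not from the article or from any vendor product: the server binds each session to a key held only on the device that logged in and challenges the client to prove possession of that key on every request. A stolen cookie replayed from another machine fails even when the attacker routes through a proxy in the victim's country, which is exactly the geo-matching the article describes, because the geo check is the weaker signal and the device proof is the one the proxy cannot forge. The symmetric HMAC device key, the nonce scheme, the `SessionStore` class and the constructed timeline are assumptions made for this illustration; real deployments would use an asymmetric device-bound key.

```python
"""Device-bound session validation with replay revocation (added example)."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple


def device_proof(device_key: bytes, sid: str, nonce: str) -> str:
    """Client side: prove possession of the device key over the server nonce.
    The key stays on the device; only this MAC travels with the request."""
    return hmac.new(device_key, f"{sid}|{nonce}".encode(), hashlib.sha256).hexdigest()


class SessionStore:
    def __init__(self, max_age_s: int = 8 * 3600):
        self.max_age_s = max_age_s
        self._sessions: Dict[str, dict] = {}

    def issue(self, user: str, device_key: bytes, country: str, now: int) -> str:
        """Create a session bound to the device key enrolled at login."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "device_key": device_key,
                               "country": country, "issued": now,
                               "nonce": secrets.token_hex(16)}
        return sid

    def challenge(self, sid: str) -> Optional[str]:
        """Nonce the client must MAC for its next request (None if no session)."""
        s = self._sessions.get(sid)
        return s["nonce"] if s else None

    def validate(self, sid: str, proof: str, country: str, now: int) -> Tuple[bool, str]:
        s = self._sessions.get(sid)
        if s is None:
            return False, "unknown_session"
        if now - s["issued"] > self.max_age_s:
            del self._sessions[sid]
            return False, "expired"
        expected = device_proof(s["device_key"], sid, s["nonce"])
        if not hmac.compare_digest(expected, proof):
            # The cookie is being presented without the device key: treat it as
            # stolen and revoke it so the legitimate user is forced to re-authenticate.
            del self._sessions[sid]
            return False, "device_mismatch"
        s["nonce"] = secrets.token_hex(16)  # rotate so a captured proof cannot be replayed
        if country != s["country"]:
            return False, "geo_mismatch"   # weaker check: proxies defeat it on their own
        return True, "ok"


def demo() -> List[Tuple[bool, str]]:
    """Constructed timeline: legitimate use, replay from another device, aftermath."""
    store = SessionStore()
    victim_key = secrets.token_bytes(32)    # lives only on the victim's device
    attacker_key = secrets.token_bytes(32)  # attacker's machine; victim key never left the device
    sid = store.issue("alice", victim_key, "US", now=1_000)
    results = []
    # 1. The victim's own request passes.
    results.append(store.validate(sid, device_proof(victim_key, sid, store.challenge(sid)), "US", 1_010))
    # 2. The stolen cookie is replayed through a US proxy; geo matches, the device proof does not.
    results.append(store.validate(sid, device_proof(attacker_key, sid, store.challenge(sid)), "US", 1_020))
    # 3. The victim's next request finds the session revoked and must log in again.
    results.append(store.validate(sid, device_proof(victim_key, sid, store.challenge(sid) or ""), "US", 1_030))
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Revoking on the first mismatch is a deliberate choice: it turns a silent session takeover into a visible re-login for the real user and an auditable event for the security team, which is the detection opportunity the article says endpoint-only monitoring has lost.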

The integration of messaging app data theft also signals an expansion beyond browser-focused attacks. By targeting Telegram, Signal, and Discord sessions, Storm extends its reach into communication channels often used for business coordination and sensitive exchanges.

Infrastructure decentralization is another key evolution. By allowing operators to use their own VPS systems, Storm reduces the risk of takedown operations affecting the entire ecosystem. This mirrors trends seen in other malware-as-a-service platforms, where modular architecture improves resilience.

The pricing model also reflects a maturing cybercrime economy. Subscription tiers, team licenses, and trial access mimic legitimate SaaS businesses. This commercialization lowers barriers to entry, allowing even low-skilled attackers to deploy sophisticated attacks.

Ultimately, Storm represents a convergence of automation, stealth, and service-based cybercrime. It is less about raw malware capability and more about delivering a complete attack platform.

Fact Checker Results

Storm’s described capabilities align with known trends in modern infostealer evolution toward server-side processing and session hijacking.
The claim that MFA can be bypassed via stolen session cookies is consistent with documented attack techniques.
Exact infection counts, pricing tiers, and panel statistics cannot be independently verified from underground sources.

Prediction

Storm-like infostealers will likely push cybersecurity defenses toward real-time session validation systems and continuous authentication models.
Expect increased adoption of token-binding and device-identity enforcement to reduce the impact of stolen cookies.
Cybercrime platforms will continue evolving into SaaS-style ecosystems, making advanced attacks more accessible and automated than ever before.

References:

Reported By: www.bleepingcomputer.com