A new malware called Storm infostealer appeared on criminal underground markets in early 2026, and it sidesteps the behaviour most endpoint security tools are built to catch. Instead of decrypting stolen browser data on the victim’s machine, Storm ships the still-encrypted data to attacker-controlled servers and decrypts it there. Defenders have no visibility into that infrastructure. By the time the theft is complete, the most detectable part of the attack has already happened somewhere else.
How Infostealers Used to Work
To understand why Storm matters, it helps to know what came before it. Traditional infostealers accessed browser credential stores directly on the victim’s device. They loaded local libraries, queried the profile’s SQLite databases, called the operating system’s decryption API (DPAPI on Windows), and pulled out saved passwords on the spot. Endpoint security tools caught on to this pattern. Local database access, decryption API calls from a non-browser process, process injection into browser memory, and suspicious system calls all became reliable detection signals.
Then Google raised the bar. In July 2024, Chrome 127 introduced App-Bound Encryption on Windows, which wraps the key protecting cookies and other sensitive data so that only a process verified as Chrome, via a privileged Chrome service, can unwrap it. A user-level process calling DPAPI no longer gets usable plaintext, so local decryption became much harder for attackers. Those who tried to work around it through browser injection or debugging interfaces left traces that defenders could detect. Storm took a different path and moved the problem off the victim’s machine entirely.
What the Storm Infostealer Actually Does
Storm copies the browser’s still-encrypted data off the victim’s device and sends it to attacker-controlled infrastructure. Decryption happens server-side, on hardware that only the attacker can access. There are no suspicious library loads on the victim’s machine, no calls to the operating system’s decryption APIs, and no injection into the browser process, which are the behaviours endpoint tools learned to flag. Storm also runs entirely in memory and writes nothing to disk, so its footprint stays minimal. The one local step it cannot avoid is reading the profile files it exfiltrates (for Chromium, files such as Login Data and Cookies in the user’s profile directory), so file-access telemetry showing a non-browser process opening those paths is the signal that remains on the endpoint, if your tooling records it.
The malware collects saved passwords, session cookies, autofill entries, Google account tokens, credit card data, and browsing history. It also grabs documents from user directories, captures screenshots across multiple monitors, and pulls session data from Telegram, Signal, and Discord. Storm targets crypto wallets through both browser extensions and desktop apps. It supports Chromium-based browsers like Chrome and Edge, and Gecko-based browsers like Firefox, Waterfox, and Pale Moon. All decryption for every browser happens server-side.
Session Hijacking Without a Password
After the attacker’s server decrypts the stolen data, everything lands in an operator control panel. Most infostealers stop there and leave buyers to replay stolen logs manually. Storm automates the next step. Operators feed a Google refresh token into the panel along with a SOCKS5 proxy whose exit IP matches the victim’s location. The panel then silently restores the victim’s authenticated browser session. Because the refresh token was issued after the victim had already signed in, the service treats the replay as the continuation of an existing session: no password is needed, no MFA prompt appears, and a country-level geolocation check sees the country it expects.
One compromised employee browser can give an attacker authenticated access to SaaS platforms, internal tools, and cloud environments. None of it triggers a password-based alert, because no password changes hands. Researchers found 1,715 panel entries from Brazil, Ecuador, India, Indonesia, the United States, and Vietnam. The range of IP addresses, internet providers, and data volumes points to active campaigns rather than test data.
A Criminal Business Built for Scale
Storm sells for under $1,000 per month as a malware-as-a-service product. That price attracts a wide range of operators, including less experienced ones. Operators connect their own virtual private servers to Storm’s central infrastructure and route stolen data through hardware they personally control. If law enforcement targets the operation, they hit the operator’s node first. The core platform stays protected behind that layer.
The panel supports multiple workers under a single licence. Permissions cover log access, build creation, and session restoration, so operators can divide responsibilities across a small team. A structured criminal operation can run on a single Storm subscription, which makes it commercially practical even at low price points.
Why the Storm Infostealer Is Hard to Detect
Session cookie theft has been replacing password theft as the main goal of credential malware for some time now. A password is guarded by hashing at rest, MFA at login, and encryption in the browser’s store; a live session cookie or refresh token is what those checks produce once they have passed, so it is often easier to reach and immediately useful to an attacker. Storm is built around that shift. It also shrinks the window between theft and exploitation more than most stealers do.
Session-based attacks need no password. They trigger no failed-login alerts. An attacker who restores a hijacked session through a geographically matched proxy can appear, at first glance, like a normal user: country-level geolocation checks pass, and what remains is the mismatch in the network (ASN or ISP), the client fingerprint, and the absence of any interactive login before the token is used. Traditional endpoint tools watch for malicious behaviour on the victim’s device. Storm moves the most detectable part of the attack off that device entirely, and that is the gap it exploits.
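To make that detection gap concrete, here is an added example, written for this edit and not code from the article or from any analysis of Storm, that runs a session-anomaly check over constructed identity-provider audit events. The field names (ts, user, type, ip, country, asn, client), the event types and the sample events themselves are assumptions; most IdP audit logs expose equivalents. It anchors each user’s context at the last interactive login, which an attacker holding only a token cannot perform, and flags later token or cookie use whose ASN or client fingerprint differs, so a country-matched proxy alone does not pass.

```python
# Added example (not code from the article or from any Storm analysis): a
# session-anomaly detector over constructed identity-provider audit events.
# It flags token- or cookie-authenticated activity whose network or client
# context differs from the user's last interactive (password + MFA) login,
# which is the pattern a replayed refresh token produces.

INTERACTIVE = {"login"}                     # required a password and/or MFA
SILENT = {"token_refresh", "session_use"}   # authenticated by token or cookie only

# Constructed sample events, not real logs. Field names are assumed; most IdP
# audit logs expose equivalents (time, user, event type, source IP, GeoIP
# country, ASN, and some client or device fingerprint).
EVENTS = [
    {"ts": "2026-02-10T07:30:00Z", "user": "bob", "type": "login",
     "ip": "203.0.113.40", "country": "US", "asn": "AS64500", "client": "chrome-win-b2"},
    # bob's token used from another country and ISP, same client: likely hijack
    {"ts": "2026-02-10T07:45:10Z", "user": "bob", "type": "token_refresh",
     "ip": "192.0.2.77", "country": "DE", "asn": "AS64520", "client": "chrome-win-b2"},
    # carol: a token used with no interactive login on record at all
    {"ts": "2026-02-10T08:00:00Z", "user": "carol", "type": "session_use",
     "ip": "198.51.100.9", "country": "BR", "asn": "AS64530", "client": "chrome-win-c3"},
    {"ts": "2026-02-10T08:02:11Z", "user": "alice", "type": "login",
     "ip": "203.0.113.7", "country": "US", "asn": "AS64500", "client": "chrome-win-a1"},
    {"ts": "2026-02-10T08:05:40Z", "user": "alice", "type": "token_refresh",
     "ip": "203.0.113.7", "country": "US", "asn": "AS64500", "client": "chrome-win-a1"},
    # alice's token replayed through a geo-matched SOCKS5 proxy: country passes,
    # but the exit ASN and the client fingerprint do not match her login
    {"ts": "2026-02-10T09:12:03Z", "user": "alice", "type": "token_refresh",
     "ip": "198.51.100.23", "country": "US", "asn": "AS64510", "client": "chrome-linux-z9"},
    # bob genuinely travels: a new interactive login (with MFA) resets his anchor
    {"ts": "2026-02-10T10:00:00Z", "user": "bob", "type": "login",
     "ip": "192.0.2.77", "country": "DE", "asn": "AS64520", "client": "chrome-win-b2"},
    {"ts": "2026-02-10T10:10:00Z", "user": "bob", "type": "token_refresh",
     "ip": "192.0.2.77", "country": "DE", "asn": "AS64520", "client": "chrome-win-b2"},
]


def detect_session_anomalies(events):
    """Return alerts for silent events that do not match the context of the
    user's most recent interactive login. The anchor is reset only by an
    interactive login, which an attacker holding just a token cannot perform."""
    anchors = {}
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        user = e["user"]
        if e["type"] in INTERACTIVE:
            anchors[user] = {k: e[k] for k in ("country", "asn", "client")}
            continue
        if e["type"] not in SILENT:
            continue
        anchor = anchors.get(user)
        if anchor is None:
            alerts.append({"user": user, "ts": e["ts"], "ip": e["ip"],
                           "severity": "high",
                           "reasons": ["no prior interactive login on record"]})
            continue
        reasons = [f"{k} {anchor[k]} -> {e[k]}"
                   for k in ("country", "asn", "client") if e[k] != anchor[k]]
        if not reasons:
            continue
        # A changed client fingerprint is the strongest single signal: a replayed
        # token lands in the operator's browser, not the victim's. ASN or country
        # alone can be benign (Wi-Fi to mobile data), so rank that lower.
        severity = "high" if e["client"] != anchor["client"] else "medium"
        alerts.append({"user": user, "ts": e["ts"], "ip": e["ip"],
                       "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect_session_anomalies(EVENTS):
        print(f'{a["ts"]} {a["severity"]:6} {a["user"]:6} {a["ip"]:15} '
              + "; ".join(a["reasons"]))
```

Run as-is it prints three alerts: bob’s token used from a new country and ISP, carol’s token with no login on record, and alice’s replay through a country-matched proxy caught by the ASN and client mismatch. In production, feed the function your IdP’s audit stream, and expect to tune the ASN rule for mobile users, whose network changes without any hijack.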
Final Thoughts
The Storm infostealer marks a real change in how credential theft works. It removes decryption from the victim’s machine, which defeats the detection methods that endpoint security has refined over years. It also automates session restoration, so stolen data becomes active account access within minutes. For individuals, the steps are practical: stop saving sensitive credentials in your browser, use a dedicated password manager, and check active sessions on important accounts from time to time. For businesses, one compromised employee device can open access to cloud infrastructure and internal tools without a single failed login. Monitoring for session anomalies, unexpected geolocations, and unfamiliar networks or devices is now just as important as watching for credential-based attacks, and a compromised endpoint should be treated as a session compromise: revoke the user’s sessions and refresh tokens rather than only resetting the password. Storm is unlikely to be the last infostealer built this way.