The Silent “Storm”: New Infostealer Hijacks Sessions, Decrypts Server-Side

BleepingComputer, Apr 13, 2026

Why It Matters

Storm moves the decryption of stolen browser data off the victim's machine, sidestepping endpoint detection that keys on local credential decryption. The result is persistent access to corporate SaaS accounts and cloud resources that never needs the victim's password, which raises the risk of large‑scale account takeover.

Key Takeaways

  • Storm sells for $900 per month, or $1,800 per month for a team licence.
  • Decryption happens on the attacker's server, not the endpoint, so endpoint tools that watch for local decryption see nothing.
  • Automates session restoration with stolen Google refresh tokens paired to location‑matched proxies.
  • Harvests browser credentials, crypto wallets, and messaging app sessions.
  • Runs on VPS nodes controlled by individual operators rather than shared infrastructure, making takedown harder.

Pulse Analysis

The emergence of Storm marks a notable step in the infostealer ecosystem. After Google introduced App‑Bound Encryption in Chrome 127, decrypting cookies and saved passwords on the victim's machine became noisy: the stealer has to drive the host's decryption machinery (DPAPI, or a bypass of Chrome's elevation service), and that is exactly what endpoint tools watch for. Stealer developers responded by moving the heavy lifting to remote servers. The browser databases still have to be read and exfiltrated, but the decryption calls that detection logic keys on no longer happen on the endpoint. Storm extends this model to both Chromium‑based and Gecko‑based (Firefox) browsers: the malware ships the still‑encrypted data to command‑and‑control infrastructure, where it is decrypted, packaged, and presented to buyers through a web panel. This architecture shrinks the malware's footprint on the victim machine and complicates forensics, because the decryption step, and any evidence of it, lives off the endpoint.

For enterprises, the danger lies in the automation of session hijacking. Storm's panel can ingest a stolen Google refresh token, pair it with a SOCKS5 proxy in the victim's region, and resurrect a fully authenticated browser session. No password is used, so nothing that a credential‑reset workflow watches for ever happens, and the proxy keeps the sign‑in geography consistent with the victim's normal activity. Harvested session cookies for Microsoft 365, Microsoft Entra ID, and major crypto exchanges post‑date the MFA challenge, so the service accepts them without prompting again; attackers gain access to internal tools, cloud workloads, and financial services as the already‑verified user. A single compromised employee device can thus become a launchpad for lateral movement, data exfiltration, and ransomware deployment, amplifying the impact far beyond traditional credential theft.

Detecting Storm requires a shift from signature‑based alerts to behavior‑centric monitoring. Because decryption happens off‑host, detections built around local decryption calls or elevation‑service abuse never fire. What remains on the endpoint is a process that is not the browser reading files such as Login Data, Cookies, key4.db or logins.json, followed by a burst of outbound traffic to an unfamiliar VPS; security teams should alert on that combination and on bulk uploads of browser databases. On the identity side, look for a refresh token or session cookie reappearing from a new ASN or IP, for impossible travel, and for sign‑ins that skip MFA because they ride an existing session. Note that a location‑matched proxy is designed to defeat the geographic check, so the change in network origin is the stronger signal. Integrating threat‑intel feeds that flag Storm's infrastructure identifiers, alongside continuous authentication analytics that surface token reuse, can expose the hidden footholds. Organizations that adapt their detection stack to these server‑side tactics will be better positioned to thwart the next wave of credential‑as‑a‑service operations.
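Detection logic for the identity-side signals just described, as an added example that is not part of the original article or of any vendor's product. It runs over constructed sign-in events (hypothetical users, RFC 5737 test addresses, private-use ASNs; the field names, in particular session_id as the link between sign-ins and one refresh token or cookie jar, are assumptions about an IdP's log schema). The first rule catches exactly the case a location-matched proxy is meant to hide: the same session resumed from a different ASN while the geography still looks normal. The second is a conventional impossible-travel check, included to show why it misses that case.

```python
"""Two identity-side detections for replayed browser sessions:
session reuse from a new ASN, and impossible travel between sign-ins."""
import json
import math
from datetime import datetime

# Constructed sample events (hypothetical users, RFC 5737 addresses,
# private-use ASNs); the schema is an assumption, not any vendor's.
# Alice's 09:10 event is a replayed token via a London-located proxy:
# same session, same geography, different network. Bob's 09:50 event
# is a fresh sign-in from Tokyo 30 minutes after one from New York.
SAMPLE_LOG = """\
{"ts":"2026-04-13T08:00:00Z","user":"alice@example.com","session_id":"s-1","ip":"203.0.113.10","asn":"AS64496","lat":51.51,"lon":-0.13,"mfa":true}
{"ts":"2026-04-13T08:30:00Z","user":"alice@example.com","session_id":"s-1","ip":"203.0.113.10","asn":"AS64496","lat":51.51,"lon":-0.13,"mfa":false}
{"ts":"2026-04-13T09:10:00Z","user":"alice@example.com","session_id":"s-1","ip":"198.51.100.77","asn":"AS64500","lat":51.50,"lon":-0.12,"mfa":false}
{"ts":"2026-04-13T09:20:00Z","user":"bob@example.com","session_id":"s-2","ip":"192.0.2.5","asn":"AS64497","lat":40.71,"lon":-74.01,"mfa":true}
{"ts":"2026-04-13T09:50:00Z","user":"bob@example.com","session_id":"s-3","ip":"192.0.2.200","asn":"AS64498","lat":35.68,"lon":139.69,"mfa":true}
"""


def parse_events(text):
    """Parse newline-delimited JSON sign-in events, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres (mean Earth radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def detect_session_reuse(events):
    """Flag a session resumed from an ASN other than the one it began on.

    A replayed refresh token looks like any other MFA-free refresh and a
    location-matched proxy keeps the geography plausible, so the change of
    network origin is the signal. IP churn inside one ASN (mobile carriers,
    DHCP) is deliberately ignored to keep the rule quiet.
    """
    alerts = []
    origin = {}  # session_id -> (asn, ip) at first observation
    for ev in events:
        sid = ev["session_id"]
        if sid not in origin:
            origin[sid] = (ev["asn"], ev["ip"])
            continue
        first_asn, first_ip = origin[sid]
        if ev["asn"] != first_asn:
            alerts.append({
                "rule": "session_reuse_new_asn",
                "user": ev["user"],
                "session_id": sid,
                "first_seen": f"{first_ip} ({first_asn})",
                "now": f"{ev['ip']} ({ev['asn']})",
                "ts": ev["ts"].isoformat(),
            })
    return alerts


def detect_impossible_travel(events, max_kmh=900.0, min_km=50.0):
    """Flag consecutive sign-ins for one user that imply an implausible speed.

    min_km suppresses geolocation jitter within a city; identical timestamps
    with a real distance count as infinite speed. Thresholds are assumptions.
    """
    alerts = []
    last = {}  # user -> previous event
    for ev in events:
        prev = last.get(ev["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            hours = (ev["ts"] - prev["ts"]).total_seconds() / 3600.0
            speed = km / hours if hours > 0 else math.inf
            if km >= min_km and speed > max_kmh:
                alerts.append({
                    "rule": "impossible_travel",
                    "user": ev["user"],
                    "km": round(km),
                    "hours": round(hours, 2),
                    "from_ip": prev["ip"],
                    "to_ip": ev["ip"],
                    "ts": ev["ts"].isoformat(),
                })
        last[ev["user"]] = ev
    return alerts


def analyze(text):
    """Run both detections over raw log text and return alerts by rule."""
    events = parse_events(text)
    return {
        "session_reuse": detect_session_reuse(events),
        "impossible_travel": detect_impossible_travel(events),
    }


if __name__ == "__main__":
    for rule, hits in analyze(SAMPLE_LOG).items():
        for hit in hits:
            print(rule, json.dumps(hit))
```

On the sample, the impossible-travel rule fires only for Bob; Alice's replayed session passes it cleanly because the proxy sits in London, and only the ASN-change rule catches it. In production, map session_id to whatever your identity provider exposes to tie sign-ins to a single token, and feed the ASN from your enrichment pipeline rather than trusting anything the client sends.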

Source article: The silent “Storm”: New infostealer hijacks sessions, decrypts server-side
