
Security researchers at Varonis have identified a new infostealer dubbed Storm that appears to mark a more polished phase in credential theft, using server-side decryption to extract browser passwords, session cookies, crypto-wallet data and other sensitive material while avoiding many of the on-device traces that endpoint tools have grown used to flagging. The malware was observed on underground forums in early 2026 and is being sold as a subscription service, underscoring how credential theft is becoming more commercialised, modular and easier for lower-skilled operators to deploy.
What makes Storm stand out is not simply the data it steals, but how it handles it. Earlier generations of stealers often decrypted browser databases on the victim’s machine, a step that defenders could monitor because it left identifiable telemetry. Storm instead ships encrypted browser files to attacker-controlled infrastructure for decryption, shrinking the local footprint. Varonis says the malware can process both Chromium-based browsers and Gecko-based browsers such as Firefox, Waterfox and Pale Moon on the server side, while also pulling saved passwords, session cookies, autofill data, Google account tokens, payment details and browsing history.
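The shift to off-host decryption moves the detectable step from DPAPI or key-decryption telemetry to the moment a non-browser process reads the encrypted stores themselves. The following detection sketch is an added example, not code from Varonis or from the report: it scans constructed file-access events for reads of Chromium and Gecko credential stores by processes other than the browsers, and scores how many browser families one process touched. The event shape, the browser image list and the sample paths are assumptions.

```python
import re

# Stores a stealer must read to ship off-host: Chromium profiles keep
# "Login Data", "Cookies", "Web Data" and "Local State"; Gecko browsers
# (Firefox, Waterfox, Pale Moon) keep logins.json, key4.db, cookies.sqlite.
SENSITIVE_STORES = re.compile(
    r"[\\/](Login Data|Cookies|Web Data|Local State|logins\.json|key4\.db|cookies\.sqlite)$",
    re.IGNORECASE,
)

# Images expected to read their own stores. Assumption: tune to your estate.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe",
                  "firefox.exe", "waterfox.exe", "palemoon.exe"}

def sensitive_store(path):
    """Return the credential-store file name matched by path, or None."""
    m = SENSITIVE_STORES.search(path)
    return m.group(1) if m else None

def find_collectors(events):
    """Group store reads by process image, keeping only non-browser readers.
    Each event is a dict with 'image' (process basename) and 'path'
    (hypothetical simplified schema). Returns {image: sorted store names}."""
    reads = {}
    for ev in events:
        store = sensitive_store(ev["path"])
        if store is None or ev["image"].lower() in BROWSER_IMAGES:
            continue
        reads.setdefault(ev["image"], set()).add(store)
    return {img: sorted(s) for img, s in reads.items()}

def breadth_score(stores):
    """Count browser families touched (0-2). A single process reading both
    Chromium and Gecko stores is the collect-everything pattern of a stealer."""
    chromium = {"login data", "cookies", "web data", "local state"}
    gecko = {"logins.json", "key4.db", "cookies.sqlite"}
    names = {s.lower() for s in stores}
    return int(bool(names & chromium)) + int(bool(names & gecko))

SAMPLE_EVENTS = [  # constructed sample, not real telemetry
    {"image": "chrome.exe", "path": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
    {"image": "firefox.exe", "path": r"C:\Users\u\AppData\Roaming\Mozilla\Firefox\Profiles\abc.default\key4.db"},
    {"image": "updater.exe", "path": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Local State"},
    {"image": "updater.exe", "path": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"image": "updater.exe", "path": r"C:\Users\u\AppData\Roaming\Mozilla\Firefox\Profiles\abc.default\logins.json"},
    {"image": "updater.exe", "path": r"C:\Users\u\AppData\Roaming\Mozilla\Firefox\Profiles\abc.default\key4.db"},
    {"image": "explorer.exe", "path": r"C:\Users\u\Documents\notes.txt"},
]

if __name__ == "__main__":
    for image, stores in find_collectors(SAMPLE_EVENTS).items():
        print(image, stores, "families touched:", breadth_score(stores))
```

Pairing a hit here with a subsequent outbound connection from the same process is the natural next correlation, since the files leave the host encrypted and no local decryption event will appear.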
That matters because browser theft is no longer just about collecting usernames and passwords for resale. Session cookies and active tokens can let attackers step directly into an authenticated account, bypassing the friction of password resets or multi-factor authentication challenges. Varonis says Storm’s operator panel can take a Google refresh token and a geographically matched SOCKS5 proxy to restore a victim’s session quietly, turning a stolen browser profile into immediate access to cloud services, internal tools and software platforms. Researchers have been warning for some time that stolen session cookies can make MFA largely irrelevant once the session itself has been hijacked.
Storm also arrives in a market already reshaped by Google’s browser hardening. Google introduced Application-Bound Encryption in Chrome 127 in July 2024 on Windows to tie protected data more closely to the browser’s identity, making it harder for malware running as the logged-in user to decrypt cookies locally. Google said at the time that the protection would begin with cookies and later expand to passwords, payment data and other persistent authentication tokens. Security firms tracking the wider stealer ecosystem have since documented how malware developers responded with fresh bypass methods, including remote debugging and direct memory extraction. Against that backdrop, Storm’s server-side model looks less like an isolated innovation than the next logical step in a contest between browser makers and credential thieves.
Commercial details strengthen that reading. Varonis says Storm is sold in tiers priced at $300 for a seven-day demo, $900 a month for a standard licence and $1,800 a month for a team package supporting up to 100 operator seats and 200 builds, with a crypter required separately. The platform is also structured to support a small criminal workforce, with permissions for multiple workers and the use of attacker-controlled virtual private servers that route stolen data through separate nodes before it reaches central infrastructure. That design can make takedowns harder because abuse complaints or law-enforcement pressure may hit the operator’s rented node before the service core. Microsoft has separately warned that threat actors are increasingly shifting toward covert, decentralised infrastructure and treating initial access as a staged process rather than a single event.
Storm’s emergence also fits a broader statistical trend. Flashpoint said in its 2026 global threat report that infostealers infected more than 11.1 million machines in 2025, yielding roughly 3.3 billion stolen credentials and cloud tokens. Flare, analysing 18.7 million infostealer logs from 2025, said more than one in 10 infections already exposed enterprise single sign-on or identity-provider credentials, while preliminary late-2025 data showed enterprise identity exposure rising to 16% of infections. Flare warned that, if the pattern continues, one in five infostealer infections could expose enterprise credentials by the third quarter of 2026. Those numbers suggest the economic value of a single infection is rising even if raw infection counts do not always move in the same direction.