
Storm Infostealer Enables Server-Side Credential Decryption with Automated Session Hijacking

1 unique source, 1 article

Summary


A new information stealer malware named Storm has been identified targeting browser credentials, session cookies, and cryptocurrency wallets by remotely decrypting stolen data on attacker-controlled infrastructure. Storm, active in underground markets since early 2026, bypasses modern encryption protections in browsers such as Google’s App-Bound Encryption (Chrome 127) by shifting decryption to remote servers instead of local processing. The malware automates session hijacking by feeding stolen Google Refresh Tokens and geographically matched SOCKS5 proxies into an operator panel, silently restoring authenticated sessions across SaaS platforms, internal tools, and cloud environments without triggering password alerts.

Timeline

  1. 02.04.2026 17:15 · 1 article

    Storm Infostealer Introduces Remote Decryption and Automated Session Hijacking Capabilities

    A newly identified infostealer, Storm, has been observed in active campaigns since early 2026. The malware differentiates itself by remotely decrypting stolen credentials and session data on attacker infrastructure, bypassing local encryption protections introduced in browsers such as Chrome 127. Storm automates the restoration of victim sessions by integrating stolen Google Refresh Tokens with geographically matched SOCKS5 proxies in its operator panel, enabling silent hijacking of authenticated sessions across high-value targets without triggering password-based alerts. Data collection spans browser artifacts, cryptocurrency wallets, communication apps, and document stores, with all operations executed in memory to evade detection.


Information Snippets

  • Storm infostealer harvests browser credentials, session cookies, autofill data, Google account tokens, credit card details, browsing history, documents, system information, screenshots, and session data from Telegram, Signal, and Discord.

    First reported: 02.04.2026 17:15
    1 source, 1 article
  • Cryptocurrency wallets are targeted via both browser extensions and desktop applications, with all operations executed in memory to minimize detection.

    First reported: 02.04.2026 17:15
    1 source, 1 article
  • Storm processes Chromium and Gecko-based browser data (e.g., Firefox, Waterfox, Pale Moon) entirely server-side, unlike competitors such as StealC V2, which still decrypt locally for Firefox.

    First reported: 02.04.2026 17:15
    1 source, 1 article
  • Stolen data includes Google Refresh Tokens and session data, enabling automated restoration of victim sessions via attacker-controlled panels using matched SOCKS5 proxies.

    First reported: 02.04.2026 17:15
    1 source, 1 article
  • Storm is offered as a subscription service priced below $1,000 per month on underground markets.

    First reported: 02.04.2026 17:15
    1 source, 1 article
  • Varonis researchers identified 1,715 entries from multiple countries (Brazil, Ecuador, India, Indonesia, US, Vietnam), with observed data including high-value platforms such as Google, Facebook, Twitter/X, Coinbase, Binance, Blockchain.com, and Crypto.com.

    First reported: 02.04.2026 17:15
    1 source, 1 article