Storm infostealer server-side decryption activity
Malware Activity
Summary
Hide ▲
Show ▼
The Storm infostealer now steals browser credentials, session cookies, and crypto wallets and forwards them to attacker infrastructure for server-side decryption, raising the risk of session hijacking and account takeover. It also targets Telegram, Signal, Discord, and browser-stored tokens, making compromised endpoints a gateway to cloud and SaaS access.
Related Happenings
Bluekit adopts rrweb-based BitM session streaming for login theft
Technical Analysis
H score34
First: 25.06.2026 18:00
Last: 25.06.2026 18:00
Sources 1
About this happening:
**Bluekit** has added **browser-in-the-middle (BitM)** login theft to its phishing stack, increasing the risk of **session-token theft** and **account takeover**. The mechanism us...
Bluekit adopts rrweb-based BitM session streaming for login theft
Technical AnalysisAbout this happening: **Bluekit** has added **browser-in-the-middle (BitM)** login theft to its phishing stack, increasing the risk of **session-token theft** and **account takeover**. The mechanism us...
Gaslight macOS implant with Telegram C2 and prompt-injection payload
Malware Activity
H score29
First: 25.06.2026 12:23
Last: 25.06.2026 12:23
Sources 1
About this happening:
A **previously undocumented macOS implant** named **Gaslight** combines **Telegram bot API C2**, **persistent shell control**, and **file exfiltration** with a built-in **prompt-i...
Gaslight macOS implant with Telegram C2 and prompt-injection payload
Malware ActivityAbout this happening: A **previously undocumented macOS implant** named **Gaslight** combines **Telegram bot API C2**, **persistent shell control**, and **file exfiltration** with a built-in **prompt-i...
MacOS.Gaslight Rust infostealer-backdoor with Telegram Bot API channel
Malware Activity
H score30
First: 24.06.2026 17:00
Last: 24.06.2026 17:00
Sources 1
About this happening:
Researchers identified **macOS.Gaslight**, a **North Korea-linked** **Rust** infostealer-backdoor that can steal **Chrome, Brave, Firefox and Safari** data, terminal histories, in...
MacOS.Gaslight Rust infostealer-backdoor with Telegram Bot API channel
Malware ActivityAbout this happening: Researchers identified **macOS.Gaslight**, a **North Korea-linked** **Rust** infostealer-backdoor that can steal **Chrome, Brave, Firefox and Safari** data, terminal histories, in...
FROST browser SSD timing side channel via OPFS
Technical Analysis
H score16
First: 09.06.2026 12:50
Last: 09.06.2026 12:50
Sources 1
About this happening:
**FROST** turns **browser storage timing** into a **remote SSD side channel** that can identify which **sites** a user visits and which **apps** they open. The technique runs insi...
FROST browser SSD timing side channel via OPFS
Technical AnalysisAbout this happening: **FROST** turns **browser storage timing** into a **remote SSD side channel** that can identify which **sites** a user visits and which **apps** they open. The technique runs insi...
Google Chrome DBSC rolls out session-cookie theft protection for all users
Security Tool/Service
H score10
First: 29.05.2026 15:08
Last: 29.05.2026 15:08
Sources 1
About this happening:
Google's **Chrome Device Bound Session Credentials (DBSC)** is now **generally available** and rolling out to **all users**, reducing the risk of **account takeovers** from stolen...
Google Chrome DBSC rolls out session-cookie theft protection for all users
Security Tool/ServiceAbout this happening: Google's **Chrome Device Bound Session Credentials (DBSC)** is now **generally available** and rolling out to **all users**, reducing the risk of **account takeovers** from stolen...
Timeline
-
01.04.2026 03:00 2 articles · 3mo ago
Varonis discloses Storm server-side decryption infostealer
Initial DisclosureVaronis discloses Storm, an infostealer that emerged on underground cybercrime networks in early 2026 and steals browser credentials, session cookies, crypto wallets, documents, screenshots, and messaging-session data before shipping encrypted files to attacker infrastructure for server-side decryption. The malware handles both Chromium and Gecko-based browsers, targets Telegram, Signal, Discord, and browser extensions and desktop apps for wallets, and can silently restore authenticated sessions with a Google Refresh Token plus a geographically matched SOCKS5 proxy. The investigation also found 1,715 entries linked to activity across multiple countries, indicating ongoing malicious campaigns.
Show sources
- New 'Storm' Infostealer Remotely Decrypts Stolen Credentials — www.infosecurity-magazine.com — 02.04.2026 17:15
- The silent “Storm”: New infostealer hijacks sessions, decrypts server-side — www.bleepingcomputer.com — 13.04.2026 17:05