Find notable cyber news and cases, enriched with sources, timelines, and signals.

Storm infostealer server-side decryption activity

Malware Activity
First reported
Last updated
Happening score
H score 18
2 unique sources, 2 articles

Summary

Hide ▲

The Storm infostealer now steals browser credentials, session cookies, and crypto wallets and forwards them to attacker infrastructure for server-side decryption, raising the risk of session hijacking and account takeover. It also targets Telegram, Signal, Discord, and browser-stored tokens, making compromised endpoints a gateway to cloud and SaaS access.

Related Happenings

Bluekit adopts rrweb-based BitM session streaming for login theft

Technical Analysis
H score34 First: 25.06.2026 18:00 Last: 25.06.2026 18:00 Sources 1

About this happening: **Bluekit** has added **browser-in-the-middle (BitM)** login theft to its phishing stack, increasing the risk of **session-token theft** and **account takeover**. The mechanism us...

Gaslight macOS implant with Telegram C2 and prompt-injection payload

Malware Activity
H score29 First: 25.06.2026 12:23 Last: 25.06.2026 12:23 Sources 1

About this happening: A **previously undocumented macOS implant** named **Gaslight** combines **Telegram bot API C2**, **persistent shell control**, and **file exfiltration** with a built-in **prompt-i...

MacOS.Gaslight Rust infostealer-backdoor with Telegram Bot API channel

Malware Activity
H score30 First: 24.06.2026 17:00 Last: 24.06.2026 17:00 Sources 1

About this happening: Researchers identified **macOS.Gaslight**, a **North Korea-linked** **Rust** infostealer-backdoor that can steal **Chrome, Brave, Firefox and Safari** data, terminal histories, in...

FROST browser SSD timing side channel via OPFS

Technical Analysis
H score16 First: 09.06.2026 12:50 Last: 09.06.2026 12:50 Sources 1

About this happening: **FROST** turns **browser storage timing** into a **remote SSD side channel** that can identify which **sites** a user visits and which **apps** they open. The technique runs insi...

Google Chrome DBSC rolls out session-cookie theft protection for all users

Security Tool/Service
H score10 First: 29.05.2026 15:08 Last: 29.05.2026 15:08 Sources 1

About this happening: Google's **Chrome Device Bound Session Credentials (DBSC)** is now **generally available** and rolling out to **all users**, reducing the risk of **account takeovers** from stolen...

Timeline

  1. 01.04.2026 03:00 2 articles · 3mo ago

    Varonis discloses Storm server-side decryption infostealer

    Initial Disclosure

    Varonis discloses Storm, an infostealer that emerged on underground cybercrime networks in early 2026 and steals browser credentials, session cookies, crypto wallets, documents, screenshots, and messaging-session data before shipping encrypted files to attacker infrastructure for server-side decryption. The malware handles both Chromium and Gecko-based browsers, targets Telegram, Signal, Discord, and browser extensions and desktop apps for wallets, and can silently restore authenticated sessions with a Google Refresh Token plus a geographically matched SOCKS5 proxy. The investigation also found 1,715 entries linked to activity across multiple countries, indicating ongoing malicious campaigns.

    Show sources