Storm infostealer server-side decryption activity
Malware Activity
Summary
The Storm infostealer now steals browser credentials, session cookies, and crypto wallets and forwards them to attacker infrastructure for server-side decryption, raising the risk of session hijacking and account takeover. It also targets Telegram, Signal, Discord, and browser-stored tokens, making compromised endpoints a gateway to cloud and SaaS access.
Related Happenings
Discord defaults voice and video calls to end-to-end encryption
Security Tool/Service
First: 19.05.2026 23:37
Last: 19.05.2026 23:37
Sources: 1
About this happening:
**Discord** has made **end-to-end encryption (E2EE)** the default for **voice and video calls**, strengthening privacy across a widely used communications platform. The rollout wa...
Storm-2949 Microsoft 365 and Azure data-theft campaign
Campaign
First: 19.05.2026 22:35
Last: 19.05.2026 22:35
Sources: 1
About this happening:
The **Storm-2949** campaign is targeting **Microsoft 365 and Azure production environments** to steal sensitive data, increasing the risk of privileged-account takeover and cloud...
Gremlin stealer modular toolkit evolution
Malware Activity
First: 15.05.2026 17:19
Last: 15.05.2026 17:19
Sources: 1
About this happening:
The **Gremlin stealer** malware has expanded into a **modular toolkit** with **session-hijacking** and **crypto clipping** capabilities, raising the risk of credential theft and a...
Gremlin stealer adds .NET Resource and XOR obfuscation to evade static analysis
Technical Analysis
First: 15.05.2026 17:19
Last: 15.05.2026 17:19
Sources: 1
About this happening:
The latest **Gremlin stealer** build adds **.NET Resource** payload hiding and **XOR encoding** to evade static analysis, making detection and triage harder. The malware also expa...
REMUS infostealer browser-session and password-manager collection expansion
Malware Activity
First: 15.05.2026 17:02
Last: 15.05.2026 17:02
Sources: 1
About this happening:
**REMUS** expanded its **session-theft** and **password-manager** collection capabilities, increasing the malware’s ability to capture authenticated access and browser-side data....
Timeline
01.04.2026 03:00 (2 articles)
Varonis discloses Storm server-side decryption infostealer
Initial Disclosure: Varonis discloses Storm, an infostealer that emerged on underground cybercrime networks in early 2026 and steals browser credentials, session cookies, crypto wallets, documents, screenshots, and messaging-session data before shipping encrypted files to attacker infrastructure for server-side decryption. The malware handles both Chromium- and Gecko-based browsers; targets Telegram, Signal, Discord, and the browser extensions and desktop apps used for wallets; and can silently restore authenticated sessions using a Google Refresh Token together with a geographically matched SOCKS5 proxy. The investigation also found 1,715 entries linked to activity across multiple countries, indicating ongoing malicious campaigns.
Sources:
- New 'Storm' Infostealer Remotely Decrypts Stolen Credentials — www.infosecurity-magazine.com — 02.04.2026 17:15
- The silent “Storm”: New infostealer hijacks sessions, decrypts server-side — www.bleepingcomputer.com — 13.04.2026 17:05