Storm infostealer enables server-side decryption and automated session hijacking across browsers and applications
Summary
A newly observed infostealer named Storm has been deployed in early 2026, providing cybercriminals with a subscription-based tool that exfiltrates browser credentials, session cookies, cryptocurrency wallet data, and application sessions while avoiding local decryption artifacts that endpoint security tools traditionally detect. Storm automatically restores authenticated sessions using stolen tokens via a central operator panel, enabling persistent access to SaaS platforms, cloud environments, and internal tools without triggering multi-factor authentication or password-based alerts. The malware targets Chromium and Gecko-based browsers, messaging apps, documents, and system artifacts, all processed server-side to evade detection. Operators deploy the tool via compromised or purchased infrastructure, managing multiple workers and builds under a unified control panel. At least 1,715 entries were observed in the operator panel, spanning multiple countries and services commonly associated with account takeover and initial access operations.
Timeline
- 13.04.2026 17:05 (1 article)
Storm infostealer enables server-side decryption and automated session hijacking across browsers and applications
A new infostealer named Storm began circulating in early 2026, offering a subscription-based service that exfiltrates browser credentials, session cookies, and cryptocurrency wallet data to attacker-controlled servers for server-side decryption. The malware automates session restoration using stolen tokens, enabling silent hijacking of authenticated sessions on SaaS platforms, cloud environments, and internal tools without triggering MFA or password alerts. Storm targets Chromium and Gecko-based browsers, messaging apps (Telegram, Signal, Discord), cryptocurrency wallets, documents, and system information, while operating primarily in memory to evade detection. Operators manage multiple workers and builds through a unified panel, with builds maintaining data collection even after subscription expiration.
Sources
- The silent “Storm”: New infostealer hijacks sessions, decrypts server-side — www.bleepingcomputer.com — 13.04.2026 17:05
Information Snippets
- Storm infostealer emerged in early 2026 with a subscription pricing model starting at $900 per month for the standard tier.
  First reported: 13.04.2026 17:05 (1 source, 1 article)
- Storm exfiltrates browser-stored data including saved passwords, session cookies, autofill data, Google account tokens, credit card details, and browsing history from Chromium and Gecko-based browsers.
  First reported: 13.04.2026 17:05 (1 source, 1 article)
- Collected data is shipped encrypted to attacker-controlled servers for server-side decryption, avoiding on-device decryption artifacts that endpoint security tools typically detect.
  First reported: 13.04.2026 17:05 (1 source, 1 article)
- The operator panel automates session restoration using stolen Google Refresh Tokens and geographically matched SOCKS5 proxies, enabling silent hijacking of authenticated sessions without password re-entry or MFA prompts.
  First reported: 13.04.2026 17:05 (1 source, 1 article)
- Storm targets Telegram, Signal, Discord, and multiple cryptocurrency wallets via browser extensions and desktop applications, alongside documents and system information including screenshots.
  First reported: 13.04.2026 17:05 (1 source, 1 article)
- Operators manage multiple workers and builds under a tiered subscription system, with a team license supporting up to 100 operator seats and 200 builds at $1,800 per month.
  First reported: 13.04.2026 17:05 (1 source, 1 article)
- Deployed builds continue harvesting data even after the subscription expires, maintaining persistence of the infostealer on compromised systems.
  First reported: 13.04.2026 17:05 (1 source, 1 article)
- At least 1,715 entries were observed in the operator panel across India, the US, Brazil, Indonesia, Ecuador, Vietnam, and other countries, with credentials tagged to Google, Facebook, Twitter/X, Coinbase, Binance, Blockchain.com, and Crypto.com.
  First reported: 13.04.2026 17:05 (1 source, 1 article)
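Detection sketch for the session-restoration snippet above, added here as an example and not taken from the source article: a token replayed through a proxy in the victim's own country leaves the country field unchanged, so the check below compares each session's network (ASN) and client fingerprint against where that session was first seen. The event schema, field names and log lines are constructed assumptions.

```python
# Constructed sample events (not from the article): one record per request
# that presents an already-issued session or refresh token. ASNs are from the
# documentation range; field names are assumptions about the log schema.
EVENTS = [
    {"ts": "2026-04-13T09:00:00Z", "user": "alice", "session": "s-1",
     "country": "BR", "asn": 64500, "ua": "Chrome/134 Windows"},
    {"ts": "2026-04-13T09:20:00Z", "user": "alice", "session": "s-1",
     "country": "BR", "asn": 64500, "ua": "Chrome/134 Windows"},
    # Same session token, same country, different network and client.
    {"ts": "2026-04-13T09:25:00Z", "user": "alice", "session": "s-1",
     "country": "BR", "asn": 64511, "ua": "Chrome/131 Linux"},
    {"ts": "2026-04-13T10:00:00Z", "user": "bob", "session": "s-2",
     "country": "US", "asn": 64501, "ua": "Firefox/136 macOS"},
    # Same client on a different network (e.g. Wi-Fi to mobile).
    {"ts": "2026-04-13T10:30:00Z", "user": "bob", "session": "s-2",
     "country": "US", "asn": 64502, "ua": "Firefox/136 macOS"},
]


def geo_only_alerts(events):
    """Baseline rule: alert when a session appears from a new country."""
    first, alerts = {}, []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["country"] != first.setdefault(e["session"], e["country"]):
            alerts.append(e)
    return alerts


def session_context_alerts(events):
    """Alert when a live session shows up with BOTH a new network (ASN) and a
    new client fingerprint compared with where the session was first seen."""
    first, alerts = {}, []
    for e in sorted(events, key=lambda e: e["ts"]):
        base = first.setdefault(e["session"], e)
        changed = [k for k in ("asn", "ua") if e[k] != base[k]]
        if len(changed) == 2:
            alerts.append({"ts": e["ts"], "user": e["user"],
                           "session": e["session"],
                           "same_country": e["country"] == base["country"]})
    return alerts


if __name__ == "__main__":
    print("geo-only:", geo_only_alerts(EVENTS))
    print("context :", session_context_alerts(EVENTS))
```

Requiring both attributes to change keeps an ordinary network switch (bob's second event) quiet while still surfacing the same-country replay of alice's session.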