New “Storm” Infostealer Hijacks Browser Sessions and Decrypts Credentials Server‑Side
What Happened – A novel infostealer dubbed Storm surfaced in early 2026, offering a subscription service that harvests browser passwords, session cookies, crypto‑wallet keys and other autofill data, then ships the encrypted payload to the attacker’s infrastructure for server‑side decryption. The tool supports Chromium‑based (Chrome, Edge) and Gecko‑based (Firefox, Waterfox, Pale Moon) browsers and can automatically restore authenticated sessions using Google refresh tokens and SOCKS5 proxies.
Why It Matters for TPRM (Third‑Party Risk Management) –
- Enables persistent, password‑less access to SaaS, cloud and internal applications, bypassing MFA alerts.
- Bypasses traditional endpoint‑based detection that relies on local decryption of browser stores.
- Sold as a low‑cost “as‑a‑service” offering, increasing the likelihood of widespread adoption by low‑skill threat actors.
Who Is Affected – Enterprises across all sectors that rely on web browsers for SaaS access, especially those using Chrome 127+ or Firefox with App‑Bound Encryption.
Recommended Actions –
- Review third‑party risk for any vendors providing browser‑based authentication or session‑management services.
- Enforce strict MFA and conditional‑access policies that invalidate sessions on anomalous IP/geography.
- Deploy behavioral analytics that monitor abnormal outbound encrypted traffic from endpoints.
- Ensure endpoint protection can detect credential‑stealing payloads even when decryption occurs remotely.
Technical Notes – Instead of decrypting the browser’s SQLite credential stores on the victim host, Storm exfiltrates them still encrypted and performs the decryption on attacker infrastructure, removing the local decryption activity that most EDR tools flag. It collects: saved passwords, session cookies, autofill data, Google account tokens, credit‑card numbers and browsing history. The delivery method is not detailed in the source; infostealers of this kind are typically distributed via malicious downloads or phishing kits. Source: BleepingComputer
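Because the decryption step no longer happens on the endpoint, the Recommended Actions above shift detection toward identity and session logs: a stolen cookie or refresh token replayed through a SOCKS5 proxy shows up as the same session being used from a second network location or client shortly after the legitimate user. The following script is an added example, not code from the bulletin or from BleepingComputer; it runs a simple session‑replay heuristic over a constructed sign‑in log (the field layout, session identifiers, IPs and countries are all invented for illustration) and returns the sessions a conditional‑access policy should invalidate.

```python
"""Session-replay heuristic over constructed identity-provider sign-in logs.

Added example (not from the bulletin or its source). Assumes a CSV-style log
with the constructed layout: timestamp,user,session_id,src_ip,country,user_agent.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    session_id: str
    src_ip: str
    country: str
    user_agent: str


# Constructed sample log: one legitimate user whose session reappears from
# another country minutes later, one clean user, and one whose session is
# reused by a non-browser client from a neighbouring IP.
SAMPLE_LOG = """\
2026-02-03T09:00:12Z,alice,sess-7f3a,203.0.113.5,DE,Chrome/127
2026-02-03T09:41:50Z,alice,sess-7f3a,203.0.113.5,DE,Chrome/127
2026-02-03T09:52:03Z,alice,sess-7f3a,198.51.100.77,US,Chrome/127
2026-02-03T10:10:00Z,bob,sess-11aa,192.0.2.9,FR,Firefox/128
2026-02-03T10:15:00Z,bob,sess-11aa,192.0.2.9,FR,Firefox/128
2026-02-03T11:00:00Z,carol,sess-c0de,192.0.2.40,GB,Edge/127
2026-02-03T11:05:00Z,carol,sess-c0de,192.0.2.41,GB,curl/8.5
"""


def parse_log(text: str) -> list[SignIn]:
    """Parse the constructed log format into SignIn events sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, sid, ip, country, ua = line.split(",")
        # "Z" suffix -> explicit UTC offset so fromisoformat accepts it on 3.9+
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(SignIn(when, user, sid, ip, country, ua))
    return sorted(events, key=lambda e: e.ts)


def find_replays(events: list[SignIn], window: timedelta = timedelta(hours=1)):
    """Flag a session whose consecutive uses, within `window`, change country
    or client. A bare IP change is deliberately not enough on its own: mobile
    and corporate NAT churn would drown the signal in false positives.

    Returns a list of (session_id, user, previous_event, suspicious_event, reasons).
    """
    last_by_session: dict[str, SignIn] = {}
    findings = []
    for ev in events:
        prev = last_by_session.get(ev.session_id)
        if prev is not None and ev.ts - prev.ts <= window:
            reasons = []
            if ev.country != prev.country:
                reasons.append(f"country {prev.country}->{ev.country}")
            if ev.user_agent != prev.user_agent:
                reasons.append(f"user-agent {prev.user_agent!r}->{ev.user_agent!r}")
            if reasons:
                findings.append((ev.session_id, ev.user, prev, ev, reasons))
        last_by_session[ev.session_id] = ev
    return findings


def sessions_to_revoke(findings) -> set[str]:
    """Session identifiers a conditional-access policy should invalidate."""
    return {sid for sid, *_ in findings}


if __name__ == "__main__":
    hits = find_replays(parse_log(SAMPLE_LOG))
    for sid, user, prev, ev, reasons in hits:
        print(f"{ev.ts.isoformat()} user={user} session={sid} "
              f"from {prev.src_ip} -> {ev.src_ip}: {'; '.join(reasons)}")
    print("revoke:", sorted(sessions_to_revoke(hits)))
```

On the constructed input the script flags alice’s session (country change within eleven minutes) and carol’s session (browser replaced by a command‑line client), and leaves bob alone. In production the same logic would run over the identity provider’s sign‑in export, with the country lookup fed from a GeoIP source and the output wired to the session‑revocation action rather than to `print`.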