- Storm enables session hijacking that bypasses passwords and multi-factor authentication
- Attackers can restore stolen sessions remotely without triggering standard security alerts
- Malware operates server-side to process encrypted browser credentials for stealthy exploitation
A new strain of infostealer malware dubbed Storm is changing how account compromise works, experts have warned.
New findings from Varonis Threat Labs have outlined how this strain moves away from passwords and focuses on session cookies that keep users logged in.
These cookies allow attackers to bypass login steps entirely, including multi-factor authentication, which traditionally acts as a second layer of protection.
Article continues below
Session hijacking replaces passwords
Once a session is stolen, the attacker can access accounts as if they were the legitimate user without triggering standard authentication checks.
Storm collects browser data, including saved credentials, session cookies, autofill entries, and authentication tokens, and handles both Chromium- and Gecko-based browsers on the server side, including Firefox, Waterfox, and Pale Moon, giving it broader coverage than rivals like StealC V2.
Unlike older tools, it avoids decrypting this information on the victim’s device and instead sends encrypted data to attacker-controlled servers for processing.
This approach reduces visibility for endpoint security tools, which typically monitor suspicious activity on local systems.
Once the data is processed, attackers can restore sessions remotely using tools built into the malware’s control panel.
By combining stolen session tokens with proxy servers that match the victim’s location, attackers can log in without raising suspicion from security systems.
Storm is sold as a subscription service, lowering the barrier to entry for cybercrime by offering a complete toolkit for data theft and account hijacking.
Pricing tiers include a $300 seven-day demo, a $900-per-month standard plan, and a $1,800-per-month team license that supports up to 100 operators and 200 builds.
Even after a subscription expires, previously deployed malware continues collecting data, allowing ongoing exploitation without additional cost.
At the time of the investigation, the logs panel contained 1,715 entries spanning India, the United States, Brazil, Indonesia, Ecuador, Vietnam, and several other countries.
Credentials tagged to Google, Facebook, Twitter, Coinbase, Binance, Blockchain.com, and Crypto.com appear across multiple entries, a pattern which suggests that active campaigns target both corporate and cryptocurrency accounts.
Beyond login sessions, the malware gathers documents, screenshots, messaging app data, and cryptocurrency wallet information.
This capability allows attackers to move laterally within systems, access sensitive files, and potentially escalate attacks into broader compromises that affect entire organizations.
This development shows how techniques once associated with advanced attackers are becoming widely accessible through subscription-based services.
Organizations that rely solely on traditional endpoint protection should be concerned.
However, organizations with strong behavioral analytics and network monitoring may already have the visibility needed to detect the unusual traffic patterns that stolen session restoration inevitably creates.
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
