- Storm enables session hijacking that bypasses passwords and multi-factor authentication
- Attackers can restore stolen sessions remotely without triggering standard security alerts
- The malware ships encrypted browser data to attacker servers for decryption, keeping that step off the endpoint
A new strain of infostealer malware called Storm is changing the way account compromise works, experts have warned.
New findings from Varonis Threat Labs have shown how this strain is moving away from passwords and focusing on session cookies that keep users logged in.
These cookies allow attackers to completely bypass login steps, including multi-factor authentication, which traditionally acts as a second layer of protection.
Session hijacking replaces passwords
Once a session is stolen, the attacker can access accounts as if they were the legitimate user without triggering standard authentication checks.
Storm collects browser data, including saved credentials, session cookies, autofill entries, and authentication tokens, from both Chromium-based browsers and Gecko-based ones such as Firefox, Waterfox, and Pale Moon, with the decryption handled on the server side, giving it broader coverage than competitors like StealC V2.
Unlike older tools, it avoids decrypting this information on the victim’s device and instead sends encrypted data to attacker-controlled servers for processing.
This approach reduces the visibility of endpoint security tools, which typically monitor suspicious activity on local systems.
Once the data is processed, attackers can restore sessions remotely using tools built into the malware’s control panel.
By combining stolen session tokens with proxy servers matching the victim’s location, attackers can log in without arousing the suspicion of security systems.
Storm is sold as a subscription service, reducing the barriers to entry for cybercrime by offering a comprehensive toolkit for data theft and account takeover.
Pricing tiers include a seven-day $300 demo, a $900 per month standard plan, and a $1,800 per month team license supporting up to 100 operators and 200 builds.
Even after a subscription expires, previously deployed malware continues to collect data, allowing continued exploitation at no additional cost.
At the time of Varonis's analysis, the malware's control panel contained 1,715 victim entries covering India, the United States, Brazil, Indonesia, Ecuador, Vietnam and several other countries.
Credentials tagged to Google, Facebook, Twitter, Coinbase, Binance, Blockchain.com, and Crypto.com appear on multiple entries, a pattern that suggests active campaigns target both business and cryptocurrency accounts.
Beyond login sessions, the malware gathers documents, screenshots, messaging app data, and cryptocurrency wallet information.
This capability allows attackers to move laterally from the infected machine to other systems, access sensitive files, and potentially turn a single infection into a broader compromise that impacts an entire organization.
This development shows how techniques once associated with advanced attackers are becoming widely available through subscription services.
Organizations that rely solely on traditional endpoint protection should be concerned.
However, organizations with strong behavioral analytics and network monitoring may already have the visibility to detect a stolen session being replayed from a client that does not match the one that logged in, even when the attacker's proxy matches the victim's location.
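The detection the article alludes to comes down to a server-side check that a session cookie keeps arriving from the client that authenticated it. The following is an added example, not code from the article or from Varonis: it binds each session to a fingerprint at login and scores later requests that present the same session id from a changed client. Attributes a geo-matched proxy can trivially match (country) score low; attributes that leak the attacker's own browser stack (user agent, TLS client fingerprint) score high. The session ids, IPs, ASNs and fingerprint strings are constructed sample data, and the ASN and TLS lookups are assumed to have been done upstream at the edge.

```python
"""Score replay of a session cookie from a client that differs from the one
that logged in. Added illustrative code; all sample values are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ClientFingerprint:
    asn: str          # autonomous system of the client IP (assumed looked up upstream)
    country: str      # geolocation of the client IP (assumed looked up upstream)
    user_agent: str   # HTTP User-Agent header
    tls_fp: str       # TLS client hello fingerprint captured at the edge (assumed)


@dataclass
class Request:
    session_id: str
    ip: str
    asn: str
    country: str
    user_agent: str
    tls_fp: str

    def fingerprint(self) -> ClientFingerprint:
        return ClientFingerprint(self.asn, self.country, self.user_agent, self.tls_fp)


# A residential proxy in the victim's region defeats the country check, so it
# is worth little; a new ASN is a stronger signal; a different browser or TLS
# stack means a different machine is presenting the cookie.
WEIGHTS = {"country": 1, "asn": 2, "user_agent": 3, "tls_fp": 3}
STEP_UP = 3   # force re-authentication at this score
REVOKE = 5    # kill the session at this score


class SessionMonitor:
    def __init__(self) -> None:
        self._bound: Dict[str, ClientFingerprint] = {}

    def bind(self, req: Request) -> None:
        """Call once when a login succeeds: remember who authenticated."""
        self._bound[req.session_id] = req.fingerprint()

    def revoke(self, session_id: str) -> None:
        self._bound.pop(session_id, None)

    def check(self, req: Request) -> Tuple[str, int, List[str]]:
        """Return (verdict, score, changed_attributes) for a follow-up request."""
        bound = self._bound.get(req.session_id)
        if bound is None:
            return "unknown_session", 0, []
        now = req.fingerprint()
        changed = [f for f in WEIGHTS if getattr(bound, f) != getattr(now, f)]
        score = sum(WEIGHTS[f] for f in changed)
        if score >= REVOKE:
            self.revoke(req.session_id)
            return "revoke", score, changed
        if score >= STEP_UP:
            return "step_up", score, changed
        return "allow", score, changed


CHROME_WIN = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"

# Constructed sample traffic for one victim session "s-victim".
LOGIN = Request("s-victim", "203.0.113.10", "AS64500", "BR", CHROME_WIN, "tls-victim")
# Same laptop, same ISP, an hour later.
SAME_CLIENT = Request("s-victim", "203.0.113.11", "AS64500", "BR", CHROME_WIN, "tls-victim")
# Victim switches on a consumer VPN: only the country changes.
VICTIM_VPN = Request("s-victim", "198.51.100.7", "AS64500", "US", CHROME_WIN, "tls-victim")
# Stolen cookie replayed through a Brazilian residential proxy with the
# User-Agent copied from the log, but from the attacker's own browser build.
REPLAY = Request("s-victim", "192.0.2.44", "AS64511", "BR", CHROME_WIN, "tls-attacker")


def run_demo() -> Dict[str, Tuple[str, int, List[str]]]:
    mon = SessionMonitor()
    mon.bind(LOGIN)
    results = {
        "same_client": mon.check(SAME_CLIENT),
        "victim_vpn": mon.check(VICTIM_VPN),
        "replay": mon.check(REPLAY),
    }
    # After revocation the cookie is dead even from the original machine.
    results["after_revoke"] = mon.check(SAME_CLIENT)
    return results


if __name__ == "__main__":
    for name, (verdict, score, changed) in run_demo().items():
        print(f"{name:13s} {verdict:16s} score={score} changed={changed}")
```

Note what the scoring cannot do: an attacker who replays the cookie through a proxy in the victim's ASN and from a browser whose TLS fingerprint matches the victim's scores 0 here. Network-side heuristics narrow the window; removing it requires tokens that are bound to the device that obtained them rather than bearer cookies that work wherever they are pasted.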