- Storm enables session hijacking that bypasses passwords and multi-factor authentication
- Attackers can recover stolen sessions remotely without triggering standard security warnings
- Stolen browser data is decrypted on attacker-run servers rather than on the victim's device, leaving endpoint tools less to see
A new strain of infostealer malware called Storm is changing how account compromise works, experts have warned.
New findings from Varonis Threat Labs have outlined how this strain is moving away from passwords and focusing on session cookies that keep users logged in.
These cookies let attackers skip the login step entirely, including multi-factor authentication: MFA is enforced when a session is created, and a valid post-login cookie is presented after that check has already passed, so replaying it never triggers a second factor.
Session hijacking replaces passwords
Once a session is stolen, the attacker can access accounts as if they were the legitimate user without triggering standard authentication checks.
Storm collects browser data, including stored credentials, session cookies, autofill records, and authentication tokens, from both Chromium-based browsers and Gecko-based ones such as Firefox, Waterfox, and Pale Moon, with the decryption handled on the server side; that gives it wider browser coverage than rivals such as StealC V2.
Unlike older tools, it does not decrypt this data on the victim's device; it exfiltrates the still-encrypted browser stores to attacker-controlled servers and decrypts them there.
This reduces what endpoint security tools can observe, since they typically look for suspicious activity on the local system, and on-host decryption of browser credential stores is one of the behaviours they watch for.
Once the data is processed, attackers can recover sessions remotely using tools built into the malware’s control panel.
By replaying stolen session tokens through proxy servers located near the victim, attackers defeat geolocation-based anomaly checks and can use the account without tripping location-based alerts.
Storm is sold as a subscription service that lowers the barrier to entry for cybercrime by offering a complete toolkit for data theft and account hijacking.
Pricing tiers include a seven-day demo at $300, a standard plan at $900 per month and a team license of $1,800 per month, supporting up to 100 operators and 200 builds.
Even after a subscription expires, previously deployed malware continues to collect data, enabling ongoing exploitation at no additional cost.
At the time of the investigation, the log panel contained 1,715 records from victims in India, the United States, Brazil, Indonesia, Ecuador, Vietnam, and several other countries.
Credentials tagged to Google, Facebook, Twitter, Coinbase, Binance, Blockchain.com, and Crypto.com appear across multiple records, a pattern that suggests active campaigns are targeting both business and cryptocurrency accounts.
In addition to login sessions, the malware collects documents, screenshots, messaging app data, and cryptocurrency wallet information.
That additional data gives attackers a foothold beyond the single account: sensitive files, conversations and wallet material can be used to reach further systems and escalate an individual compromise into one affecting an entire organization.
This development shows how techniques once associated with advanced attackers are becoming widely available through subscription-based services.
Organizations that rely solely on traditional endpoint protection should be concerned.
However, organizations with strong behavioral analytics and network monitoring may already have the visibility needed to catch this: replaying a stolen session means the same token suddenly arrives from a second client, with a different source address, device or user agent, and often interleaved with the legitimate user's own traffic, and a proxy that matches the victim's country hides only the geolocation part of that pattern.
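To make that traffic pattern concrete, here is an added detection example written for this article; it is not code from Varonis, TechRadar or the Storm panel. It assumes a simplified authentication log (timestamp, event type, user, session id, source IP, country, user agent; the format and every sample line are constructed) and flags any session id that is used by a client other than the one that logged in. The sample includes a replay through a proxy in the victim's own country, which geolocation checks alone would miss but which still shows up as an IP change and as two clients interleaving on one session.

```python
"""Flag session tokens reused from a client other than the one that created them.

Added illustration for this article, not Varonis or Storm code. The log
format below is an assumption; adapt parse_log() to your own auth logs.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: ts kind user session_id src_ip country user_agent
SAMPLE_LOG = """\
2024-05-01T08:00:00Z login alice sess-a1 203.0.113.10 BR Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0
2024-05-01T08:05:00Z request alice sess-a1 203.0.113.10 BR Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0
2024-05-01T09:30:00Z request alice sess-a1 198.51.100.77 BR Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0
2024-05-01T09:31:00Z request alice sess-a1 198.51.100.77 BR python-requests/2.31
2024-05-01T09:40:00Z request alice sess-a1 203.0.113.10 BR Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0
2024-05-01T10:00:00Z login bob sess-b7 192.0.2.5 US Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0
2024-05-01T10:20:00Z request bob sess-b7 192.0.2.5 US Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0
2024-05-01T10:25:00Z request bob sess-b7 198.51.100.200 DE Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0
"""


@dataclass(frozen=True)
class Event:
    ts: str
    kind: str      # "login" establishes a session, "request" uses it
    user: str
    sid: str
    ip: str
    country: str
    ua: str


def parse_log(text):
    """Parse the assumed log format; the user agent may contain spaces."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, user, sid, ip, country, ua = line.split(maxsplit=6)
        events.append(Event(ts, kind, user, sid, ip, country, ua))
    return events


def fingerprint(ev):
    """Client identity as far as a server can see it without extra telemetry."""
    return (ev.ip, ev.ua)


def detect_session_reuse(text):
    """Return one alert per request whose client differs from the session's origin.

    Reasons: ip_change, ua_change, geo_change, interleaved_clients (the session
    alternates between two clients, which a legitimate IP change does not do),
    session_without_login (token appeared with no login event on record).
    """
    alerts = []
    origin = {}                 # sid -> login Event
    seen = defaultdict(set)     # sid -> fingerprints observed so far
    last = {}                   # sid -> fingerprint of the previous event
    for ev in parse_log(text):
        fp = fingerprint(ev)
        if ev.kind == "login":
            origin[ev.sid] = ev
            seen[ev.sid] = {fp}
            last[ev.sid] = fp
            continue
        base = origin.get(ev.sid)
        if base is None:
            alerts.append({"ts": ev.ts, "user": ev.user, "sid": ev.sid,
                           "ip": ev.ip, "reasons": ["session_without_login"]})
            continue
        reasons = []
        if ev.ip != base.ip:
            reasons.append("ip_change")
        if ev.ua != base.ua:
            reasons.append("ua_change")
        if ev.country != base.country:
            reasons.append("geo_change")   # absent when the attacker proxies from the victim's country
        # A previously seen client reappearing after a different one used the
        # session means two parties hold the token at the same time.
        if fp != last[ev.sid] and fp in seen[ev.sid] and len(seen[ev.sid]) > 1:
            reasons.append("interleaved_clients")
        seen[ev.sid].add(fp)
        last[ev.sid] = fp
        if reasons:
            alerts.append({"ts": ev.ts, "user": ev.user, "sid": ev.sid,
                           "ip": ev.ip, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_session_reuse(SAMPLE_LOG):
        print(alert)
```

In the sample, alice's session is replayed from 198.51.100.77 in the same country, so only the IP and user-agent checks fire, and her own client's next request is what produces the `interleaved_clients` signal; bob's session shows the easier case where the replay also changes country. An `ip_change` on its own is a weak signal (mobile roaming does the same), so in practice the interleaving and user-agent indicators are the ones to weight highly, and the server-side fix is to bind the session to the client fingerprint at login and force re-authentication when it changes.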