# Storm Infostealer: A New Breed of Credential Theft Emerges on Cybercrime Networks
A new infostealer dubbed **Storm** has surfaced on underground cybercrime networks, signaling an evolution in credential theft tactics. For a relatively low monthly fee, threat actors gain access to a tool capable of harvesting browser credentials, session cookies, and cryptocurrency wallets, then discreetly transmitting the data to the attacker's server for decryption.

To understand the implications for enterprises, it's crucial to recognize the shift in methodology. Traditional stealers decrypted browser credentials locally, a process that endpoint security solutions became adept at detecting. This involved loading SQLite libraries and directly accessing credential stores, creating a clear indicator of malicious activity.
However, with the introduction of **Google**'s App-Bound Encryption in **Chrome** 127 (July 2024), tying encryption keys to the browser itself, local decryption became significantly more challenging. Initial bypass attempts involved injecting into Chrome or abusing its debugging protocol, but these methods still left detectable traces.
Stealer developers adapted by eliminating local decryption altogether, opting to ship encrypted files to their own infrastructure. This approach effectively circumvents the telemetry that many endpoint tools rely on to identify credential theft. **Storm** takes this strategy a step further by handling both Chromium and Gecko-based browsers (**Firefox**, **Waterfox**, **Pale Moon**) server-side, in contrast to tools like StealC V2, which still processes Firefox data locally.
The data collected by **Storm** encompasses everything needed to hijack sessions remotely and steal from victims, including saved passwords, session cookies, autofill data, Google account tokens, credit card information, and browsing history. A single compromised employee browser can grant an attacker authenticated access to SaaS platforms, internal tools, and cloud environments without triggering traditional password-based alerts.

## Cookie Restore and Session Hijacking
Once **Storm** decrypts the browser data, stolen credentials and session cookies are presented directly in the operator's panel. Unlike many stealers that require manual replay of stolen logs, **Storm** automates the subsequent steps.
By inputting a Google Refresh Token and a geographically matched SOCKS5 proxy, the panel silently restores the victim's authenticated session.

**Varonis** Threat Labs has previously investigated this class of attack. Their [Cookie-Bite](https://www.varonis.com/blog/cookie-bite?hsLang=en) research demonstrated how stolen **Azure** Entra ID session cookies can render MFA ineffective, granting attackers persistent access to **Microsoft 365** without requiring a password. The [SessionShark](https://www.varonis.com/blog/sessionshark?hsLang=en) analysis illustrated how phishing kits intercept session tokens in real time to bypass Microsoft 365 MFA. Storm's cookie restore feature essentially productizes and sells this technique as a subscription service.

## Collection and Infrastructure
Beyond credentials, **Storm** harvests documents from user directories, extracts session data from Telegram, Signal, and Discord, and targets cryptocurrency wallets via browser extensions and desktop applications. It captures system information and screenshots across multiple monitors, operating entirely in memory to minimize the risk of detection.

On the infrastructure front, operators connect their own virtual private servers (VPS) to **Storm**'s central servers, routing stolen data through infrastructure they control, rather than a shared platform. This approach shields the central servers from takedown attempts, as law enforcement or abuse reports initially target the operator's node.
Team management capabilities allow for multiple workers with varying permissions for log access, build creation, and cookie restoration, enabling a single **Storm** license to support a small cybercriminal operation with clearly defined roles.
Domain detection features automatically label stolen credentials by service, with pre-defined rules for Google, Facebook, Twitter/X, and cPanel, simplifying the process for operators to filter and prioritize accounts for exploitation.

## Active Campaigns and Pricing
During the investigation, the logs panel contained 1,715 entries spanning India, the US, Brazil, Indonesia, Ecuador, Vietnam, and several other countries. While it's difficult to ascertain whether all entries represent genuine victims or include test data, the varied IPs, ISPs, and data sizes suggest active campaigns.
Credentials associated with Google, Facebook, Twitter/X, Coinbase, Binance, Blockchain.com, and Crypto.com were observed across multiple entries, data that commonly surfaces on [credential marketplaces](https://www.varonis.com/blog/how-hackers-buy-access?hsLang=en), fueling account takeover, fraud, and initial access for more targeted intrusions.
**Storm** is offered on a tiered subscription basis: $300 for a 7-day demo, $900/month for the standard license, and $1,800/month for a team license that supports 100 operator seats and 200 builds. A crypter is required separately.
Significantly, builds continue to operate even after a subscription expires, ensuring that deployed stealers continue to harvest data regardless of the operator's license status.

## Detecting Stolen Sessions
**Storm** reflects a broader trend in the stealer market. Server-side decryption allows attackers to bypass endpoint tools designed to detect traditional on-device decryption, and session cookie theft is increasingly replacing password theft as the primary objective.
The credentials and sessions harvested by stealers like **Storm** represent the initial stage of an attack, leading to logins from unfamiliar locations, lateral movement, and data access patterns that deviate from established norms.
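The article's closing point is that a stolen session cookie shows up as the same session presented from somewhere it was never issued. The script below is an added example written for this write-up (not Storm's code and not a Varonis tool) of the simplest version of that check: bind each session identifier to the IP and country that first presented it, then flag any later use from a different IP. The log lines, field layout and user names are constructed for illustration.

```python
"""Flag session cookies that are presented from a different origin than the
one that established them.  Added example for this article; the log format
and sample events are constructed, not real telemetry."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    session_id: str
    ip: str
    country: str


# Constructed sample events: alice's session cookie is later presented from a
# different IP and country (the replay pattern), bob's session stays stable.
SAMPLE_LOG = """\
2025-12-14T08:02:11Z alice sess-7f3a 203.0.113.10 US
2025-12-14T08:05:40Z alice sess-7f3a 203.0.113.10 US
2025-12-14T09:17:03Z alice sess-7f3a 198.51.100.77 BR
2025-12-14T09:20:00Z bob sess-c01d 192.0.2.44 DE
2025-12-14T09:45:12Z bob sess-c01d 192.0.2.44 DE
"""


def parse_log(text: str) -> list[Event]:
    """Parse whitespace-separated lines of: timestamp user session_id ip country."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, sid, ip, country = line.split()
        # Accept the trailing 'Z' on older Python versions by mapping it to +00:00.
        events.append(Event(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                            user, sid, ip, country))
    return sorted(events, key=lambda e: e.ts)


def detect_session_replay(events: list[Event]) -> list[dict]:
    """Bind each session_id to the IP/country that first presented it and
    report every later use of that session_id from a different IP."""
    origin: dict[str, Event] = {}
    alerts = []
    for ev in events:
        first = origin.setdefault(ev.session_id, ev)
        if ev.ip != first.ip:
            alerts.append({
                "user": ev.user,
                "session_id": ev.session_id,
                "first_seen": first.ts.isoformat(),
                "from_ip": first.ip,
                "from_country": first.country,
                "at": ev.ts.isoformat(),
                "to_ip": ev.ip,
                "to_country": ev.country,
                # A country change on top of the IP change is the stronger
                # signal; a geo-matched proxy keeps the country the same, so
                # the IP/ASN comparison is what still fires in that case.
                "country_changed": ev.country != first.country,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_session_replay(parse_log(SAMPLE_LOG)):
        print(alert)
```

Because the panel pairs a restored session with a geographically matched SOCKS5 proxy, a country-only comparison will often stay quiet; the IP and, where your identity provider exposes it, the ASN and device fingerprint are the fields worth comparing. Legitimate IP changes (mobile roaming, VPN reconnects) will also trip this rule, so in practice the alert is a trigger for revoking the session and re-prompting for authentication rather than a verdict on its own.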

## Indicators of Compromise
* **Forum handle:** StormStealer
* **Forum ID:** 221756
* **Account registered:** 12/12/25
* **Current version:** v0.0.2.0 (Gunnar)
* **Build characteristics:** C++ (MSVC/msbuild), ~460 KB, Windows only