VYPR research
Published Apr 2, 2026 · Updated May 18, 2026 · 1 source

New 'Storm' Infostealer Remotely Decrypts Stolen Credentials to Evade Endpoint Defenses

Researchers at Varonis have uncovered a new infostealer called Storm that exfiltrates encrypted browser data to attacker-controlled servers for remote decryption, bypassing endpoint security tools that flag local decryption attempts.

Security researchers at Varonis have uncovered a new information stealer malware strain called Storm that harvests browser credentials, session cookies, and crypto wallets before quietly sending everything to the attacker's server for decryption. Unlike traditional infostealers that decrypt stolen data on the victim's machine, Storm exfiltrates encrypted files to remote infrastructure, bypassing endpoint security tools that have learned to flag local decryption behavior. The malware has been active since early 2026 and is sold on underground cybercrime networks for under $1,000 per month.

According to Daniel Kelley, a senior security consultant at Varonis and author of a report published on April 1, Storm represents a significant shift in how credential theft is evolving. Traditional infostealers used to decrypt browser credentials on the victim's machine by loading SQLite libraries and accessing credential stores directly, but endpoint security tools adapted to detect such malicious activity. The introduction of Google's App-Bound Encryption in Chrome 127 (July 2024) made local decryption even harder by tying encryption keys to Chrome itself. The first wave of bypasses involved injecting into Chrome or abusing its debugging protocol, but those methods still left traces that security tools could pick up.

Storm takes a fundamentally different approach by shipping encrypted files to its own infrastructure instead of decrypting them locally. Kelley noted that Storm handles both Chromium and Gecko-based browsers (Firefox, Waterfox, Pale Moon) server-side, whereas other stealers like StealC V2 still process Firefox locally. This server-side decryption model allows Storm to evade detection mechanisms that monitor for local credential access patterns, making it particularly dangerous for enterprise environments.

The data collected after infection includes everything attackers need to restore hijacked sessions remotely and steal from victims: saved passwords, session cookies, autofill data, Google account tokens, credit card information, and browsing history. "One compromised employee browser can hand an operator authenticated access to SaaS platforms, internal tools, and cloud environments without ever triggering a password-based alert," Kelley wrote. Additionally, Storm steals documents from user directories, captures system information and screenshots, pulls session data from Telegram, Signal, and Discord, and targets crypto wallets through both browser extensions and desktop apps. Everything runs in memory to reduce the chance of detection.

While most stealers require buyers to manually replay stolen logs in their operator's panel, Storm automates the next step by feeding in a Google Refresh Token and a geographically matched SOCKS5 proxy so that the panel silently restores the victim's authenticated session. This automation enables attackers to maintain persistent access to compromised accounts without raising alarms. The stolen credentials cover a range of high-value platforms, including Google, Facebook, Twitter/X, Coinbase, Binance, Blockchain.com, and Crypto.com.

During the investigation, Varonis found 1,715 entries originating from multiple countries, including Brazil, Ecuador, India, Indonesia, the United States, and Vietnam. While it is difficult to confirm whether all entries represent real victims or include test data, the diverse IP addresses, ISPs, and data sizes suggest the presence of active malicious campaigns. This type of compromised data is commonly traded on credential marketplaces, where it is used for account takeovers, fraud, and as an entry point for more targeted cyber intrusions.

The emergence of Storm highlights the ongoing arms race between malware developers and security vendors. By moving decryption off the endpoint, Storm defeats a key detection technique that many security tools rely on. Organizations should ensure that endpoint detection and response (EDR) systems are configured to monitor for unusual outbound data transfers and anomalous network connections, in addition to local process behavior. The low price point of Storm also lowers the barrier to entry for less sophisticated cybercriminals, potentially expanding the pool of threat actors capable of conducting credential theft campaigns.
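The page's recommendation to pair process-behaviour monitoring with outbound-transfer monitoring can be turned into a simple correlation rule: a non-browser process that reads a browser credential store and then opens an outbound connection shortly afterwards is the "ship it encrypted" pattern described above. The following is an added detection sketch, not code from Varonis or the Storm report; the pipe-delimited telemetry format, the 120-second window and the sample events are constructed assumptions (the store filenames are the real Chromium and Firefox ones).

```python
"""Correlate credential-store reads with outbound connections from the same
non-browser process. Added illustrative example; telemetry format, window
length and sample events are assumptions, not Storm indicators."""
from collections import defaultdict

# Chromium profiles keep "Login Data", "Cookies" and "Web Data"; Gecko browsers
# (Firefox, Waterfox, Pale Moon) keep logins.json and key4.db.
CREDENTIAL_STORES = ("login data", "cookies", "web data", "logins.json", "key4.db")
BROWSER_PROCS = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe",
                 "waterfox.exe", "palemoon.exe"}
WINDOW_SEC = 120  # assumed: read-then-connect within two minutes is suspicious

def parse_event(line):
    # Constructed telemetry format: ts|pid|process|kind|detail
    ts, pid, proc, kind, detail = line.strip().split("|", 4)
    return {"ts": int(ts), "pid": int(pid), "proc": proc.lower(),
            "kind": kind, "detail": detail}

def find_staged_exfil(lines):
    """Return (pid, proc, store_path, destination) for every credential-store
    read by a non-browser process that is followed, within WINDOW_SEC, by an
    outbound connection from the same pid."""
    reads = defaultdict(list)   # pid -> credential-store read events
    hits = []
    for ev in map(parse_event, lines):
        if ev["proc"] in BROWSER_PROCS:
            continue            # the browser legitimately touches its own stores
        if ev["kind"] == "file_read" and ev["detail"].lower().endswith(CREDENTIAL_STORES):
            reads[ev["pid"]].append(ev)
        elif ev["kind"] == "net_connect":
            for r in reads[ev["pid"]]:
                if 0 <= ev["ts"] - r["ts"] <= WINDOW_SEC:
                    hits.append((ev["pid"], ev["proc"], r["detail"], ev["detail"]))
    return hits

# Constructed sample telemetry (RFC 5737 documentation addresses, not real IoCs).
SAMPLE_EVENTS = [
    r"1000|4242|chrome.exe|file_read|C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"1005|5151|update.exe|file_read|C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"1007|5151|update.exe|file_read|C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies",
    r"1009|5151|update.exe|file_read|C:\Users\a\AppData\Roaming\Mozilla\Firefox\Profiles\x.default\logins.json",
    r"1030|5151|update.exe|net_connect|203.0.113.7:443",
    r"1100|6060|backup.exe|file_read|C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies",
    r"1200|7070|notepad.exe|net_connect|198.51.100.9:443",
    r"1400|6060|backup.exe|net_connect|198.51.100.2:443",   # 300 s later: outside window
]

if __name__ == "__main__":
    for pid, proc, store, dest in find_staged_exfil(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} {proc} read {store!r} then connected to {dest}")
```

The browser's own reads are excluded, and the backup process is not flagged because its connection falls outside the window; tune the window and the process allow-list to your own telemetry.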

Synthesized by Vypr AI