Tech News

The silent “Storm”: New infostealer hijacks sessions, decrypts server-side

Why This Matters

Storm marks a step change in credential theft: decryption moves from the victim's machine to the attacker's server, removing the local activity that endpoint tools have learned to flag. That makes session hijacking and data theft quieter and cheaper to run at scale, for enterprises and consumers alike. As stealer authors adapt to browser encryption protections, defenders have to move their detection to what still happens on the host (collection and exfiltration) rather than the decryption that no longer does.

Key Takeaways

A new infostealer called Storm appeared on underground cybercrime forums in early 2026, and it marks a shift in how credential theft is done. For under $1,000 a month, operators get a stealer that harvests browser credentials, session cookies, and crypto wallets, then quietly ships everything to the attacker's server for decryption.

To understand why enterprises should care, it helps to know what changed. Stealers used to decrypt browser credentials on the victim's machine by loading SQLite libraries and accessing credential stores directly. Endpoint security tools got good at catching this, making local browser database access one of the clearest signs that something malicious was running.

Then Google introduced App-Bound Encryption in Chrome 127 (July 2024), which wraps the cookie encryption key so that only Chrome, via a privileged helper service that checks the calling executable, can unwrap it; a process running as the logged-in user can no longer recover the key with DPAPI alone. The first wave of bypasses involved injecting into Chrome or abusing its remote debugging protocol, but both leave traces (a foreign thread or module in the browser, or a debugging port and an unexpected client) that security tools can pick up.

Stealer developers responded by dropping local decryption altogether: the malware copies the encrypted databases and the wrapped key material off the host and decrypts them on the attacker's own infrastructure, removing the telemetry most endpoint tools rely on to catch credential theft. Storm takes this approach further by handling both Chromium and Gecko-based browsers (Firefox, Waterfox, Pale Moon) server-side, whereas StealC V2 still processes Firefox locally.
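The move to server-side decryption removes the decryption step from the host, but not the collection step: to decrypt off-host, a stealer still has to read the wrapped key material (Chromium's Local State, Firefox's key4.db) and the databases that hold the ciphertexts (Cookies, Login Data, logins.json), usually within seconds of each other. The following hunt rule, written here as an added example and not code from the article or from any vendor, looks for exactly that pairing in file-read telemetry. The log format, process names and paths are constructed for the example; in a real deployment the parser would be replaced by the EDR or Sysmon event schema in use.

```python
"""Hunt for browser credential-store collection in file-read telemetry.

Added example (not from the original article). The event format and the
sample log below are constructed; adapt parse_event() to your own telemetry.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Files that hold wrapped key material. A stealer that decrypts server-side
# must still copy these, because the ciphertexts are useless without them.
KEY_STORES = {"local state", "key4.db"}
# Files that hold the encrypted credentials/cookies themselves.
DATA_STORES = {"cookies", "login data", "web data", "logins.json", "cookies.sqlite"}
# Processes expected to touch their own profile data.
BROWSER_PROCS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "firefox.exe"}
# A stealer reads key material and data stores in one sweep; a window of
# seconds keeps slow, legitimate backup jobs out of the alert.
WINDOW = timedelta(seconds=30)


@dataclass
class FileEvent:
    ts: datetime
    pid: int
    process: str
    path: str


def parse_event(line: str) -> FileEvent:
    """Parse one constructed log line: '<iso-ts> pid=<n> image=<exe> read <path>'."""
    ts, pid, image, _op, path = line.split(" ", 4)
    return FileEvent(
        datetime.fromisoformat(ts),
        int(pid.split("=", 1)[1]),
        image.split("=", 1)[1].lower(),
        path,
    )


def classify_path(path: str):
    """Return 'key', 'data', or None for a file path inside a browser profile."""
    p = path.lower().replace("\\", "/")
    if "/user data/" not in p and "/profiles/" not in p:
        return None  # not a Chromium 'User Data' or Gecko 'Profiles' tree
    name = p.rsplit("/", 1)[-1]
    if name in KEY_STORES:
        return "key"
    if name in DATA_STORES:
        return "data"
    return None


def find_collections(lines, window: timedelta = WINDOW):
    """Alert on non-browser processes that read key material and data stores
    within `window` of each other. Returns one alert dict per process."""
    per_proc = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        kind = classify_path(ev.path)
        if kind and ev.process not in BROWSER_PROCS:
            per_proc[(ev.pid, ev.process)].append((ev.ts, kind, ev.path))

    alerts = []
    for (pid, proc), evs in per_proc.items():
        keys = [e for e in evs if e[1] == "key"]
        data = [e for e in evs if e[1] == "data"]
        paired = any(abs(k[0] - d[0]) <= window for k in keys for d in data)
        if paired:
            alerts.append({
                "pid": pid,
                "process": proc,
                "key_stores": sorted(e[2] for e in keys),
                "data_stores": sorted(e[2] for e in data),
            })
    return alerts


# Constructed sample: the browser reading its own files (benign), a backup
# agent reading only Local State (no pairing), and a stealer masquerading as
# updater.exe sweeping Chromium and Firefox stores within seconds.
CH = "C:\\Users\\a\\AppData\\Local\\Google\\Chrome\\User Data\\"
FF = "C:\\Users\\a\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x1.default-release\\"
SAMPLE_LOG = [
    f"2026-02-03T10:00:01 pid=2200 image=chrome.exe read {CH}Local State",
    f"2026-02-03T10:00:02 pid=2200 image=chrome.exe read {CH}Default\\Network\\Cookies",
    f"2026-02-03T10:05:00 pid=3100 image=backup.exe read {CH}Local State",
    f"2026-02-03T10:17:10 pid=4120 image=updater.exe read {CH}Local State",
    f"2026-02-03T10:17:11 pid=4120 image=updater.exe read {CH}Default\\Network\\Cookies",
    f"2026-02-03T10:17:12 pid=4120 image=updater.exe read {CH}Default\\Login Data",
    f"2026-02-03T10:17:13 pid=4120 image=updater.exe read {FF}key4.db",
    f"2026-02-03T10:17:14 pid=4120 image=updater.exe read {FF}logins.json",
]

if __name__ == "__main__":
    for alert in find_collections(SAMPLE_LOG):
        print(f"[!] {alert['process']} (pid {alert['pid']}) collected "
              f"{len(alert['key_stores'])} key store(s) and {len(alert['data_stores'])} data store(s)")
```

The key-plus-data pairing is the high-fidelity signal: a process that reads only a Cookies database may be a backup or sync agent, but one that also pulls Local State or key4.db within the same few seconds is gathering what a server-side decryptor needs. Tuning for your environment means extending BROWSER_PROCS with any legitimate agents and checking the results against file-copy and outbound-connection events from the same PID.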

The collected data includes everything an attacker needs to restore a hijacked session remotely and steal from the victim: saved passwords, session cookies, autofill data, Google account tokens, credit card data, and browsing history.

One compromised employee browser can hand an operator authenticated access to SaaS platforms, internal tools, and cloud environments without ever triggering a password-based alert.

Storm's forum listing

Cookie restore and session hijacking

Once Storm has decrypted the browser data, stolen credentials and session cookies are dumped directly into the operator's panel. Where most stealers require buyers to manually replay stolen logs, Storm automates the next step.

Feed in a stolen Google refresh token and a SOCKS5 proxy in the victim's region, and the panel silently restores the victim's authenticated session, so the login comes from a plausible location and never trips a password-based alert.
