New Hacking Threat Could Steal Your Accounts And Passwords - Even Through 2FA

Cybersecurity researchers at Varonis have identified a sophisticated new infostealer called Storm that bypasses traditional security tools by decrypting stolen browser credentials and session tokens on remote servers.

Key Points

  • The Storm malware collects passwords, session cookies, crypto wallets, and Google account tokens from both Chromium- and Gecko-based browsers.
  • Unlike conventional malware that decrypts data locally, Storm sends encrypted information to attacker-controlled servers to evade endpoint detection.
  • Google introduced App-Bound Encryption in Chrome 127 to hinder local decryption, prompting attackers to develop this server-side processing method.
  • Storm is currently available for purchase on the dark web for less than $1,000 per month, increasing its accessibility to cybercriminals.
  • Security experts recommend regularly clearing browser cookies, using dedicated password managers, and maintaining updated security software to mitigate infection risks.

Why it Matters

This development represents a significant shift in malware tactics that renders many traditional endpoint security tools ineffective against credential theft. By moving the decryption process to remote infrastructure, attackers can bypass modern browser protections and potentially hijack authenticated user sessions even when two-factor authentication is enabled.
BGR Published by staff@bgr.com (Briley Kenney)