'Stolen session cookies render MFA irrelevant': How $900-per-month turnkey malware is putting enterprise-grade account hijacking in the hands of rookie hackers

The new Storm infostealer malware bypasses passwords and multi-factor authentication by hijacking active session cookies, allowing attackers to access corporate and cryptocurrency accounts without triggering standard security alerts.

Key Points

  • Storm malware exfiltrates encrypted browser data to remote servers for processing, effectively evading local endpoint security detection.
  • The malware supports both Chromium- and Gecko-based browsers, including Firefox, Waterfox, and Pale Moon.
  • Attackers use stolen session tokens combined with proxy servers to mimic victim locations and avoid suspicious login flags.
  • The software is sold as a subscription service with pricing ranging from a $300 weekly demo to $1,800 monthly team licenses.
  • Varonis Threat Labs identified active campaigns targeting major platforms like Google, Facebook, Coinbase, and Binance across multiple global regions.

Why it Matters

This shift toward session hijacking highlights a critical vulnerability in relying solely on traditional password and multi-factor authentication protocols. Organizations must now prioritize behavioral analytics and network monitoring to detect the anomalous traffic patterns generated when attackers restore stolen sessions.
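
As an added illustration (not code from the article or from Varonis), the sketch below shows one form the monitoring described above can take: because a proxy can make a restored session appear to come from the victim's location, the check binds each session to the client attributes seen at first use and flags later requests where several of them change together. The log field names, the `find_session_rebinds` helper, and the threshold are assumptions, and the events are constructed sample data.

```python
# Constructed sample of web-session log records (not real data).
# Field names are assumptions; ASNs are from the documentation-reserved range.
SAMPLE_EVENTS = [
    {"sid": "s-1001", "ts": 1000, "country": "DE", "asn": 64496, "ua": "Chrome/124 Windows"},
    {"sid": "s-1001", "ts": 1600, "country": "DE", "asn": 64496, "ua": "Chrome/124 Windows"},
    # Same cookie and same country (a proxy matches the geography),
    # but a different network and a different client build.
    {"sid": "s-1001", "ts": 1900, "country": "DE", "asn": 64500, "ua": "Chrome/120 Linux"},
    {"sid": "s-2002", "ts": 1100, "country": "US", "asn": 64497, "ua": "Firefox/125 macOS"},
    # Ordinary roaming: the network changes, the browser does not.
    {"sid": "s-2002", "ts": 5000, "country": "US", "asn": 64498, "ua": "Firefox/125 macOS"},
]

BOUND_FIELDS = ("asn", "ua", "country")


def find_session_rebinds(events, min_changes=2):
    """Return alerts for sessions whose client attributes drift from first use.

    The first event seen for a session id is its baseline. A later event is
    flagged when at least `min_changes` of the bound fields differ from that
    baseline, so a lone network change (roaming) does not alert by default.
    """
    baseline = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        first = baseline.setdefault(ev["sid"], ev)
        changed = [f for f in BOUND_FIELDS if ev[f] != first[f]]
        if len(changed) >= min_changes:
            alerts.append({"sid": ev["sid"], "ts": ev["ts"], "changed": changed})
    return alerts


if __name__ == "__main__":
    for alert in find_session_rebinds(SAMPLE_EVENTS):
        print(alert)
```

A country-only rule would pass every event in this sample; the alert comes from the network and user-agent changing under an unchanged session id.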
TechRadar Published by Efosa Udinmwen