In early 2026 a new infostealer called Storm emerged, and its arrival is not just that of another malicious program: it marks an evolution in the way attackers steal credentials and hijack sessions. According to the analysis published by Varonis, Storm is offered as a service on monthly subscriptions, with prices for its standard package below $1,000, giving operators the ability to collect credentials from browsers, session cookies, Google account tokens and cryptocurrency wallets, and then send all of that encrypted data to attacker-controlled infrastructure for decryption and subsequent exploitation (Varonis analysis).
To understand the importance of this change, one has to go back to the classic mode of operation of stealers. Traditionally these tools tried to decrypt credentials directly on the compromised machine, opening the browsers' local databases (for example with SQLite libraries) and manipulating local password stores. This local behavior, direct access to browser databases and the loading of decryption libraries, was one of the indicators that endpoint solutions began to detect effectively.

Over time the defenses evolved and the browser industry also introduced additional protections. One example cited by the researchers is the introduction of mechanisms that bind encryption keys to the browser application itself, which made local decryption considerably harder without interacting with the browser process. The first attempts to get around that restriction involved injecting code into the browser process or abusing its debugging protocols, techniques that still left traces and could be detected by security tools. In response, stealer developers changed tactics: they stopped trying to decrypt locally and began sending the encrypted files to external servers so that all processing happens off the endpoint, eliminating much of the telemetry that EDR/AV relies on to identify credential theft.
Storm takes that idea one step further. According to the report, the project performs decryption and processing entirely server-side for both Chromium-based and Gecko-based browsers (Firefox, Waterfox, Pale Moon), while other families such as StealC V2 still do part of the processing on the victim machine. The range of data Storm collects is wide: saved passwords, session cookies, form and autofill data, Google tokens, card data, browsing history, documents from user directories and even messaging application sessions such as Telegram, Signal and Discord. It also covers targets prized by cybercriminals, such as cryptocurrency wallet extensions and desktop applications, screenshots across multiple displays and system information collection. Much of this work is done in memory to reduce the chance of detection.
One of the capabilities that makes Storm particularly dangerous is the automation of the step after collection: instead of handing buyers a dump of credentials and leaving them to use them manually, the tool loads the decrypted data into an operator panel and offers functions that make silent session restoration easy. With a Google refresh token and a SOCKS5 proxy whose geographic origin reasonably matches the victim's, the panel can recreate the authenticated session without entering a password, turning the stolen cookie or token into persistent, reliable access. Previous Varonis research, such as Cookie and SessionShark, had already shown how stolen cookies and tokens can make the additional authentication factor irrelevant and allow sustained access to cloud services.
As for architecture and operation, Storm uses a model in which each operator connects their own virtual servers to the service's central infrastructure, so stolen data first passes through nodes controlled by the buyers before reaching the backend. This topology complicates takedown actions by law enforcement, because abuse complaints or blocks first hit hosts controlled by the operator. The management panel includes functions geared to criminal operations: team management with granular permissions, automatic domain-detection rules that label credentials by service (Google, Facebook, Twitter/X, cPanel, cryptocurrency exchanges) and mechanisms to prioritize targets. The panel screenshots analyzed by Varonis showed thousands of records from multiple countries and credentials associated with cryptocurrency exchanges, social media and cloud services, suggesting active, transactional campaigns in which this data ends up on credential markets.
The commercial model is equally worrying from the standpoint of accessibility: Storm is offered at several tiers, including a short-term demo and standard monthly subscriptions for teams, at prices that make it easier for small criminal groups to operate with sophisticated capabilities. In addition, deployed builds keep working even after the operator's subscription expires, so the impact does not automatically disappear when the service is cancelled.
Against this background, the defensive response must evolve. Approaches based solely on detecting local decryption activity or on per-endpoint protection leave blind spots when the processing happens off the compromised device. It is therefore essential to complement those defenses with controls that protect sessions and detect abnormal use of credentials. Implementing conditional access policies that require device integrity, location and risk checks before allowing sensitive actions, limiting the lifetime and scope of refresh tokens, and forcing re-authentication for critical operations all help shrink the window of opportunity. Security teams should also prioritize log correlation and analysis of account and device behavior to identify patterns such as logins from locations incompatible with previous activity or session replays from unusual proxies. For reference on good session management practices, the community has resources such as the OWASP Session Management Cheat Sheet and NIST SP 800-63B.
At the operational level, it is worth reviewing network and egress telemetry to detect unusual uploads of encrypted files to external servers and connection patterns that point to newly provisioned proxies or VPS. Endpoint behavioral telemetry remains useful if it is extended to identify related activity (for example processes that create many temporary files in memory, concurrent access to multiple browser profiles, or screenshots coinciding with recent access to sensitive accounts). UEBA capabilities and anomaly-based detection can help uncover "legitimate" accesses that do not fit the account's history and so block them or require additional verification. Microsoft and other vendors publish guidance on applying conditional access controls and protecting tokens in enterprise environments; these controls complement perimeter and per-endpoint protection (Azure AD Conditional Access documentation).
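As an added illustration of the session-context checks described above (example code written for this page, not from Varonis or the Storm report), the following Python flags reuse of a session cookie or token from a new country, or from a different network than the one the session was established on, without a fresh interactive login; it also catches the case where the replay comes through a proxy in the victim's own country. All log events and network labels are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class SignIn:
    ts: datetime        # time the authenticated request was seen
    user: str
    session_id: str     # identifier of the session cookie / refresh token presented
    country: str        # geolocation of the source IP
    asn: str            # source network (constructed labels, not real ASNs)
    interactive: bool   # True = password+MFA just completed, False = cookie/token only

# Constructed sample log. sess-A: minted after MFA in DE, replayed 35 min later from a hosting
# network in NL. sess-C: replayed through a proxy in the victim's own country, different network.
SAMPLE = [
    SignIn(datetime(2026, 2, 3, 9, 0), "alice", "sess-A", "DE", "AS-resident-1", True),
    SignIn(datetime(2026, 2, 3, 9, 5), "alice", "sess-A", "DE", "AS-resident-1", False),
    SignIn(datetime(2026, 2, 3, 9, 40), "alice", "sess-A", "NL", "AS-hosting-9", False),
    SignIn(datetime(2026, 2, 3, 10, 0), "bob", "sess-B", "ES", "AS-resident-2", True),
    SignIn(datetime(2026, 2, 3, 11, 0), "bob", "sess-B", "ES", "AS-resident-2", False),
    SignIn(datetime(2026, 2, 3, 12, 0), "carol", "sess-C", "FR", "AS-resident-3", True),
    SignIn(datetime(2026, 2, 3, 12, 30), "carol", "sess-C", "FR", "AS-hosting-9", False),
]

def detect_session_replay(events, travel_window=timedelta(hours=2)):
    """Return (user, session_id, reason) for each non-interactive use of a session seen from a new
    country within travel_window of the previous sighting, or from a network other than the login's."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e.session_id].append(e)
    findings = []
    for sid, seen in by_session.items():
        seen.sort(key=lambda e: e.ts)
        anchor = prev = seen[0]       # anchor: last interactive login; prev: previous sighting
        for e in seen[1:]:
            if e.interactive:         # a fresh MFA login re-establishes the expected context
                anchor = prev = e
                continue
            reasons = []
            if e.country != prev.country and e.ts - prev.ts <= travel_window:
                reasons.append(f"country {prev.country}->{e.country} in {e.ts - prev.ts}")
            if e.asn != anchor.asn:
                reasons.append(f"network {anchor.asn}->{e.asn} without re-authentication")
            if reasons:
                findings.append((e.user, sid, "; ".join(reasons)))
            prev = e
    return findings
```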

The lesson for organizations is clear: the fact that a user has not changed their password or received a failed-login notification does not mean their session has not been compromised. Theft of cookies and tokens enables lateral movement and persistent access without triggering password alerts, so defenses should focus both on protecting the secrets and on validating the context and integrity of each session. In practice this means short lifetimes and rotation for tokens, stricter access controls for critical resources, segmentation of privileges, monitoring of abnormal account use, and a response capability that includes invalidating compromised sessions and investigating suspicious egress nodes.
Storm is not an isolated case but the manifestation of a trend: the outsourcing of decryption work and the prioritization of session theft over direct password theft. Faced with this scenario, companies that rely only on password strength and traditional endpoint controls will be at a disadvantage against attackers who are already selling automation to restore stolen sessions. A modern defensive strategy must combine good identity management practices, adaptive access controls and advanced behavior monitoring to close the avenues these tools exploit.
This article is based on the technical report published by Varonis on the Storm infostealer and on earlier research into cookie and token theft (original Varonis report, Cookie, SessionShark). The OWASP guide and the NIST publication mentioned above are available for further detail on standards and recommendations for session management and authentication.