- Storm enables session hijacking that bypasses passwords and multi-factor authentication
- Attackers can restore stolen sessions remotely without triggering standard security alerts
- Malware operates on the server side to process encrypted browser credentials for stealthy exploitation
Experts have warned that a new strain of data-stealing malware called Storm is changing the way account compromise works.
New findings from Varonis Threat Labs have described how this strain moves away from passwords and focuses on session cookies that keep users logged in.
These cookies allow attackers to completely bypass login steps, including multi-factor authentication, which traditionally acts as a second layer of protection.
Session hijacking replaces passwords
Once a session is stolen, the attacker can access the accounts as if they were the legitimate user without triggering standard authentication checks.
Storm collects browser data, including saved credentials, session cookies, autofill entries, and authentication tokens. It processes both Chromium-based and Gecko-based browsers (including Firefox, Waterfox, and Pale Moon) on the server side, giving it broader coverage than rivals such as StealC V2.
Unlike older tools, it avoids decrypting this information on the victim’s device and instead sends encrypted data to servers controlled by the attacker for processing.
This approach reduces the visibility of endpoint security tools, which typically monitor suspicious activity on local systems.
Once the data is processed, attackers can restore sessions remotely using tools built into the malware’s control panel.
By combining stolen session tokens with proxies that match the victim’s location, attackers can log in without raising the suspicion of security systems.
Storm is sold as a subscription service, lowering the barrier to entry for cybercrime by offering a comprehensive set of tools for data theft and account hijacking.
Pricing tiers include a $300 seven-day demo, a $900 per month standard plan, and a $1,800 per month team license that supports up to 100 traders and 200 builds.
Even after a subscription expires, previously deployed malware continues to collect data, allowing for continued exploitation at no additional cost.
At the time of the investigation, the log panel contained 1,715 entries spanning India, the United States, Brazil, Indonesia, Ecuador, Vietnam, and several other countries.
Credentials tagged to Google, Facebook, Twitter, Coinbase, Binance, Blockchain.com, and Crypto.com appear in multiple entries, a pattern that suggests active campaigns are targeting both corporate accounts and cryptocurrency accounts.
Beyond login sessions, the malware collects documents, screenshots, messaging app data, and cryptocurrency wallet information.
This capability allows attackers to move laterally within systems, access sensitive files, and potentially escalate attacks to broader compromises affecting entire organizations.
This development shows how techniques once associated with advanced attackers are becoming widely accessible through subscription-based services.
Organizations that rely solely on traditional endpoint protection should be concerned.
However, organizations with robust behavioral analytics and network monitoring may already have the visibility necessary to detect the unusual traffic patterns that restoring stolen sessions inevitably creates.
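The detection angle in the paragraph above can be made concrete. The following is an added example, not code from the article or from Varonis: it replays constructed web-application session events through a small checker that flags a session cookie reused from a different TLS client fingerprint or from a hosting/proxy network, even when the country matches the victim's. Field names, the `asn_type` enrichment, and the JA3-style fingerprint values are all assumptions for illustration.

```python
# Constructed sample events for one web application. Each record is what a
# reverse proxy or auth service might log per request, enriched with an
# assumed IP lookup giving "residential" vs "hosting" (proxy/datacenter) ASN type.
SAMPLE_EVENTS = [
    # Legitimate user in Brazil on a residential ISP, desktop Chrome.
    {"ts": "2024-05-01T09:00:00", "sid": "s-A", "ip": "203.0.113.10", "country": "BR",
     "asn_type": "residential", "ua": "Chrome/124 Windows", "ja3": "771,4865-4866"},
    {"ts": "2024-05-01T09:05:00", "sid": "s-A", "ip": "203.0.113.10", "country": "BR",
     "asn_type": "residential", "ua": "Chrome/124 Windows", "ja3": "771,4865-4866"},
    # Same cookie 40 minutes later: country still matches (geo-matched proxy) and the
    # user agent was restored with the profile, but the ASN is a hosting provider
    # and the TLS client fingerprint differs from the victim's real browser.
    {"ts": "2024-05-01T09:45:00", "sid": "s-A", "ip": "198.51.100.7", "country": "BR",
     "asn_type": "hosting", "ua": "Chrome/124 Windows", "ja3": "771,4865-4867"},
    # Unrelated healthy session that should produce no alert.
    {"ts": "2024-05-01T10:00:00", "sid": "s-B", "ip": "192.0.2.33", "country": "US",
     "asn_type": "residential", "ua": "Firefox/125 Linux", "ja3": "771,4865"},
]

# Weights are assumed tuning values: a lone user-agent change (browser update)
# should not alert on its own, but a new TLS stack or a proxy network should.
WEIGHTS = {
    "tls_fingerprint_changed": 2,
    "same_country_but_hosting_asn": 2,
    "country_changed": 1,
    "user_agent_changed": 1,
}
ALERT_THRESHOLD = 2


def detect_session_replay(events):
    """Compare every later use of a session ID with the context it was first seen in.

    Returns one alert per suspicious event: {"sid", "ip", "ts", "indicators", "score"}.
    """
    baseline = {}  # session id -> first event seen for that session
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        first = baseline.setdefault(ev["sid"], ev)
        if first is ev:
            continue  # first sighting establishes the baseline, nothing to compare yet
        indicators = []
        if ev["ja3"] != first["ja3"]:
            indicators.append("tls_fingerprint_changed")
        if ev["ua"] != first["ua"]:
            indicators.append("user_agent_changed")
        if ev["country"] != first["country"]:
            indicators.append("country_changed")
        elif ev["ip"] != first["ip"] and ev["asn_type"] == "hosting" and first["asn_type"] != "hosting":
            # Location matches the victim, which is exactly the proxy pattern, but the
            # network moved from a residential ISP to a hosting provider.
            indicators.append("same_country_but_hosting_asn")
        score = sum(WEIGHTS[i] for i in indicators)
        if score >= ALERT_THRESHOLD:
            alerts.append({"sid": ev["sid"], "ip": ev["ip"], "ts": ev["ts"],
                           "indicators": indicators, "score": score})
    return alerts
```

A hit on a session is a reason to invalidate that session server-side and force re-authentication, which is the control that session theft otherwise sidesteps.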