New 'Storm' Infostealer Bypasses Endpoint Detection via Server-Side Decryption
A new infostealer dubbed ‘Storm’ has surfaced on underground cybercrime forums, and its design reflects a notable shift in credential-theft tradecraft. According to Cyber Threat Intelligence, the malware is rented for less than $1,000 per month and lets operators exfiltrate browser credentials, session cookies, and cryptocurrency wallet data. Older stealers decrypted the stolen data locally on the victim’s machine, a step that endpoint security products frequently flag; Storm instead ships the still-encrypted data to the attacker’s servers and performs the decryption there.
This shift responds directly to hardening on the endpoint, notably Google’s App-Bound Encryption in Chrome, which wraps the key protecting cookies and passwords through a Windows service running as SYSTEM that only releases it to the browser’s own executable, rather than leaving it recoverable by any process running as the user. Earlier workarounds, such as injecting code into the browser process or abusing its remote-debugging protocol, still left detectable traces on the host. By moving decryption server-side, Storm removes the most conspicuous local step and shrinks its footprint in endpoint telemetry, although reading the profile files and sending the blobs out still leave traces that defenders can hunt for. Cyber Threat Intelligence notes that Storm supports both Chromium- and Gecko-based browsers, a broader scope than some of its predecessors.
The data Storm collects is comprehensive: saved passwords, session cookies, autofill entries, Google account tokens, credit card details, and browsing history. Replaying a stolen session cookie or token lets an attacker take over a session that has already passed multi-factor authentication, so sensitive accounts and services can be accessed remotely without cracking a single password.
What This Means For You
- If your organization relies on browser-based authentication or lets employees keep sensitive data in their browsers, treat this as a live attack vector. Check that your endpoint detection and response (EDR) tooling can flag processes other than the browser reading its profile files (for Chromium-based browsers, Local State, Login Data and the Cookies database; for Firefox, logins.json, key4.db and cookies.sqlite) and outbound connections from those same processes shortly afterwards. Shorten session lifetimes, bind sessions to the device where your identity provider supports it, and revoke active sessions rather than only resetting passwords when a machine is suspected of compromise. Finally, keep reminding users that infostealers typically arrive through malicious links, fake installers and unknown downloads.
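The detection the bullet above describes, as an added example written for this article (it is not Storm's code, nor any vendor's rule): a non-browser process reading a browser's encrypted credential or key files raises an alert, and an outbound connection from the same process within two minutes escalates it to a possible exfiltration. The JSON-lines telemetry is constructed for the demo and only loosely resembles EDR or Sysmon file-access and network-connect events; the field names (ts, event, pid, image, path, dest) and the browser allowlist are assumptions to map onto your own data.

```python
"""Flag infostealer-style reads of browser credential stores, with exfil follow-up.

Added example for this article; not Storm's code nor any vendor's detection rule.
The log lines below are constructed for the demo and only loosely resemble
EDR / Sysmon events (assumed fields: ts, event, pid, image, path, dest).
"""
import json
import re
from datetime import datetime, timedelta

# Processes expected to open their own profile files. Injection into one of
# these, or abuse of the remote-debugging port, needs separate rules.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "firefox.exe"}

# Files holding the encrypted blobs and key material a stealer exfiltrates.
CHROMIUM_STORE_RE = re.compile(
    r"\\User Data\\(Local State|.*\\(Login Data|Web Data|Network\\Cookies))$", re.IGNORECASE)
FIREFOX_STORE_RE = re.compile(
    r"\\Profiles\\[^\\]+\\(logins\.json|key4\.db|cookies\.sqlite)$", re.IGNORECASE)

# How soon after a suspicious read an outbound connection counts as exfil.
EXFIL_WINDOW = timedelta(seconds=120)


def credential_store_kind(path):
    """Return 'chromium', 'firefox' or None for a file path."""
    if CHROMIUM_STORE_RE.search(path):
        return "chromium"
    if FIREFOX_STORE_RE.search(path):
        return "firefox"
    return None


def parse_events(lines):
    """Parse JSON-lines telemetry into dicts with a datetime 'ts', oldest first."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(lines):
    """Return one 'credential_store_access' alert per non-browser read of a
    credential store, plus a 'possible_exfil' alert when that pid connects out
    within EXFIL_WINDOW of its latest such read."""
    alerts = []
    last_read = {}  # pid -> time of its most recent credential-store read
    for ev in parse_events(lines):
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if ev["event"] == "file_read":
            kind = credential_store_kind(ev["path"])
            if kind is None or image in BROWSER_IMAGES:
                continue
            alerts.append({"rule": "credential_store_access", "store": kind,
                           "pid": ev["pid"], "image": image,
                           "path": ev["path"], "ts": ev["ts"].isoformat()})
            last_read[ev["pid"]] = ev["ts"]
        elif ev["event"] == "net_connect":
            seen = last_read.get(ev["pid"])
            if seen is not None and ev["ts"] - seen <= EXFIL_WINDOW:
                alerts.append({"rule": "possible_exfil", "pid": ev["pid"],
                               "image": image, "dest": ev["dest"],
                               "seconds_after_read": int((ev["ts"] - seen).total_seconds())})
    return alerts


# Constructed sample telemetry: a benign Chrome read of its own store, a dropper
# ("update.exe") reading Chrome's key file and cookie DB plus a Firefox key DB
# and then calling out, and unrelated noise that must not alert.
SAMPLE_LOG = r"""
{"ts":"2025-03-04T10:00:01Z","event":"file_read","pid":4120,"image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"ts":"2025-03-04T10:02:10Z","event":"file_read","pid":7788,"image":"C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe","path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Local State"}
{"ts":"2025-03-04T10:02:11Z","event":"file_read","pid":7788,"image":"C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe","path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies"}
{"ts":"2025-03-04T10:02:12Z","event":"file_read","pid":7788,"image":"C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe","path":"C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\abc123.default-release\\key4.db"}
{"ts":"2025-03-04T10:02:40Z","event":"net_connect","pid":7788,"image":"C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe","dest":"203.0.113.45:443"}
{"ts":"2025-03-04T10:05:00Z","event":"file_read","pid":9001,"image":"C:\\Windows\\System32\\SearchIndexer.exe","path":"C:\\Users\\alice\\Documents\\notes.txt"}
{"ts":"2025-03-04T10:06:00Z","event":"net_connect","pid":4120,"image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","dest":"142.250.0.1:443"}
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(json.dumps(alert))
```

Against the sample log this yields three credential-store alerts for update.exe and one possible-exfil alert 28 seconds after its last read, while Chrome's own reads and the indexer's unrelated file access stay quiet. The image allowlist is deliberately a first cut: a stealer that injects into the browser or drives it over the remote-debugging port will appear as the browser itself, so pair this rule with process-creation and command-line monitoring rather than relying on it alone.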