Facebook, Crypto.com and Microsoft: New 'Storm' Infostealer Remotely Decrypts Stolen Credentials

New Storm Infostealer Emerges as a Stealthy Threat to Browser and Crypto Security

Security researchers at Varonis have identified Storm, a sophisticated infostealer malware that harvests browser credentials, session cookies, and cryptocurrency wallets before exfiltrating encrypted data to attacker-controlled servers. First observed on underground cybercrime forums in early 2026, Storm represents an evolution in credential theft tactics, bypassing traditional detection methods.

Unlike earlier infostealers, which decrypted data locally and were therefore exposed to endpoint security tools, Storm avoids detection by transmitting encrypted files to remote infrastructure for decryption. This approach circumvents protections like Google’s App-Bound Encryption (introduced in Chrome 127 in July 2024), which previously forced attackers to rely on detectable methods such as Chrome injection or debugging protocol abuse.

Storm targets both Chromium-based (Chrome, Edge) and Gecko-based browsers (Firefox, Waterfox, Pale Moon), extracting saved passwords, session cookies, autofill data, Google account tokens, credit card details, and browsing history. It also captures system information, screenshots, and session data from messaging apps like Telegram, Signal, and Discord, while targeting crypto wallets via browser extensions and desktop applications. All operations run in memory to minimize forensic traces.

A key feature of Storm is its automation: rather than requiring manual replay of stolen logs, it uses Google Refresh Tokens and geographically matched SOCKS5 proxies to silently restore authenticated sessions, granting attackers access to SaaS platforms, internal tools, and cloud environments without triggering password-based alerts.

Available for under $1,000 per month, Storm has already compromised victims across multiple countries, including Brazil, Ecuador, India, Indonesia, the U.S., and Vietnam. Varonis identified 1,715 entries in attacker panels, though some may include test data. The stolen credentials span high-value platforms such as Google, Facebook, Twitter/X, Coinbase, Binance, and Crypto.com, data commonly sold on credential marketplaces for account takeovers, fraud, and further cyber intrusions.

Source: https://www.infosecurity-magazine.com/news/storm-infostealer-remotely/

Meta cybersecurity rating report: https://www.rankiteo.com/company/meta

Microsoft Threat Intelligence cybersecurity rating report: https://www.rankiteo.com/company/microsoft-threat-intelligence

Crypto.com cybersecurity rating report: https://www.rankiteo.com/company/cryptocom

{
  "id": "METMICCRY1775140151",
  "linkid": "meta, microsoft-threat-intelligence, cryptocom",
  "type": "Cyber Attack",
  "date": "1/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}

{
  "affected_entities": [
    {
      "customers_affected": "1,715 entries in attacker panels (some may include test data)",
      "industry": ["Technology", "Finance", "Cryptocurrency"],
      "location": ["Brazil", "Ecuador", "India", "Indonesia", "U.S.", "Vietnam"],
      "type": "Individuals and organizations"
    }
  ],
  "attack_vector": "Malware distribution (underground cybercrime forums)",
  "data_breach": {
    "data_encryption": "Data encrypted during exfiltration to bypass detection",
    "data_exfiltration": "Encrypted data transmitted to attacker-controlled servers for decryption",
    "number_of_records_exposed": "1,715 entries (some may include test data)",
    "personally_identifiable_information": "Yes (saved passwords, autofill data, credit card details, Google account tokens)",
    "sensitivity_of_data": "High (PII, financial data, authentication tokens, crypto wallet data)",
    "type_of_data_compromised": [
      "Browser credentials",
      "Session cookies",
      "Autofill data",
      "Google account tokens",
      "Credit card details",
      "Browsing history",
      "System information",
      "Screenshots",
      "Messaging app session data",
      "Cryptocurrency wallet data"
    ]
  },
  "date_detected": "2026-01-01",
  "description": "Security researchers at Varonis have identified *Storm*, a sophisticated infostealer malware that harvests browser credentials, session cookies, and cryptocurrency wallets before exfiltrating encrypted data to attacker-controlled servers. Storm bypasses traditional detection methods by transmitting encrypted files to remote infrastructure for decryption, avoiding protections like Google’s *App-Bound Encryption*. It targets Chromium- and Gecko-based browsers, extracting saved passwords, session cookies, autofill data, Google account tokens, credit card details, and browsing history. It also captures system information, screenshots, and session data from messaging apps and crypto wallets. Storm uses automation to restore authenticated sessions via Google Refresh Tokens and SOCKS5 proxies, enabling silent access to SaaS platforms and cloud environments.",
  "impact": {
    "data_compromised": "Browser credentials, session cookies, autofill data, Google account tokens, credit card details, browsing history, system information, screenshots, messaging app session data, cryptocurrency wallet data",
    "identity_theft_risk": "High (PII, financial data, and authentication tokens compromised)",
    "operational_impact": "Unauthorized access to SaaS platforms, internal tools, and cloud environments",
    "payment_information_risk": "High (credit card details and crypto wallet data exposed)",
    "systems_affected": "Chromium-based browsers (Chrome, Edge), Gecko-based browsers (Firefox, Waterfox, Pale Moon), crypto wallet extensions, desktop applications (Telegram, Signal, Discord)"
  },
  "initial_access_broker": {
    "data_sold_on_dark_web": "Yes (credentials sold on credential marketplaces)",
    "high_value_targets": ["Google", "Facebook", "Twitter/X", "Coinbase", "Binance", "Crypto.com"]
  },
  "investigation_status": "Ongoing (researchers at Varonis identified the threat)",
  "motivation": "Financial gain (credential theft, fraud, account takeovers, crypto wallet compromise)",
  "post_incident_analysis": {
    "root_causes": "Evolution in infostealer tactics (remote decryption to bypass endpoint security), availability of Storm on underground forums for $1,000/month"
  },
  "references": [{"source": "Varonis"}],
  "response": {"third_party_assistance": "Varonis (security researchers)"},
  "title": "New Storm Infostealer Emerges as a Stealthy Threat to Browser and Crypto Security",
  "type": "Infostealer Malware",
  "vulnerability_exploited": "Bypassing Google’s *App-Bound Encryption* and endpoint security tools via remote decryption"
}