Storm Infostealer Decrypts Credentials Server-Side
New Storm infostealer bypasses Chrome's App-Bound Encryption by shipping encrypted credentials to attacker infrastructure for decryption. Endpoint tools can't detect it.
A new infostealer called Storm has emerged on underground markets with a technique that renders most endpoint security tools useless: it ships encrypted browser credentials to attacker infrastructure for decryption rather than attempting to crack them locally.
Security researchers at Varonis published their analysis this week, revealing how Storm evolved to bypass Chrome's App-Bound Encryption (ABE) protections introduced in version 127.
Why Server-Side Decryption Matters
Traditional infostealers had to decrypt stolen credentials on the victim's machine. That meant loading SQLite libraries, accessing Chrome's credential stores, and running decryption routines—all activities that endpoint detection tools learned to flag.
Chrome 127's App-Bound Encryption, released in July 2024, made local decryption significantly harder by tying encryption keys to Chrome itself. Many infostealers struggled with this change.
Storm's developers took a different path. Instead of fighting ABE on the endpoint, they simply exfiltrate the encrypted credential databases wholesale and decrypt them on infrastructure they control. The endpoint never sees suspicious decryption activity because it doesn't happen there.
This approach mirrors what we've seen with other infostealers bypassing browser protections—attackers adapt faster than defenders can deploy countermeasures.
What Storm Steals
The malware's target list is comprehensive:
- Browser data: Saved passwords, session cookies, autofill data, credit cards, and browsing history from both Chromium and Gecko-based browsers
- Google account tokens: Refresh tokens that allow session restoration
- Messaging apps: Session data from Telegram, Signal, and Discord
- Cryptocurrency: Wallet data from browser extensions and desktop applications
- Documents: Files from user directories
- System information: Screenshots and device details
Storm handles Firefox, Waterfox, and Pale Moon server-side as well—most stealers still process those locally, leaving forensic traces.
Memory-Only Execution
The malware runs entirely in memory to minimize forensic evidence. Daniel Kelley, senior security consultant at Varonis, noted that this design choice significantly reduces detection opportunities during incident response.
Combined with the server-side decryption model, defenders face a difficult challenge: the malicious activity that would traditionally trigger alerts happens somewhere else entirely.
Automated Session Hijacking
Storm includes an automation feature that goes beyond simple credential theft. By feeding stolen Google Refresh Tokens and geographically matched SOCKS5 proxies into their panel, attackers can silently restore victims' authenticated sessions without triggering location-based security alerts.
This capability makes account takeover trivial. The attacker appears to be logging in from the victim's approximate location using valid session tokens—exactly the kind of "legitimate" access that security tools struggle to distinguish from normal use.
Session hijacking has been the dominant attack vector for credential theft this year. We covered this trend in detail when analyzing how enterprise credentials appear on dark web markets within 48 hours of infection.
Scale of Operations
Varonis discovered 1,715 panel entries from victims in Brazil, Ecuador, India, Indonesia, the United States, and Vietnam. Targeted platforms include Google, Facebook, Coinbase, and Binance—a mix of personal accounts and financial services.
The geographic distribution suggests multiple affiliates operating the malware across different regions, consistent with Storm's Malware-as-a-Service (MaaS) model.
Pricing and Distribution
Storm sells for under $1,000 per month on underground cybercrime forums—relatively expensive compared to commodity stealers but competitive given its technical sophistication.
The MaaS model means less technical criminals can deploy Storm with minimal effort. Affiliates get access to a web panel for managing infections and extracting credentials, while the Storm developers handle infrastructure and updates.
This professionalization of malware distribution continues to lower the barrier to entry for credential theft operations.
Detection Challenges
Organizations face limited options for detecting Storm infections:
Traditional endpoint tools won't flag the credential theft because decryption happens elsewhere. Network monitoring might catch the exfiltration, but encrypted traffic to attacker infrastructure often blends with legitimate HTTPS connections.
The best indicators are behavioral: sudden appearance of new browser sessions from unusual locations, password reset requests the user didn't initiate, or unauthorized access to financial accounts.
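One way to turn those behavioral indicators into detection logic, as an added example that is not from the article or from Varonis: the script below learns each user's baseline devices and countries from constructed identity-provider log lines (the log schema, the device-fingerprint field and the sample values are assumptions) and flags a refresh-token session from a never-seen device even when, as with Storm's geo-matched proxies, the country looks normal.

```python
"""Flag the behavioral hijacking indicators named above in constructed
identity-provider logs (added example, not from the article). Assumed
schema: one JSON object per line with ts, user, event (login or
password_reset_request), method (password or refresh_token, logins only),
geolocated country and a device fingerprint. Baselines are learned from
the log in order of appearance."""
import json
from collections import defaultdict

# Constructed sample: alice's own sessions, then a refresh-token session
# replayed from an unknown device behind a proxy in her own country and a
# reset she did not start; bob's token is replayed from a new country.
SAMPLE_LOG = """\
{"ts":"2026-03-20T08:01:00Z","user":"alice","event":"login","method":"password","country":"US","device":"dev-a1"}
{"ts":"2026-03-20T09:15:00Z","user":"alice","event":"login","method":"refresh_token","country":"US","device":"dev-a1"}
{"ts":"2026-03-21T03:40:00Z","user":"alice","event":"login","method":"refresh_token","country":"US","device":"dev-z9"}
{"ts":"2026-03-21T03:42:00Z","user":"alice","event":"password_reset_request","country":"US","device":"dev-z9"}
{"ts":"2026-03-21T10:00:00Z","user":"bob","event":"login","method":"password","country":"BR","device":"dev-b2"}
{"ts":"2026-03-21T11:00:00Z","user":"bob","event":"login","method":"refresh_token","country":"ID","device":"dev-b2"}
"""

def analyze(log_text):
    """Return alert dicts in log order; a geo-only rule would miss alice."""
    seen_devices = defaultdict(set)         # every device a user appeared on
    interactive_devices = defaultdict(set)  # devices with a password login
    seen_countries = defaultdict(set)
    alerts = []
    for line in log_text.splitlines():
        e = json.loads(line)
        user, dev, country = e["user"], e["device"], e["country"]
        def alert(reason):
            alerts.append({"ts": e["ts"], "user": user, "device": dev,
                           "country": country, "reason": reason})
        if e["event"] == "login":
            # Replayed refresh token: token login on a device never seen for this user.
            if e["method"] == "refresh_token" and dev not in seen_devices[user]:
                alert("refresh-token session from never-seen device")
            # Location still catches proxies that are not geo-matched.
            if seen_countries[user] and country not in seen_countries[user]:
                alert("session from unusual country")
            if e["method"] == "password":
                interactive_devices[user].add(dev)
        elif e["event"] == "password_reset_request":
            # A reset from a device with no password-login history was likely not the user's.
            if dev not in interactive_devices[user]:
                alert("password reset from device with no interactive login")
        seen_devices[user].add(dev)
        seen_countries[user].add(country)
    return alerts
```

Run as-is it yields three alerts: two for alice's never-seen device (the token replay and the reset) and one for bob's country change.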
For organizations concerned about infostealer threats, reviewing our online safety tips and implementing hardware security keys for critical accounts provides the strongest defense against session hijacking.
What This Means Going Forward
Storm represents an evolutionary step that other infostealers will likely follow. When defenders close one door—local credential decryption—attackers find another. Moving computation to attacker infrastructure is an obvious countermeasure, and Storm won't be the last malware to adopt it.
Browser vendors may need to reconsider their security models. App-Bound Encryption assumed decryption would happen locally. If credentials can be exfiltrated in encrypted form and decrypted elsewhere, the protection only adds minor friction to theft operations.
The cat-and-mouse continues.