Storm Infostealer Decrypts Stolen Credentials Server-Side to Evade Detection
New MaaS stealer ships encrypted browser data to attacker infrastructure for decryption, bypassing endpoint detection. Session hijacking with geo-matched proxies defeats MFA.
A new infostealer called Storm has been making the rounds on underground cybercrime forums since late 2025, and it represents a meaningful evolution in how credential theft operates. The key innovation: Storm ships encrypted browser data to attacker infrastructure for decryption, completely bypassing the endpoint telemetry that security tools rely on to catch this behavior.
Traditional infostealers decrypt credentials on the victim's machine by loading SQLite libraries and accessing Chrome's credential store directly. Endpoint detection tools have gotten good at flagging this: it's noisy and predictable. Storm takes a different approach.
How Server-Side Decryption Works
According to Bleeping Computer's technical analysis, Storm grabs encrypted browser database files and ships them wholesale to the operator's infrastructure. The decryption happens server-side, on hardware the defender can't see or monitor.
This approach removes "the clearest signs that something malicious was running" from the victim's endpoint. No suspicious DLL loads, no credential store access patterns, no SQLite library activity. The malware just copies files and exfiltrates them—behavior that's much harder to distinguish from legitimate backup or sync operations.
Storm handles both Chromium-based browsers (Chrome, Edge, Brave) and Gecko-based browsers (Firefox, Waterfox, Pale Moon) through this server-side processing.
Stolen Data Categories
The stealer harvests a comprehensive dataset:
- Saved passwords and session cookies
- Autofill data and Google account tokens
- Credit card information stored in browsers
- Browsing history
- Telegram, Signal, and Discord session data
- Cryptocurrency wallets (browser extensions and desktop apps like Coinbase, Binance)
- Documents from user directories
- Multi-monitor screenshots
- System information and hardware fingerprints
All collection executes in-memory to further reduce detection surface.
Session Hijacking Defeats MFA
This is where Storm gets particularly dangerous. The platform automates post-exploitation by pairing stolen session cookies with geographically matched SOCKS5 proxies.
Feed Storm a Google Refresh Token, and it silently restores the victim's authenticated session from an IP address in the victim's geographic region. This bypasses MFA entirely because the attacker isn't logging in—they're continuing an existing authenticated session. From Google's perspective, it looks like the legitimate user.
One compromised employee browser can hand an operator authenticated access to SaaS platforms, internal tools, and cloud environments without triggering password-based alerts or MFA challenges.
We've seen similar techniques with other infostealers like Lumma and the Ninja Browser campaign, but Storm's automation makes it operationally simpler for less sophisticated attackers.
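What session-token monitoring looks like in practice, as an added example that is not Storm's code and not part of the Bleeping Computer analysis: the detector below keeps a per-session baseline from the first observed use of a token and alerts when a later use of the same token arrives with a different client fingerprint or from a different autonomous system, even when the country matches, which is exactly the case a geo-matched SOCKS5 proxy is meant to slip past. It assumes the authentication gateway already records an IP-to-ASN lookup and a TLS client fingerprint per request; the session ids, ASNs, fingerprints and events are all constructed.

```python
"""Session-token reuse detector (added example; not Storm's code nor any
vendor's). Storm replays a stolen cookie or refresh token through a SOCKS5
proxy in the victim's region, so a country check alone sees nothing. This
detector records a per-session baseline from the first observed use and
alerts when a later use of the same token arrives with a different client
fingerprint (User-Agent, TLS fingerprint) or autonomous system, even when
the country still matches. All events, ASNs and fingerprints are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class SessionEvent:
    ts: datetime
    session_id: str   # hash of the cookie/refresh token, never the raw secret
    ip: str
    country: str
    asn: int          # from an IP-to-ASN lookup the gateway already performs
    user_agent: str
    tls_fp: str       # JA3/JA4-style client-hello hash (constructed values)


@dataclass
class Baseline:
    country: str
    asn: int
    user_agent: str
    tls_fp: str
    last_seen: datetime


# ASNs belonging to hosting/proxy providers rather than consumer ISPs.
# Constructed numbers taken from the private-use ASN range.
HOSTING_ASNS = {64512, 64513}


def detect_session_misuse(events: List[SessionEvent],
                          stale_after: timedelta = timedelta(days=30)) -> List[dict]:
    """Return one alert per event whose client context deviates from the
    baseline captured at the session's first use."""
    baselines: Dict[str, Baseline] = {}
    alerts: List[dict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        base = baselines.get(ev.session_id)
        if base is None or ev.ts - base.last_seen > stale_after:
            # First sighting (or a long-idle token): this use becomes the baseline.
            baselines[ev.session_id] = Baseline(ev.country, ev.asn, ev.user_agent,
                                                ev.tls_fp, ev.ts)
            continue
        reasons = []
        if ev.tls_fp != base.tls_fp:
            reasons.append("tls_fingerprint_changed")
        if ev.user_agent != base.user_agent:
            reasons.append("user_agent_changed")
        if ev.asn != base.asn:
            reasons.append("asn_changed")
            if ev.asn in HOSTING_ASNS:
                reasons.append("hosting_asn")
        if ev.country != base.country:
            reasons.append("country_changed")
        if reasons:
            alerts.append({
                "session_id": ev.session_id,
                "ts": ev.ts.isoformat(),
                "ip": ev.ip,
                # True when the country still matched: the geo-proxy case.
                "geo_matched": ev.country == base.country,
                "reasons": reasons,
            })
        base.last_seen = ev.ts
    return alerts


# Constructed sample: the victim uses session "s1" normally, then the same
# token is replayed from a hosting ASN in the same country with a different
# browser stack. Session "s2" is a single untouched session.
T0 = datetime(2026, 4, 2, 9, 0, 0)
VICTIM_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
SAMPLE_EVENTS = [
    SessionEvent(T0, "s1", "198.51.100.10", "US", 64496, VICTIM_UA, "tlsfp-a1b2"),
    SessionEvent(T0 + timedelta(minutes=30), "s1", "198.51.100.10", "US", 64496,
                 VICTIM_UA, "tlsfp-a1b2"),
    SessionEvent(T0 + timedelta(minutes=65), "s1", "203.0.113.7", "US", 64512,
                 "Mozilla/5.0 (X11; Linux x86_64) Chrome/124.0", "tlsfp-f9e8"),
    SessionEvent(T0 + timedelta(minutes=5), "s2", "192.0.2.44", "BR", 64497,
                 VICTIM_UA, "tlsfp-c3d4"),
]

if __name__ == "__main__":
    for alert in detect_session_misuse(SAMPLE_EVENTS):
        print(alert)
```

The `geo_matched` flag is the useful bit for triage: an alert with the country unchanged but the ASN and TLS fingerprint changed is the signature of a replayed token behind a regional proxy, not a travelling user. Expect benign hits when a browser updates (User-Agent and sometimes TLS fingerprint change together), so tune by requiring an ASN change or a hosting ASN before paging anyone.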
Malware-as-a-Service Pricing
Storm operates as a subscription service with tiered pricing:
| Tier | Price | Features |
|---|---|---|
| 7-day demo | $300 | Basic access |
| Standard monthly | $900 | Full features |
| Team license | $1,800/month | 100 operator seats, 200 builds |
A separate crypter is required. Notably, builds keep running after a subscription expires—once deployed, the malware continues harvesting until removed from the victim system.
Infrastructure Design
Operators deploy personal VPS nodes that connect to Storm's central servers. This distributed model means law enforcement or abuse reports hit the operator's disposable node first, insulating the core platform. It's a resilience architecture we've seen increasingly adopted by sophisticated malware operations.
At the time of the investigation, researchers found 1,715 entries in the logs panel spanning India, the U.S., Brazil, Indonesia, Ecuador, Vietnam, and several other countries. Harvested credentials targeted Google, Facebook, Twitter/X, and cryptocurrency exchanges.
Detection Indicators
Security teams should watch for:
- Forum handle: StormStealer
- Forum ID: 221756 (registration December 12, 2025)
- Current version: v0.0.2.0 (Gunnar)
- Build characteristics: C++ (MSVC/msbuild), approximately 460 KB, Windows-only
The in-memory execution and file-copy exfiltration pattern makes endpoint detection challenging. Network monitoring for unusual encrypted data uploads to unfamiliar VPS providers may be more effective.
Defensive Recommendations
- Deploy session token monitoring: detect when session cookies are used from unexpected locations or client contexts, even when the geography matches
- Implement continuous authentication: don't rely solely on the initial login; reverify identity during sensitive operations
- Monitor for bulk file access: alert on processes reading multiple browser data directories in sequence
- Use hardware security keys: FIDO2 keys resist session hijacking better than TOTP or SMS
- Segment browser profiles: keep sensitive accounts in separate browser profiles to limit the blast radius
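As an added example of the bulk-file-access rule above (not code from the article, from Storm, or from any product), here is a small detector run over constructed file-read telemetry. It groups reads of credential-bearing browser files by process and alerts when a non-browser process touches several of them inside a short window, or when any process reads both Chromium and Gecko stores. The log line format, the allowlist of browser executables, and every event are constructed; a real deployment would feed it EDR or Sysmon file-access events in whatever shape they arrive.

```python
"""Bulk browser-store access detector (added example; not from the article,
Storm, or any vendor). Storm copies the encrypted browser databases rather
than decrypting them on the host, so the remaining endpoint signal is a
non-browser process reading several credential-bearing files in quick
succession, often across browser families. The log format and every event
below are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# File names that hold credentials, cookies, or the keys protecting them.
CHROMIUM_ARTIFACTS = {"login data", "cookies", "web data", "local state"}
GECKO_ARTIFACTS = {"logins.json", "key4.db", "cookies.sqlite", "formhistory.sqlite"}
# Browsers that legitimately open their own stores (constructed allowlist).
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe",
                  "firefox.exe", "waterfox.exe", "palemoon.exe"}

# Constructed line format: "<iso-ts> pid=<n> image=<exe path> target=<file path>"
LINE_RE = re.compile(r"^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>.+?) target=(?P<target>.+)$")


def artifact_family(path: str) -> Optional[str]:
    """Classify a file path as a Chromium or Gecko credential artifact, else None."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if name in CHROMIUM_ARTIFACTS:
        return "chromium"
    if name in GECKO_ARTIFACTS:
        return "gecko"
    return None


def parse_line(line: str) -> Optional[Tuple[datetime, int, str, str]]:
    """Parse one constructed telemetry line; returns None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), int(m["pid"]), m["image"], m["target"]


def detect_bulk_access(lines: List[str], window: timedelta = timedelta(seconds=60),
                       min_files: int = 3) -> List[dict]:
    """Alert once per process that, inside `window`, reads at least `min_files`
    distinct artifacts while not being a browser, or touches both browser
    families regardless of what it is."""
    per_proc: Dict[Tuple[int, str], List[Tuple[datetime, str, str]]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ts, pid, image, target = ev
        fam = artifact_family(target)
        if fam is not None:
            per_proc[(pid, image)].append((ts, target.lower(), fam))

    alerts: List[dict] = []
    for (pid, image), evs in per_proc.items():
        evs.sort()
        exe = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        is_browser = exe in BROWSER_IMAGES
        for i, (start, _, _) in enumerate(evs):
            paths, fams = set(), set()
            for ts, target, fam in evs[i:]:
                if ts - start > window:
                    break
                paths.add(target)
                fams.add(fam)
            if (not is_browser and len(paths) >= min_files) or len(fams) > 1:
                alerts.append({"pid": pid, "image": image, "window_start": start.isoformat(),
                               "distinct_files": len(paths), "families": sorted(fams)})
                break  # one alert per process is enough for triage
    return alerts


# Constructed sample: a dropped "updater.exe" sweeps Chrome, Edge and Firefox
# stores in five seconds; chrome.exe reads its own files; explorer.exe opens
# one cookie file; svchost.exe reads an unrelated document.
SAMPLE_LOG = r"""
2026-04-02T10:15:01 pid=4412 image=C:\Users\alice\AppData\Local\Temp\updater.exe target=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data
2026-04-02T10:15:02 pid=4412 image=C:\Users\alice\AppData\Local\Temp\updater.exe target=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
2026-04-02T10:15:02 pid=4412 image=C:\Users\alice\AppData\Local\Temp\updater.exe target=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Web Data
2026-04-02T10:15:04 pid=4412 image=C:\Users\alice\AppData\Local\Temp\updater.exe target=C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
2026-04-02T10:15:06 pid=4412 image=C:\Users\alice\AppData\Local\Temp\updater.exe target=C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2z3.default-release\logins.json
2026-04-02T10:15:06 pid=4412 image=C:\Users\alice\AppData\Local\Temp\updater.exe target=C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2z3.default-release\key4.db
2026-04-02T10:20:00 pid=1288 image=C:\Program Files\Google\Chrome\Application\chrome.exe target=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data
2026-04-02T10:20:01 pid=1288 image=C:\Program Files\Google\Chrome\Application\chrome.exe target=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
2026-04-02T10:20:03 pid=1288 image=C:\Program Files\Google\Chrome\Application\chrome.exe target=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Web Data
2026-04-02T10:21:00 pid=902 image=C:\Windows\explorer.exe target=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
2026-04-02T10:21:00 pid=3001 image=C:\Windows\System32\svchost.exe target=C:\Users\alice\Documents\report.docx
"""

if __name__ == "__main__":
    for alert in detect_bulk_access(SAMPLE_LOG.splitlines()):
        print(alert)
```

The allowlist is what keeps this usable: browsers open their own stores constantly, so only a process outside the allowlist, or one that crosses the Chromium/Gecko boundary, should fire. Backup and sync agents will also trip the file-count rule, which is the same ambiguity the article describes, so pair this with the network-side check for uploads to unfamiliar hosting providers rather than relying on it alone.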
Storm demonstrates that endpoint-focused detection isn't sufficient when attackers shift processing off the victim machine. Security architectures need to account for exfiltration-then-process attack models, not just detect-at-execution patterns.