www.infosecurity-magazine.com 4/2/2026, 2:29:16 PM · via preferred

New 'Storm' Infostealer Remotely Decrypts Stolen Credentials

Security researchers at Varonis have uncovered a new information stealer strain called Storm that harvests browser credentials, session cookies and crypto wallets before quietly sending everything to the attacker's server for decryption, enabling remote restoration of hijacked sessions.

According to Daniel Kelley, a senior security consultant at Varonis and author of a report published on 1 April, Storm ships encrypted files to its own infrastructure and automates the next step by feeding in a Google Refresh Token and a geographically matched SOCKS5 proxy to silently restore the victim’s authenticated session.

Storm is available for less than £1000 per month, and during the investigation Varonis found 1,715 entries originating from multiple countries, including Brazil, Ecuador, India, Indonesia, the US and Vietnam. The data targeted includes saved passwords, login tokens, autofill data, Google account tokens, credit card data and browsing history, plus documents from user directories, system information and screenshots, and even data from Telegram, Signal and Discord.

Storm is described as processing stolen data server-side for both Chromium- and Gecko-based browsers, which avoids local decryption and reduces the chance of detection.


Article by CyberSIXT