
New Storm Infostealer Remotely Decrypts Stolen Credentials


Surge in Risks from New Infostealer Malware: Varonis Reports on "Storm"

In an alarming development in the world of cybersecurity, researchers at Varonis have identified a new strain of information-stealing malware, termed "Storm." This sophisticated infostealer operates by harvesting sensitive information such as browser credentials, session cookies, and cryptocurrency wallets. The stealthy nature of Storm enables it to send this data to the attacker’s server for decryption without raising immediate suspicion from users or security measures.

Launched on underground cybercrime networks in early 2026, Storm signifies a marked evolution in the methodology employed for credential theft. According to Daniel Kelley, a senior security consultant at Varonis and the author of a detailed report on the threat, the emergence of Storm aligns with the ongoing advancements in malware technologies that impact user security significantly.

Evolution in Credential Theft

Kelley notes that traditional infostealers typically operated by directly decrypting browser credentials on the infected machine. This was often accomplished by loading SQLite libraries to access credential stores. However, as endpoint security tools advanced and began to flag such suspicious activities, attackers were forced to adapt their strategies.

A crucial turning point arrived with Google’s introduction of App-Bound Encryption in Chrome 127, released in July 2024. This feature complicates local decryption by binding encryption keys to Chrome itself. The initial attempts to bypass these security measures often involved injecting malicious code into Chrome or exploiting its debugging protocol. Unfortunately for the attackers, these methods frequently left traces that could easily be detected by security technologies.

In response to these challenges, Storm has developed a more clandestine approach. Instead of decrypting data locally, it transmits encrypted files to its infrastructure, where they can be decrypted server-side. This not only minimizes the chances of detection but also represents a significant leap in the infostealer’s capabilities.
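As an added illustration (not code from the Varonis report or from this article), here is a small detection routine a defender might run over endpoint file-access and process-start telemetry. The JSON event format and the sample events are constructed for the example; the two conditions it flags follow the traces the text describes: a non-browser process reading Chrome's encrypted credential stores (the files Storm copies for server-side decryption), and Chrome launched with its remote-debugging protocol exposed.

```python
import json
from typing import Iterable

# Chrome profile files holding the encrypted credential material that an
# infostealer copies off the host (list assembled for this example).
CHROME_STORES = ("Login Data", "Cookies", "Web Data", "Local State")
# Processes expected to open those files in normal operation.
BROWSER_PROCS = {"chrome.exe", "msedge.exe", "brave.exe"}


def is_credential_store(path: str) -> bool:
    """True if the path's file name is one of the Chromium credential stores."""
    return path.replace("\\", "/").split("/")[-1] in CHROME_STORES


def assess(event: dict) -> list[str]:
    """Return the reasons an endpoint event looks suspicious (empty if benign)."""
    reasons = []
    proc = event.get("process", "").lower()
    if event.get("type") == "file_read" and is_credential_store(event.get("path", "")):
        if proc not in BROWSER_PROCS:
            reasons.append(f"non-browser process {proc} read {event['path']}")
    if event.get("type") == "process_start" and proc in BROWSER_PROCS:
        # Remote debugging lets another process drive the browser and read
        # decrypted data through it; it should not appear on user endpoints.
        if "--remote-debugging-port" in event.get("cmdline", ""):
            reasons.append("browser launched with remote debugging enabled")
    return reasons


def scan(lines: Iterable[str]) -> list[tuple[dict, list[str]]]:
    """Parse JSON-lines telemetry and return (event, reasons) for each hit."""
    hits = []
    for line in lines:
        event = json.loads(line)
        reasons = assess(event)
        if reasons:
            hits.append((event, reasons))
    return hits


# Constructed sample telemetry: one benign browser read, one suspicious copy by
# an unrelated process, one debugging-enabled launch, one unrelated file read.
PROFILE = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default"
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"type": "file_read", "process": "chrome.exe", "path": PROFILE + r"\Login Data"},
    {"type": "file_read", "process": "updater.exe", "path": PROFILE + r"\Login Data"},
    {"type": "process_start", "process": "chrome.exe",
     "cmdline": "chrome.exe --remote-debugging-port=9222 --headless"},
    {"type": "file_read", "process": "explorer.exe", "path": r"C:\Users\alice\notes.txt"},
]]

if __name__ == "__main__":
    for event, reasons in scan(SAMPLE_EVENTS):
        print(event["process"], "->", "; ".join(reasons))
```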

A Multifaceted Approach to Data Theft

One of the standout features of Storm is its capability to gather a comprehensive array of data post-infection. The malware can collect saved passwords, session cookies, autofill data, Google account tokens, credit card details, and even browsing history. This extensive data collection allows an attacker to access high-value platforms without triggering alerts that would typically accompany password changes.

Kelley emphasizes the potential risks posed by a single compromised browser. "One compromised employee’s browser can grant an operator authenticated access to SaaS platforms, internal tools, and cloud environments without ever triggering a password-based alert," he warns. This stealthy approach underscores the importance of robust cybersecurity protocols in organizations.

Storm doesn’t stop at browser credentials; it also reads user directories to steal documents, gathers system information, and captures screenshots. Notably, the malware targets session data from messaging platforms such as Telegram, Signal, and Discord. It can also reach cryptocurrency wallets through both browser extensions and desktop applications, operating entirely in memory to minimize detection risks.

Automation: A Game-Changer in Cybercrime

Unlike most infostealers, which require an operator to replay stolen logs manually, Storm supports automated processes. By feeding in a Google Refresh Token and using a geographically matched SOCKS5 proxy, the malware can restore the victim’s authenticated session seamlessly. This automation not only streamlines operations for cybercriminals but also heightens the risk for everyday users.

A Global Threat Landscape

Varonis reported that Storm is accessible for less than $1,000 per month, making it an attractive option for cybercriminals. During their investigation, Varonis uncovered 1,715 entries linked to this malware from diverse geographic locations, including Brazil, Ecuador, India, Indonesia, the United States, and Vietnam. The varied origins of these entries, coupled with their distinct IP addresses and ISPs, suggest the presence of active malicious campaigns across the globe.

The compromised data is primarily tied to high-value platforms, including:

  • Social Media and Communication: Google, Facebook, Twitter/X
  • Cryptocurrency and Financial Services: Coinbase, Binance, Blockchain.com, Crypto.com

Such data frequently circulates in credential marketplaces, where it is exploited for account takeovers and fraud and serves as a gateway for more targeted cyber intrusions.

Conclusion

The emergence of Storm introduces new challenges in the realm of cybersecurity, reflecting an ongoing arms race between security measures and cybercrime tactics. As these threats become increasingly sophisticated, organizations and individuals alike must remain vigilant and adapt their defenses to safeguard sensitive information against evolving malware strains. The ramifications of malware like Storm extend beyond individual accounts, posing risks to organizations’ overall operational security and integrity.
