New Storm Infostealer Threat Bypasses MFA With Server-Side Decryption

New "Storm" infostealer skips local decryption, sending browser data to attacker servers. Varonis shows how server-side decryption enables session hijacking, by


Security researchers have identified a new infostealer dubbed "Storm" that takes an unusual approach to harvesting browser sessions and credentials. Conventional infostealers decrypt the data they steal on the infected machine before sending it out; Storm instead ships the still-encrypted browser data to attacker-controlled servers and decrypts it there, which leaves less for endpoint defenses to catch and hands the operators a larger pool of usable sessions.

Storm exfiltrates encrypted browser session data directly to remote servers run by the threat actors. This departs from the usual infostealer design and gives the attackers tighter control over the stolen material while leaving fewer forensic artifacts on the victim system. Once the data reaches attacker infrastructure it is decrypted there, yielding session tokens and authentication credentials. Decrypting off-host is only possible if the server also receives whatever key material protects that data on the endpoint; this summary does not detail what Storm sends alongside the encrypted blobs.

The implications are particularly concerning for users who rely on multi-factor authentication. A browser session cookie or token represents a login that has already passed the MFA challenge, so an attacker who replays it is let straight into the authenticated session: no password is cracked, no second factor is requested, and the stolen session stays usable until it expires or is revoked. This sidesteps one of the most important controls organizations deploy against unauthorized access.

Security analysts from Varonis detailed the threat's mechanics and showed how the server-side decryption model changes the detection picture. Endpoint detections for infostealers commonly key on the local decryption step, for example a non-browser process calling the Windows DPAPI CryptUnprotectData function to unwrap the browser's encryption key. Storm never performs that step on the victim, so the usual signal is absent and an endpoint sensor may miss the compromise even as the encrypted data flows out to the attackers. What does remain observable on the host is the stealer process reading the browser's credential files and then connecting out.
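The following is an added example written for this page, not code from the Varonis research or from the Storm malware itself. It shows the endpoint signal that survives when decryption moves off-host: a non-browser process reads the browser's cookie, login or key-store files and then opens an outbound connection shortly afterwards. The telemetry schema, field names, process names and sample events are all constructed for the example; the Chrome file paths are the browser's default locations.

```python
# Added example (not code from the Varonis research or the TechDailyPulse
# article): correlate reads of browser credential stores with outbound
# connections from the same non-browser process. Even a stealer that never
# decrypts anything locally must still open these files and then talk to its
# server; that pair of events is the endpoint signal that survives.
# The telemetry format, field names and all sample events below are
# constructed for this example and are not from any real product.
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Chrome/Edge files a stealer needs: session cookies, saved logins, and
# "Local State", which holds the DPAPI-wrapped key that protects the others.
SENSITIVE_SUFFIXES = ("\\network\\cookies", "\\cookies", "\\login data", "\\local state")
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe"}
WINDOW = timedelta(seconds=120)  # max gap between the read and the upload

# Constructed JSON-lines telemetry: one benign browser read, one suspicious
# process (pid 4120) that reads two stores and then connects out, one backup
# tool that reads but never connects, and one updater that connects without reading.
SAMPLE_TELEMETRY = r"""
{"ts": "2025-01-15T10:00:01", "type": "file_read", "pid": 3300, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies"}
{"ts": "2025-01-15T10:00:05", "type": "file_read", "pid": 4120, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe", "path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies"}
{"ts": "2025-01-15T10:00:06", "type": "file_read", "pid": 4120, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe", "path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Local State"}
{"ts": "2025-01-15T10:00:09", "type": "file_read", "pid": 5012, "image": "C:\\Program Files\\Backup\\backup.exe", "path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"ts": "2025-01-15T10:00:40", "type": "net_connect", "pid": 4120, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe", "dst_ip": "203.0.113.10", "dst_port": 443}
{"ts": "2025-01-15T10:01:00", "type": "net_connect", "pid": 6100, "image": "C:\\Program Files\\Vendor\\updater.exe", "dst_ip": "198.51.100.7", "dst_port": 443}
"""


def parse_telemetry(text):
    """Parse JSON-lines telemetry into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_sensitive_path(path):
    """True for files under a Chromium 'User Data' directory that hold session or key material."""
    p = path.lower()
    return "\\user data\\" in p and p.endswith(SENSITIVE_SUFFIXES)


def correlate(events):
    """Return one alert per outbound connection made by a non-browser process
    within WINDOW after it read a browser credential store."""
    reads = defaultdict(list)  # pid -> [(read time, path)]
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if image in BROWSER_IMAGES:
            continue  # the browser reading its own files is expected
        if ev["type"] == "file_read" and is_sensitive_path(ev["path"]):
            reads[ev["pid"]].append((ts, ev["path"]))
        elif ev["type"] == "net_connect":
            hits = [path for rts, path in reads[ev["pid"]]
                    if timedelta(0) <= ts - rts <= WINDOW]
            if hits:
                alerts.append({
                    "ts": ev["ts"], "pid": ev["pid"], "image": ev["image"],
                    "remote": f"{ev['dst_ip']}:{ev['dst_port']}",
                    "files_read": hits,
                })
    return alerts


if __name__ == "__main__":
    for a in correlate(parse_telemetry(SAMPLE_TELEMETRY)):
        print(f"{a['ts']} pid={a['pid']} {a['image']} -> {a['remote']} "
              f"after reading {a['files_read']}")
```

On the constructed sample only pid 4120 is flagged: it read both the cookie store and Local State and connected out 35 seconds later. The browser's own reads are excluded, the backup tool never connects, and the updater never read anything sensitive. In production the same rule is better expressed in the EDR or SIEM query language, with the image allow-list replaced by signed-binary checks and the destination enriched with reputation data, but the correlation itself is what matters: reads of these files plus egress from the same process is suspicious regardless of whether any decryption happens on the host.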

The discovery underscores a troubling evolution in infostealer development. As defenders get better at spotting and stopping known techniques, malware authors keep looking for ways to operate below detection thresholds. Storm shows how moving a malicious operation from the endpoint to attacker-controlled remote infrastructure can open a blind spot in monitoring that watches only the host.

Organizations should prioritize monitoring for unusual outbound connections, especially from processes that have just read browser credential stores, and implement network-level egress controls to restrict exfiltration. Rotating passwords is necessary but not sufficient: a stolen session token remains valid until the session itself is revoked, so active sessions for affected users should be invalidated and session logs reviewed for tokens used from unexpected clients. Shorter session lifetimes and binding sessions to the issuing device reduce the window in which a stolen token is useful.
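As an added example of the session-log review recommended above (written for this page, not code from Varonis or from any product), the script below walks a web application's session log and flags a session id that, after completing MFA from one client, is later used from a different source address and user agent with no fresh MFA event in between. That pattern is exactly what a replayed cookie looks like on the server side. The log schema, field names, session ids and sample lines are constructed; the addresses are from documentation ranges.

```python
# Added example (not code from the Varonis research or the TechDailyPulse
# article): review a web application's session log for a session id that
# is used from a different client than the one that completed MFA. A
# replayed cookie shows up as exactly that: the same session id, a new
# source address and user agent, and no fresh MFA event in between.
# The log format, field names and sample lines are constructed for this
# example; the addresses are from documentation ranges.
import json

# Constructed log: alice passes MFA from a Chrome client, then her session id
# reappears from a non-browser client at another address; bob's session is clean.
SAMPLE_LOG = r"""
{"ts": "2025-01-15T09:58:00Z", "sid": "sess-7f3a", "user": "alice", "event": "mfa_ok", "ip": "10.20.30.40", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0", "path": "/login"}
{"ts": "2025-01-15T09:58:20Z", "sid": "sess-7f3a", "user": "alice", "event": "request", "ip": "10.20.30.40", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0", "path": "/mail"}
{"ts": "2025-01-15T10:05:12Z", "sid": "sess-7f3a", "user": "alice", "event": "request", "ip": "203.0.113.10", "ua": "python-requests/2.31.0", "path": "/mail/export"}
{"ts": "2025-01-15T10:05:13Z", "sid": "sess-7f3a", "user": "alice", "event": "request", "ip": "203.0.113.10", "ua": "python-requests/2.31.0", "path": "/settings/forwarding"}
{"ts": "2025-01-15T09:59:00Z", "sid": "sess-91c0", "user": "bob", "event": "mfa_ok", "ip": "10.20.30.41", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0", "path": "/login"}
{"ts": "2025-01-15T10:02:00Z", "sid": "sess-91c0", "user": "bob", "event": "request", "ip": "10.20.30.41", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0", "path": "/mail"}
"""


def parse_log(text):
    """Parse JSON-lines session log entries into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def review_sessions(entries):
    """Return one finding per session id that, after passing MFA from one
    (ip, user-agent) pair, is used from a different pair without a new MFA event.
    'observed' records the first foreign client seen; later ones only add requests."""
    bound = {}     # sid -> (ip, ua) that completed MFA
    findings = {}  # sid -> finding dict
    for e in sorted(entries, key=lambda x: x["ts"]):
        sid, client = e["sid"], (e["ip"], e["ua"])
        if e["event"] == "mfa_ok":
            bound[sid] = client  # (re)bind the session on every fresh MFA
            continue
        if sid not in bound or client == bound[sid]:
            continue  # no MFA on record for this sid, or same client as bound
        f = findings.setdefault(sid, {
            "sid": sid, "user": e["user"], "bound": bound[sid],
            "observed": client, "first_seen": e["ts"], "requests": 0, "paths": [],
        })
        f["requests"] += 1
        f["paths"].append(e["path"])
    return list(findings.values())


def sessions_to_revoke(findings):
    """Session ids to invalidate server-side; a password reset alone leaves them valid."""
    return sorted(f["sid"] for f in findings)


if __name__ == "__main__":
    found = review_sessions(parse_log(SAMPLE_LOG))
    for f in found:
        print(f"{f['sid']} ({f['user']}): bound to {f['bound']}, "
              f"used from {f['observed']} at {f['first_seen']} for {f['paths']}")
    print("revoke:", sessions_to_revoke(found))
```

On the sample, only sess-7f3a is reported: two requests from 203.0.113.10 with a python-requests user agent, hitting a mail export and a forwarding-rule page. A source-address change on its own is noisy (mobile networks and VPNs cause it legitimately), so a production rule should weight the user-agent change to a non-browser client and an ASN or geography change more heavily, and should require a fresh MFA event rather than a fresh password login before re-binding. Whatever the scoring, the response is the same: revoke the session server-side rather than only resetting the password.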

Editorial note: This article represents original analysis and commentary by the TechDailyPulse editorial team.