Information Theft Revolutionized: No Local Decryption in This Security Threat

Storm infostealer bypasses local decryption in browsers, hijacks sessions and passwords.

    Cybersecurity professionals are confronting a rapidly shifting threat landscape, driven by a malware strain dubbed “Storm.” Identified and analyzed by Varonis, the Storm infostealer breaks from conventional malware behavior by transferring encrypted browser data directly to attacker-controlled servers for decryption rather than handling it locally on the victim’s machine. This server-side methodology enables session hijacking and removes the need for attackers to crack passwords or defeat multi-factor authentication (MFA) protections outright — rendering two of the most widely trusted security measures effectively useless.

    How Server-Side Decryption Changes the Attack

    Traditionally, browser data encryption serves as a frontline defense against unauthorized access, protecting stored credentials, cookies, and other sensitive information. Storm undermines that defense by never performing local decryption at all.

    • Encryption Avoidance: Secure browsers typically decrypt data locally so users can access their information. Storm exports encrypted browser data to external, attacker-controlled servers instead, sidestepping this process completely.
    • Server-Side Manipulation: Once the encrypted data is transferred, attackers handle decryption on their own infrastructure, making user-centric security controls irrelevant to the attack chain.
    • Session Hijacking at Scale: Decrypting data outside the user’s environment allows attackers to hijack active browser sessions, gaining direct access to logged-in accounts and services without raising immediate suspicion or triggering security alerts.

    Passwords and MFA Are No Longer Enough

    The ability to bypass standard authentication protocols carries serious consequences for individuals and organizations alike. Both passwords and MFA — long considered essential pillars of account security — lose their effectiveness when decryption happens externally.

    • Password Redundancy: Storm does not need to crack or guess passwords to achieve account access. By hijacking an authenticated session, attackers inherit the user’s active permissions across platforms and services.
    • Compromised MFA: Multi-factor authentication mechanisms that depend on the initial login process are bypassed when attackers take over an already-authenticated session, leaving users unaware a breach has occurred.

    Understanding What the Storm Threat Actor Wants

    The motivation behind Storm centers on access to high-value data — financial credentials, personal identifiers, and active session tokens that can be monetized quickly or leveraged for longer-term fraud.

    • Attacker Objective: By exporting encrypted data before local decryption occurs, attackers extract valuable information without ever needing to interact with the protective barriers built into modern browsers.
    • Exploitation Opportunities: Beyond immediate data theft, hijacked sessions can support identity fraud, unauthorized financial transactions, and persistent access to corporate environments, making Storm a tool with both short- and long-term damage potential.

    Recognizing Storm and Responding to the Threat

    Defending against this type of attack requires security teams to move beyond traditional controls and build detection capabilities suited to post-authentication threats.

    • User Education: Awareness efforts must go beyond basic password hygiene and cover the realities of session hijacking, what it looks like from a user’s perspective, and why MFA alone is not a catch-all solution.
    • Advanced Monitoring: Deploying anomaly detection systems capable of flagging unusual session activity — such as logins from unexpected geolocations or device fingerprint mismatches — can help security teams identify hijacking attempts before significant damage is done.
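One way to implement the session-activity monitoring described above, as an added example that is not from the article or from Varonis: it binds each session identifier to the device fingerprint and country seen when the session was established and flags later requests that diverge, which is what a replayed session cookie looks like in application logs. The log format, field names and sample lines are constructed assumptions.

```python
"""Flag a session id reused from a different device or location (added
example, not from the article or Varonis; log format and values are
constructed assumptions: each request logs session id, GeoIP country and a
device-fingerprint hash)."""
from datetime import datetime, timedelta

# Constructed sample log: alice logs in from one laptop, then her session
# id is replayed minutes later from another device in another country.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z sid=abc123 user=alice country=DE fp=fp-laptop-1 path=/login
2024-05-01T09:05:00Z sid=abc123 user=alice country=DE fp=fp-laptop-1 path=/inbox
2024-05-01T09:07:00Z sid=abc123 user=alice country=RU fp=fp-unknown-9 path=/inbox
2024-05-01T09:08:00Z sid=abc123 user=alice country=RU fp=fp-unknown-9 path=/settings
2024-05-01T09:30:00Z sid=def456 user=bob country=US fp=fp-desktop-7 path=/login
2024-05-01T10:30:00Z sid=def456 user=bob country=US fp=fp-desktop-7 path=/dashboard
"""

def parse_line(line):
    """Turn 'timestamp key=value ...' into a dict with a parsed timestamp."""
    ts, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event

def detect_session_anomalies(log_text, travel_window=timedelta(hours=1)):
    """Bind each session id to the device fingerprint and country seen when
    it was established; flag later requests whose fingerprint differs, or
    whose country changes faster than a person could travel."""
    baseline = {}  # sid -> (country, fingerprint, established_at)
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        sid = ev["sid"]
        if sid not in baseline:
            baseline[sid] = (ev["country"], ev["fp"], ev["ts"])
            continue
        country, fp, established_at = baseline[sid]
        reasons = []
        if ev["fp"] != fp:
            reasons.append("device fingerprint changed")
        if ev["country"] != country and ev["ts"] - established_at < travel_window:
            reasons.append("country changed within travel window")
        if reasons:  # a replayed cookie: same sid, different client
            alerts.append({"sid": sid, "user": ev["user"],
                           "ts": ev["ts"].isoformat(), "reasons": reasons})
    return alerts
```

On the constructed log the function returns two alerts for session abc123, each citing both a fingerprint and a country change, and none for bob's session; in production the alert would feed a rule that revokes the session server-side rather than only notifying.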

    The Storm infostealer represents a meaningful escalation in how threat actors approach browser-based credential theft. By moving decryption off the victim’s machine entirely, this malware sidesteps decades of browser security design, forcing security teams to rethink what protection at the session layer actually requires.
