May 11, 2026 · 7 min read
The First Infostealer That Doesn't Decrypt Anything on Your Computer Just Hit 1,715 Victims—Including Gmail and Coinbase Logins
Storm rents for $900 a month, ships your encrypted browser data to its operator's server, and uses your Google Refresh Token to walk past your MFA without your password.
For more than a decade, every browser-based infostealer has worked the same way. It lands on your computer, loads a SQLite library, opens Chrome's local credential store, decrypts the passwords using the keys saved alongside them, and then ships the plaintext to the attacker. Endpoint security tools were built around catching exactly that sequence, and after Google's Chrome 127 update in July 2024 introduced App-Bound Encryption, the local decryption path got dramatically harder.
Storm, a new malware-as-a-service operation documented by Varonis Threat Labs in 2026, simply stopped trying. It does not decrypt anything on your computer. It packages up the encrypted files and ships them to the operator's own infrastructure, where they are unlocked offline. The endpoint tools see no SQLite access, no credential store reads, no anomalous behavior to flag. They see a small 460-kilobyte program touching some files and making outbound network traffic.
By the time Varonis got a look at one operator's command panel, it had 1,715 victims logged from India, the United States, Brazil, Indonesia, Ecuador, and Vietnam.
$900 a Month, No Skill Required
Storm is sold through underground forums by an operator using the handle StormStealer, account ID 221756, registered on December 12, 2025. The pricing is published openly:
- $300 for a seven-day demo.
- $900 a month for a standard subscription.
- $1,800 a month for a team license that includes 100 operator seats and 200 builds.
There is a deliberate quality-of-life feature buried in the pricing: builds that have already been deployed continue to function after the subscription expires. That means an operator can pay for one month, infect a thousand machines, cancel the subscription, and keep harvesting credentials from those machines indefinitely.
The build itself is a roughly 460-kilobyte Windows binary written in C++ with MSVC, currently in version 0.0.2.0 under the codename Gunnar. It runs entirely in memory after the initial loader, which uses PowerShell with the -exec bypass flag (short for -ExecutionPolicy Bypass) to slide past script-blocking controls.
How Server Side Decryption Actually Works
The architecture is the entire point. A traditional stealer needs three things from the victim's machine: access to the encrypted credential file, access to the encryption key, and a working SQLite library to read them. Endpoint detection tools watch all three. App-Bound Encryption added a fourth obstacle by tying the keys to a Chrome process running under the right user identity.
Storm only needs the first item. It copies the encrypted Chromium or Gecko browser files—Chrome, Edge, Firefox, Waterfox, Pale Moon—and uploads them. The decryption happens on the operator's server, where there are no endpoint agents to alert. From the operator's panel, the credentials come out as plaintext rows along with the URL each one belongs to.
The operator panel auto-identifies credentials for high-value services by domain. Varonis observed direct detection logic for Google, Facebook, Twitter, cPanel, Coinbase, Binance, Blockchain.com, and Crypto.com, with the operator's logs showing successful hits on every one.
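As an added illustration, not code from the Varonis write-up or from Storm itself, this is the pattern a defender can still watch for once local decryption is gone: a non-browser process reading browser credential stores and then connecting outbound shortly afterwards. It runs over constructed Sysmon-style events; the process names, paths and IP addresses are hypothetical.

```python
from collections import defaultdict

# Credential-store files Storm copies wholesale instead of decrypting locally
# (Chromium "Login Data"/"Cookies"/"Local State", Gecko key4.db/logins.json).
SENSITIVE_SUFFIXES = (
    "\\Login Data", "\\Cookies", "\\Web Data", "\\Local State",
    "\\key4.db", "\\logins.json", "\\cookies.sqlite",
)
# Processes expected to open those files; anything else reading them is suspect.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "waterfox.exe", "palemoon.exe"}

def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect_exfil_pattern(events, window_s=120):
    """Return one (pid, image, files, dest) tuple per process that read a
    credential store and then opened an outbound connection within window_s."""
    reads = defaultdict(list)  # pid -> [(ts, path)] of suspicious reads
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        img = image_name(ev["image"])
        if ev["type"] == "file_read":
            if ev["path"].endswith(SENSITIVE_SUFFIXES) and img not in BROWSER_IMAGES:
                reads[ev["pid"]].append((ev["ts"], ev["path"]))
        elif ev["type"] == "net_connect" and ev["pid"] in reads:
            recent = sorted({p for t, p in reads[ev["pid"]] if ev["ts"] - t <= window_s})
            if recent:
                hits.append((ev["pid"], img, recent, ev["dest"]))
    return hits

# Constructed events (hypothetical paths, documentation-range IPs).
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SUSPECT = r"C:\Users\u\AppData\Local\Temp\unknown.exe"
BACKUP = r"C:\Program Files\Backup\backup.exe"
LOGIN_DATA = r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"
COOKIES = r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Cookies"
KEY4 = r"C:\Users\u\AppData\Roaming\Mozilla\Firefox\Profiles\abcd.default\key4.db"
SAMPLE_EVENTS = [
    {"ts": 100, "pid": 4100, "type": "file_read", "image": CHROME, "path": LOGIN_DATA},  # browser itself: benign
    {"ts": 130, "pid": 7321, "type": "file_read", "image": SUSPECT, "path": LOGIN_DATA}, # unknown binary copies stores...
    {"ts": 131, "pid": 7321, "type": "file_read", "image": SUSPECT, "path": KEY4},
    {"ts": 170, "pid": 7321, "type": "net_connect", "image": SUSPECT, "dest": "203.0.113.9:443"},  # ...then uploads
    {"ts": 200, "pid": 5000, "type": "file_read", "image": BACKUP, "path": COOKIES},     # backup tool, egress much later
    {"ts": 900, "pid": 5000, "type": "net_connect", "image": BACKUP, "dest": "198.51.100.4:443"},
]

if __name__ == "__main__":
    for pid, img, files, dest in detect_exfil_pattern(SAMPLE_EVENTS):
        print(f"pid {pid} ({img}) read {len(files)} credential store(s), then connected to {dest}")
```

The window is the tunable: the backup tool only becomes a hit when it is widened to 1000 seconds, which is the trade-off between catching a slow stealer and drowning in benign file-sync traffic.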
The MFA Bypass That Makes Your Password Irrelevant
Server-side decryption alone would be alarming. The session hijacking feature is the part that breaks how most people think about multi-factor authentication.
When you log in to Gmail from a new computer, Google issues a Refresh Token and stores it in your browser. The token is the reason you do not have to type your password every time you open your inbox. As long as the token is valid and the request comes from a reasonable-looking IP address, Google treats it as proof that you are already logged in. No password prompt. No MFA challenge.
Storm's panel takes a captured Google Refresh Token and pairs it with a SOCKS5 proxy located in the same geographic region as the original victim. The operator clicks a button. The panel automates the session restoration, and the attacker is now logged into the victim's Google account as if they had walked over and unlocked the laptop.
The same mechanism works on Microsoft 365 through stolen Azure Entra ID session cookies, which Varonis flatly describes as "rendering MFA irrelevant, giving attackers persistent access." Your hardware security key never gets prompted because no one is logging in. Someone is simply continuing a session you already started.
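An added example, not from the Varonis analysis and not Google's real log schema: a check over constructed sign-in records that compares each refresh-token use with the interactive login that issued the token. Field names, the ASN values and the device_id binding are assumptions. It shows why a country-only check is exactly what a region-matched SOCKS5 proxy is built to pass, while an ASN change and a device-binding mismatch still separate the replay from the victim's own browser.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AuthEvent:
    ts: int
    token_id: str
    kind: str        # "issue": interactive login that cleared MFA; "refresh": token use, no MFA
    ip: str
    country: str
    asn: int
    device_id: str   # hypothetical device-bound key id (what DBSC-style binding provides)

# Constructed: ASNs in the documentation range. 64500 stands for a hosting/proxy provider.
HOSTING_ASNS = {64500}

def evaluate_refresh(issue, refresh, geo_only=False):
    """Reasons this refresh looks like a replay of a token issued to someone else's device."""
    reasons = []
    if refresh.country != issue.country:
        reasons.append("country_mismatch")
    if geo_only:                      # the policy a region-matched proxy defeats
        return reasons
    if refresh.asn != issue.asn:
        reasons.append("asn_changed")
    if refresh.asn in HOSTING_ASNS:
        reasons.append("hosting_asn")
    if refresh.device_id != issue.device_id:
        reasons.append("device_mismatch")
    return reasons

def flag_replays(events, geo_only=False):
    """Map (token_id, ts) -> reasons for every refresh that fails the check."""
    issued = {e.token_id: e for e in events if e.kind == "issue"}
    flagged = {}
    for e in events:
        if e.kind == "refresh" and e.token_id in issued:
            reasons = evaluate_refresh(issued[e.token_id], e, geo_only)
            if reasons:
                flagged[(e.token_id, e.ts)] = reasons
    return flagged

# Constructed records: victim signs in from a US residential ISP, then the stolen
# token is replayed through a US SOCKS5 proxy from a different device.
SAMPLE = [
    AuthEvent(1000, "tok-A", "issue",   "198.51.100.23", "US", 64496, "dev-1"),
    AuthEvent(2000, "tok-A", "refresh", "198.51.100.23", "US", 64496, "dev-1"),  # victim's own browser
    AuthEvent(3000, "tok-A", "refresh", "203.0.113.77",  "US", 64500, "dev-9"),  # replay via proxy
]

if __name__ == "__main__":
    print("geo-only policy flags:", flag_replays(SAMPLE, geo_only=True))
    print("ASN + device policy flags:", flag_replays(SAMPLE))
```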
What Storm Actually Steals
The full collection inventory, from the Varonis analysis:
- Saved passwords and autofill data from all major browsers.
- Session cookies and Google account tokens.
- Stored credit card numbers and browsing history.
- Session data from Telegram, Signal, and Discord desktop apps.
- Cryptocurrency wallet credentials from browser extensions and desktop wallets.
- Documents pulled from user directories.
- System information and multi-monitor screenshots, captured through the GDI API entirely in memory.
The Signal and Telegram capture is worth dwelling on. Those are the apps most people install specifically because they do not trust other channels. Storm does not break the encryption; it does not have to. It steals the session, and once the operator has the session, the entire message history is just a page load away.
Why Email Users Should Care
Email is the highest-leverage credential anyone owns. Once an attacker has access to your Gmail or Outlook session, they can read every password reset link sent to that address. That means your bank, your brokerage, your work tools, and your social accounts are all reachable, one "Forgot password?" click at a time.
Storm is built to hunt exactly that credential. The operator panel auto-flags Google logins as high value because they unlock everything downstream. The session hijack works around hardware keys and authenticator apps because it does not perform a login at all.
The campaigns that distribute Storm—malvertising, fake software updates, ClickFix prompts that ask victims to paste a command into the Windows Run dialog—are the same ones now flooding people's inboxes. The malware arrives by email, captures the email session, and uses that session to send more emails. The loop closes inside the inbox.
What You Can Actually Do
Most of the standard advice about infostealers no longer applies. "Use a strong password" does not help when the attacker is not typing a password. "Enable MFA" does not help when the attacker is replaying a session that already cleared MFA. The defenses that actually work against this class of attack are narrower:
- Sign out of accounts you are not actively using. A session you ended is a token Storm cannot replay.
- Turn on Google's "Sign in to Chrome" sync only on devices you trust completely. The Refresh Token lives wherever the browser is signed in.
- Use Chrome 146 or later, which ties session cookies to the device hardware through Device Bound Session Credentials. Stolen cookies cannot be replayed from a different machine. Microsoft Edge has shipped a similar mechanism.
- Audit "Devices" and "Recent activity" inside every important account weekly. If you see a session from an IP you do not recognize, end it.
- On Windows, treat PowerShell prompts that arrive uninvited the same way you treat phone calls from your "bank." Do not paste anything you did not write yourself.
The stealer market has been adapting faster than the platforms it targets for at least two years. Storm is what the next two years look like. It does not steal your password. It steals the proof that you have already proven you are you. And it does so for less than the cost of a midrange laptop, with the operator panel doing the entire job in a single click.