Storm is a subscription-based infostealer that emerged in early 2026, harvesting browser credentials, session cookies, crypto wallets, files, and other sensitive data for remote decryption and automated exploitation. By performing server-side decryption across Chromium and Gecko browsers and automating cookie restore, Storm evades endpoint telemetry tied to local SQLite access and enables silent access to SaaS and cloud accounts.
Keypoints
- Storm exfiltrates saved passwords, session cookies, crypto wallets, autofill data, and user files.
- It ships encrypted browser databases to operator-controlled servers for server-side decryption, avoiding local decryption traces.
- The operator panel automates cookie restore and session hijacking using Google refresh tokens and geographically matched SOCKS5 proxies.
- Operators route stolen data through their own VPS nodes and use team management features to resist takedowns and distribute tasks.
- Active logs show global hits on services like Google, Facebook, Twitter/X, Coinbase, and Binance. Pricing ranges from $300 for a demo to $1,800/month for team licenses.
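Because Storm ships the encrypted databases out instead of decrypting them on the victim, a rule keyed on local decryption has nothing to match, but the file reads needed to collect those databases still happen on the host. The sketch below is an added example, not code from the original page: it flags non-browser processes that read several browser credential stores, and the event tuple layout, the browser allowlist, and the sample events are constructed assumptions.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# File names of the on-disk credential stores in Chromium and Gecko profiles.
STORES = {"login data": "chromium", "cookies": "chromium", "web data": "chromium",
          "local state": "chromium", "logins.json": "gecko", "key4.db": "gecko",
          "cookies.sqlite": "gecko"}
# Assumption: the only images expected to open these files on this fleet.
# A name match is spoofable; a production rule should also check signer and path.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

CH = r"C:\Users\a\AppData\Local\Google\Chrome\User Data"
FF = r"C:\Users\a\AppData\Roaming\Mozilla\Firefox\Profiles\x.default"
UNKNOWN = r"C:\Users\a\AppData\Local\Temp\setup_helper.exe"  # constructed name
# Constructed file-read events: (host, pid, process image, file path).
SAMPLE_EVENTS = [
    ("ws1", 4120, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     CH + r"\Default\Login Data"),                          # browser, own store
    ("ws1", 5300, r"C:\Tools\indexer.exe", CH + r"\Default\Cookies"),  # one read
    ("ws1", 7788, UNKNOWN, CH + r"\Local State"),
    ("ws1", 7788, UNKNOWN, CH + r"\Default\Login Data"),
    ("ws1", 7788, UNKNOWN, FF + r"\key4.db"),
    ("ws1", 7788, UNKNOWN, FF + r"\logins.json"),
]

def detect(events, min_stores=2):
    """Alert on non-browser processes reading >= min_stores credential stores."""
    reads = defaultdict(dict)  # (host, pid, exe) -> {store path: browser engine}
    for host, pid, image, path in events:
        engine = STORES.get(PureWindowsPath(path).name.lower())
        exe = PureWindowsPath(image).name.lower()
        if engine and exe not in BROWSERS:
            reads[(host, pid, exe)][path.lower()] = engine
    return [{"host": host, "pid": pid, "image": exe, "stores": len(paths),
             # One process touching both engines' stores is rarely legitimate.
             "cross_engine": len(set(paths.values())) > 1}
            for (host, pid, exe), paths in reads.items()
            if len(paths) >= min_stores]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The `min_stores` threshold trades noise for coverage: backup and indexing tools that touch a single store stay below it, while a process sweeping both Chromium and Gecko profiles is reported with `cross_engine` set.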