The silent “Storm”: New infostealer hijacks sessions, decrypts server-side

Storm infostealer is actively harvesting browser credentials, session cookies, and crypto wallet data across multiple countries, then decrypting everything server-side to bypass endpoint detection. Attackers are hijacking authenticated sessions without triggering MFA, giving them direct access to Google, Facebook, X, and crypto exchanges. Stolen credentials are already being sold on dark web marketplaces.

CRITICALAdvisoryApr 14, 2026

Action required

Hunt for Storm IOCs across endpoint telemetry and proxy logs. Priority: detect suspicious encrypted outbound traffic to unknown C2 infrastructure, unusual browser process behavior, and lateral movement from compromised user accounts. Cross-reference breach notification databases for credential overlap with your user base.

Affected products

VaronisGoogle

Linked articles

The silent “Storm”: New infostealer hijacks sessions, decrypts server-side

Source links

https://www.bleepingcomputer.com/news/security/the-silent-storm-new-infostealer-hijacks-sessions-decrypts-server-side/