Security researchers at Varonis have uncovered a new information stealer malware (infostealer) strain that harvests browser credentials, session cookies and crypto wallets before quietly sending everything to the attacker's server for decryption.

Called Storm, the infostealer emerged on underground cybercrime networks in early 2026.

According to Daniel Kelley, a senior security consultant at Varonis and author of a report on Storm, published on April 1, the new infostealer represents a shift in how credential theft is developing.

Initially, Kelley said traditional infostealers used to decrypt browser credentials on the victim's machine by loading SQLite libraries and accessing credential stores directly, before endpoint security tools adapted to flag such malicious behavior.

“Then Google introduced App-Bound Encryption in Chrome 127 (July 2024), which tied encryption keys to Chrome itself and made local decryption even harder,” he said.

“The first wave of bypasses involved injecting into Chrome or abusing its debugging protocol, but those still left traces that security tools could pick up.”

Enter Storm, which ships encrypted files to their own infrastructure instead of decrypting them locally.

Kelley also noted that Storm takes this approach further by “handling both Chromium and Gecko-based browsers (Firefox, Waterfox, Pale Moon) server-side, where StealC V2 [another infostealer] still processes Firefox locally.”

Storm Automates Stolen Logs Retrieval

In the case of Storm, data collected after infection includes everything attackers need to restore hijacked sessions remotely and steal from their victims, such as saved passwords, session cookies, autofill, Google account tokens, credit card data and browsing history.

“One compromised employee browser can hand an operator authenticated access to SaaS platforms, internal tools, and cloud environments without ever triggering a password-based alert,” Kelley wrote.

Additionally, Storm steals documents from user directories, captures system information and screenshots, pulls session data from Telegram, Signal and Discord and targets crypto wallets through both browser extensions and desktop apps. “Everything runs in memory to reduce the chance of detection,” Kelley explained.

While most stealers require buyers to manually replay stolen logs in their operator's panel, Storm automates the next step by feeding in a Google Refresh Token and a geographically matched SOCKS5 proxy so that the panel silently restores the victim's authenticated session. 

Stolen Social Media and Crypto Credentials Tied to Storm

Storm is available for less than $1000 per month, said Varonis.

During the investigation, the cybersecurity company found 1,715 entries originating from multiple countries, including Brazil, Ecuador, India, Indonesia the US and Vietnam.

“While it is difficult to confirm whether all entries represent real victims or include test data based solely on the panel imagery, the diverse IP addresses, ISPs, and data sizes suggest the presence of active malicious campaigns,” Kelley wrote.

The stolen credentials cover a range of high-value platforms, including:

• Social media and communication: Google, Facebook, Twitter/X
• Cryptocurrency and financial services: Coinbase, Binance, Blockchain.com, Crypto.com

This type of compromised data is commonly traded on credential marketplaces, where it is used for account takeovers, fraud, and as an entry point for more targeted cyber intrusions.