
A Quiet "Storm": Infostealer Hijacks Sessions, Decrypts Server-Side

Storm is a new Windows-based infostealer that evades endpoint detection by offloading browser credential decryption to attacker-controlled servers. It features an automated session hijacking capability that restores stolen cookies via SOCKS5 proxies, granting attackers immediate authenticated access to enterprise SaaS and cloud environments while bypassing MFA.

Sens: Immediate | Conf: high | Analyzed: 2026-04-01

Authors: Varonis Threat Labs

Actors: StormStealer

Source: Varonis

Key Takeaways

  • Storm infostealer bypasses endpoint detection by exfiltrating encrypted browser data for server-side decryption, evading tools that monitor local SQLite access.
  • The malware features an automated cookie restore panel that uses Google Refresh Tokens and SOCKS5 proxies to hijack authenticated sessions.
  • It targets Chromium and Gecko-based browsers, crypto wallets, messenger sessions (Telegram, Signal, Discord), and local documents.
  • Storm operates entirely in memory and routes stolen data through operator-controlled VPS bridge nodes to protect central C2 infrastructure.
  • Session cookie theft allows attackers to bypass MFA and gain persistent access to SaaS platforms and cloud environments.

Affected Systems

  • Windows
  • Chromium-based browsers
  • Gecko-based browsers (Firefox, Waterfox, Pale Moon)

Attack Chain

The attack begins with a loader that fetches and executes up to 10 additional payloads, including PowerShell scripts run with execution policy bypass. The Storm infostealer executes entirely in memory, harvesting encrypted browser databases, crypto wallets, messenger sessions, and local files. Instead of decrypting browser data locally, it compresses and exfiltrates the encrypted files via operator-controlled VPS bridge nodes to a central server. Attackers then use the automated panel to restore session cookies via SOCKS5 proxies, bypassing MFA and hijacking authenticated sessions.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide specific detection rules (YARA, Sigma, etc.) but outlines behavioral indicators and MITRE ATT&CK mappings for the Storm infostealer.

Detection Engineering Assessment

  • EDR Visibility: Medium — The malware runs entirely in memory and avoids local browser decryption (which EDRs typically catch), but EDR can still detect the initial loader, PowerShell execution with bypass, and anomalous network connections.
  • Network Visibility: Medium — Exfiltration occurs over C2 channels to VPS bridge nodes. Network monitoring might catch anomalous outbound data transfers or connections to known proxy IPs, though the traffic is likely encrypted.
  • Detection Difficulty: Hard — By shifting decryption to the server side and running in memory, Storm removes the local SQLite access telemetry that most endpoint tools rely on to detect credential theft.

Required Log Sources

  • Process Creation (Event ID 4688 / Sysmon 1)
  • PowerShell Operational Logs (Event ID 4104)
  • Network Connections (Sysmon 3)
  • Cloud Identity Logs / SaaS Audit Logs

Hunting Hypotheses

  • Hypothesis: Look for PowerShell processes spawned with '-exec bypass' arguments, especially those initiated by unknown or recently downloaded executables. | Telemetry: Process Creation (Event ID 4688, Sysmon 1) | ATT&CK Stage: Execution | FP Risk: Medium
  • Hypothesis: Monitor for unusual processes accessing browser profile directories (e.g., User Data\Default) and subsequently initiating large outbound network transfers. | Telemetry: File Access, Network Connections | ATT&CK Stage: Collection/Exfiltration | FP Risk: Medium
  • Hypothesis: Detect anomalous logins to SaaS applications (e.g., Microsoft 365, Google Workspace) originating from unfamiliar residential proxy IPs or mismatched geographic locations without a preceding MFA prompt. | Telemetry: Cloud Identity Logs, SaaS Audit Logs | ATT&CK Stage: Credential Access/Session Hijacking | FP Risk: Low
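The first hunting hypothesis, implemented over Sysmon Event ID 1 records as an added example that is not part of the Varonis report. The events are constructed, and the hunt widens the page's literal '-exec bypass' string to the other spellings powershell.exe accepts for the same switch:

```python
import re

# Sysmon Event ID 1 (process creation) records, constructed for this example;
# only the fields the hunt needs are modelled.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -exec bypass -w hidden -f C:\Users\a\AppData\Local\Temp\s1.ps1",
     "ParentImage": r"C:\Users\a\Downloads\setup_crack.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ep bypass -nop -w hidden -c iex(...)",
     "ParentImage": r"C:\Users\a\AppData\Local\Temp\loader.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy:Bypass -File C:\ProgramData\IT\inventory.ps1",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir",
     "ParentImage": r"C:\Users\a\Downloads\tool.exe"},
]

# powershell.exe accepts any unambiguous prefix of -ExecutionPolicy, so the
# literal '-exec bypass' is only one spelling: '-ep', '-ex', '-exec' and the
# colon form '-ExecutionPolicy:Bypass' must all match.
EXEC_BYPASS = re.compile(r"(?i)(?:^|\s)-(?:ep|ex\w*)[\s:]+bypass\b")
# Parents in user-writable locations are the "unknown or recently downloaded
# executables" of the hypothesis; system paths usually mean admin automation.
USER_WRITABLE = re.compile(r"(?i)\\(?:Downloads|Temp|AppData|Public|Desktop)\\")

def hunt_exec_bypass(events):
    """Return one finding per PowerShell launch that bypasses execution policy,
    graded by whether the parent process lives in a user-writable path."""
    findings = []
    for ev in events:
        if not ev["Image"].lower().endswith(("powershell.exe", "pwsh.exe")):
            continue
        if not EXEC_BYPASS.search(ev["CommandLine"]):
            continue
        risky_parent = USER_WRITABLE.search(ev["ParentImage"]) is not None
        findings.append({
            "command": ev["CommandLine"],
            "parent": ev["ParentImage"],
            # Bypass from %TEMP% or Downloads is the loader behaviour the
            # report describes; from a system path it is usually legitimate.
            "severity": "high" if risky_parent else "low",
        })
    return findings

if __name__ == "__main__":
    for f in hunt_exec_bypass(SAMPLE_EVENTS):
        print(f["severity"], f["parent"], "->", f["command"])
```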

Control Gaps

  • Endpoint detection relying solely on local browser database decryption (SQLite access)
  • MFA controls that do not bind sessions to device context
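A compensating detection for the second gap, which also implements the third hunting hypothesis above; this is an added example and not part of the Varonis report. It assumes SaaS sign-in audit events normalised to the shape shown, with a session identifier, source ASN and an MFA flag; the events are constructed:

```python
from datetime import datetime, timedelta

# Constructed SaaS sign-in audit events (not from any real tenant). The field
# shape is an assumption: a normalised record carrying the session identifier
# the cookie belongs to, the source network, and whether this event passed MFA.
EVENTS = [
    {"ts": "2026-04-01T08:00:00", "user": "alice", "session": "S1",
     "ip": "203.0.113.10", "asn": "AS-CORP", "mfa": True},
    {"ts": "2026-04-01T08:05:00", "user": "alice", "session": "S1",
     "ip": "203.0.113.10", "asn": "AS-CORP", "mfa": False},
    # Same session id, 12 minutes later, from a different network, with no
    # fresh MFA: the footprint of a restored cookie replayed through a proxy.
    {"ts": "2026-04-01T08:17:00", "user": "alice", "session": "S1",
     "ip": "198.51.100.77", "asn": "AS-RESIDENTIAL", "mfa": False},
    {"ts": "2026-04-01T09:00:00", "user": "bob", "session": "S2",
     "ip": "203.0.113.20", "asn": "AS-CORP", "mfa": True},
    # Bob re-authenticating from home: a new session that satisfied MFA.
    {"ts": "2026-04-01T18:00:00", "user": "bob", "session": "S3",
     "ip": "192.0.2.5", "asn": "AS-HOME-ISP", "mfa": True},
]

def detect_session_replay(events, window=timedelta(hours=1)):
    """Alert when an existing session id is used from a different ASN than
    its last activity, without MFA, within `window`. A genuine device change
    normally produces a new session (and an MFA prompt); a stolen cookie
    keeps the old session id and skips MFA entirely."""
    last_seen = {}  # session id -> (timestamp, asn, ip) of last activity
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        prev = last_seen.get(ev["session"])
        if prev is not None:
            prev_ts, prev_asn, prev_ip = prev
            if ev["asn"] != prev_asn and not ev["mfa"] and ts - prev_ts <= window:
                alerts.append({
                    "user": ev["user"], "session": ev["session"],
                    "from": (prev_ip, prev_asn), "to": (ev["ip"], ev["asn"]),
                    "minutes_since_last": int((ts - prev_ts).total_seconds() // 60),
                })
        last_seen[ev["session"]] = (ts, ev["asn"], ev["ip"])
    return alerts

if __name__ == "__main__":
    for a in detect_session_replay(EVENTS):
        print(a)
```

Device-bound sessions or continuous access evaluation close the gap at the source; this check only surfaces the replay after the fact, so it belongs next to the session-revocation step under Immediate Mitigation.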

Key Behavioral Indicators

  • PowerShell execution with '-exec bypass'
  • In-memory execution patterns
  • Exfiltration of raw, encrypted browser database files (e.g., 'Login Data', 'Cookies')

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Revoke active sessions for users suspected of compromise to invalidate stolen cookies.
  • Block known malicious proxy IPs (e.g., 45.135.38.209) at the perimeter.

Infrastructure Hardening

  • Implement device-bound session controls or continuous access evaluation to detect and block stolen cookie replay.
  • Restrict outbound network connections from endpoints to unknown or unclassified VPS hosting providers.

User Protection

  • Deploy EDR solutions configured to monitor for in-memory execution and anomalous PowerShell usage.
  • Enforce strict execution policies for PowerShell and restrict execution of unsigned scripts.

Security Awareness

  • Educate users on the risks of downloading unverified software, which often serves as the initial loader for infostealers.
  • Train employees to recognize signs of session hijacking, such as unexpected account activity or alerts from SaaS platforms.

MITRE ATT&CK Mapping

  • T1555.003 - Credentials from Web Browsers
  • T1539 - Steal Web Session Cookie
  • T1552.001 - Credentials in Files
  • T1005 - Data from Local System
  • T1113 - Screen Capture
  • T1082 - System Information Discovery
  • T1041 - Exfiltration Over C2 Channel
  • T1059.001 - PowerShell
  • T1105 - Ingress Tool Transfer

Additional IOCs

  • IPs:
    • 45[.]135[.]38[.]209 - SOCKS5 proxy IP used for session restoration
  • File Paths:
    • %APPDATA% - Target directory for the file grabber module
    • %USERPROFILE% - Target directory for the file grabber module
  • Command Lines:
    • Purpose: Loader executes PowerShell payloads with execution policy bypass | Tools: PowerShell | Stage: Execution | powershell.exe -exec bypass
  • Other:
    • 221756 - Forum ID of the StormStealer actor