Storm’s log panel | Image: Varonis Threat Labs
A new and highly efficient threat has emerged on underground cybercrime networks, signaling a significant shift in the battle for credential security. Discovered in early 2026, the malware—dubbed Storm—is quickly becoming a favorite among threat actors for its ability to bypass modern browser protections for less than $1,000 a month.
For years, infostealers relied on a predictable method: they would load SQLite libraries onto a victim’s machine to decrypt browser credentials locally. However, as endpoint security tools became adept at spotting this behavior, and Google introduced App-Bound Encryption in Chrome 127, the “old ways” stopped working.
Storm represents the next generation of this criminal evolution. Instead of fighting for decryption keys on the device, it simply gathers the encrypted files and ships them to the attacker’s own infrastructure. As the report explains:
“Stealer developers responded by stopping local decryption altogether and shipping encrypted files to their own infrastructure instead, removing the telemetry most endpoint tools rely on to catch credential theft”.
While other contemporary stealers struggle with specific browser architectures, Storm has mastered a universal approach. It handles both Chromium and Gecko-based browsers—including Chrome, Firefox, Edge, and specialized variants like Waterfox and Pale Moon—processing all of them server-side.
The malware harvests everything an attacker needs to hijack an identity:
- Browser Credentials: Saved usernames and passwords.
- Session Cookies: Allowing attackers to bypass Multi-Factor Authentication (MFA) by “cloning” an active login session.
- Cryptocurrency Wallets: Targeting digital assets directly from the browser.
Storm is sold as a tiered Malware-as-a-Service (MaaS), with pricing that reflects its professional engineering:
- $300: A 7-day “demo” version.
- $900/month: The standard individual license.
- $1,800/month: A “Team” license providing 100 operator seats and 200 builds.
Crucially, the malware is built for persistence. Even if an operator’s subscription expires, the builds already deployed in the wild continue to harvest and transmit data.
Researchers at Varonis note that Storm is part of a broader, more dangerous trend where session cookie theft is replacing password theft as the primary goal. By stealing a session, an attacker doesn’t need to know your password or have your phone for a code; they simply are you in the eyes of the service.
The report warns:
“Server-side decryption enables attackers to avoid tripping endpoint tools designed to catch traditional on-device decryption, and session cookie theft has been replacing password theft as the primary objective for a while now”.
Implementing short-lived sessions, monitoring for concurrent logins from disparate IP addresses, and utilizing device-bound session tokens are becoming essential strategies to keep users’ digital identities safe from the next wave of server-side stealers.
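The two log-side checks named above (concurrent use of one session from different addresses, and sessions living past a short lifetime) can be expressed as a small audit over authentication logs. The following is an added illustration, not code from the Varonis report; the log format, session ids and IP addresses are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample auth log lines (not taken from the Varonis report):
# timestamp, user, session id, source IP.
SAMPLE_LOG = """\
2026-02-10T09:00:05Z alice sess=9f3c ip=203.0.113.10
2026-02-10T09:03:40Z alice sess=9f3c ip=203.0.113.10
2026-02-10T09:05:12Z alice sess=9f3c ip=198.51.100.77
2026-02-10T09:20:00Z bob sess=1a2b ip=192.0.2.5
2026-02-10T12:00:00Z bob sess=1a2b ip=192.0.2.5
"""

def parse_line(line):
    """Split one log line into (datetime, user, session id, ip)."""
    ts, user, sess, ip = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user,
            sess.split("=", 1)[1], ip.split("=", 1)[1])

def audit_sessions(log_text, ip_window=timedelta(minutes=30),
                   max_age=timedelta(hours=2)):
    """Return alerts for two symptoms of a replayed session cookie.

    ip_switch: the same session id is used from a second IP within
               `ip_window` of its previous use (a stolen cookie being
               replayed while the victim is still logged in).
    stale:     a session is still accepted longer than `max_age` after it
               was first seen, i.e. the session lifetime policy is too long.
    """
    first_seen = {}           # session -> first timestamp
    last_seen = {}            # session -> (timestamp, ip)
    alerts = []
    for raw in log_text.splitlines():
        ts, user, sess, ip = parse_line(raw)
        first_seen.setdefault(sess, ts)
        if ts - first_seen[sess] > max_age:
            alerts.append({"kind": "stale", "user": user, "session": sess,
                           "age_s": int((ts - first_seen[sess]).total_seconds())})
        prev = last_seen.get(sess)
        if prev and prev[1] != ip and ts - prev[0] <= ip_window:
            alerts.append({"kind": "ip_switch", "user": user, "session": sess,
                           "from_ip": prev[1], "to_ip": ip,
                           "gap_s": int((ts - prev[0]).total_seconds())})
        last_seen[sess] = (ts, ip)
    return alerts

if __name__ == "__main__":
    for alert in audit_sessions(SAMPLE_LOG):
        print(alert)
```

On the sample data, alice's session is flagged for switching IP after 92 seconds, while bob's same-IP session is flagged only because it outlives the two-hour limit; the window and lifetime thresholds are policy knobs, not fixed values.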