# New "Storm" Infostealer Exploits Server-Side Decryption to Bypass MFA and Hijack Sessions


A newly discovered infostealer malware called "Storm" is shifting the attack paradigm by eliminating the need for client-side decryption of stolen browser data. Instead, the malware sends encrypted browser session tokens directly to attacker-controlled servers, where they are decrypted and weaponized for immediate session hijacking—bypassing both passwords and multi-factor authentication in the process. Security researchers at Varonis have detailed the sophisticated approach, highlighting a dangerous evolution in credential theft tactics.


## The Threat: Session Hijacking Without Decryption


Traditional infostealer malware typically operates by:


1. Stealing encrypted credentials and session tokens from the victim's browser storage

2. Exfiltrating those encrypted artifacts to attacker infrastructure

3. Requiring the attacker to decrypt locally before using the stolen credentials


Storm fundamentally changes this workflow. Rather than extracting plaintext credentials or attempting decryption after exfiltration, Storm captures active browser sessions and transmits them to the attacker's command-and-control (C2) server in a state that allows immediate use.


This architectural shift has profound implications:


- Faster exploitation: No decryption delay between theft and use
- MFA bypass: Session tokens already contain authentication proof, rendering second factors irrelevant
- Reduced attribution: Attackers leave no decryption artifacts on the victim's machine
- Scale: The attacker's infrastructure can be optimized for rapid session usage across thousands of stolen accounts simultaneously

## Background and Context


### The Evolution of Infostealers

Infostealers have long been a cornerstone of the cybercriminal toolkit. Malware families like Redline, Raccoon, Meta Stealer, and Lumma have stolen credentials and personal data for years, with stolen account packages regularly appearing on dark web marketplaces at prices ranging from dollars to hundreds of dollars depending on account value.

However, the traditional model has always required a degree of operational overhead on the attacker side:

- Decryption of stolen data
- Credential validation and testing
- Account takeover or credential selling

Storm eliminates these friction points by performing session hijacking—one of the most direct forms of account takeover available to an attacker.


### Why Session Tokens Matter More Than Passwords

Modern web applications increasingly rely on session tokens rather than password-based authentication. When you log into a bank, email provider, or SaaS platform, the server issues a session token (often a JSON Web Token or similar construct) that proves your authenticated identity for a defined period.

If an attacker possesses your session token, they don't need your password. They don't need to bypass MFA. They simply present the token and the server grants access as if you're the legitimate user.

Storm's innovation lies in stealing and deploying these tokens with surgical precision.


## Technical Details

### How Storm Operates

According to Varonis research, Storm performs the following attack sequence:

| Stage | Action | Outcome |
|-------|--------|---------|
| Execution | Malware executes on compromised host | User unaware; malware gains process-level access |
| Collection | Extracts browser memory and session storage | Captures active session tokens, cookies, and cached credentials |
| Exfiltration | Sends stolen tokens to C2 server | Attacker receives authenticated sessions |
| Exploitation | C2 server uses tokens to access victim accounts | Attacker bypasses login screens and MFA entirely |


### The Server-Side Decryption Advantage

Traditional infostealers often steal encrypted credential stores (like Chrome's Local State file containing encrypted passwords). The attacker must:

1. Obtain the victim's encryption key (often embedded in the Local State file or Windows credential storage)
2. Decrypt the stored credentials locally or send encrypted data + key to a decryption service
3. Test credentials for validity before selling or using them

Storm bypasses this entirely by targeting active sessions. These sessions are:

- Already authenticated
- Already decrypted and in use by the browser
- Ready to be presented to web servers without modification
- Time-limited, forcing rapid exploitation but eliminating storage complexity

By performing the decryption on the attacker's server—where the tokens are already in plaintext—Storm enables immediate abuse without the overhead of traditional credential processing.


### MFA Bypass Mechanism

Multi-factor authentication (MFA) works by adding a second proof of identity after password entry:

- You enter your password (something you know)
- You provide a second factor (something you have, like a phone, or something you are, like a fingerprint)
- The server grants a session token as proof of successful multi-factor authentication

Storm circumvents this by stealing the final session token rather than attempting to crack the initial password. The token already represents successful MFA completion, so no second factor is required.


## Implications for Organizations

### Widespread Exposure

Organizations across all sectors face exposure:

- Financial services: Credential theft leading to unauthorized transfers or account takeovers
- SaaS and cloud providers: Attackers accessing sensitive business data stored in cloud platforms
- Healthcare: Patient data, research, and operational systems at risk
- Government and defense: Classified and sensitive information exposure

### Detection Challenges


Storm's approach presents specific detection hurdles:

- No unusual-login signal: Session reuse may not trigger typical geographic anomalies or device fingerprinting if the attacker uses the victim's existing session
- Limited lateral movement signals: An attacker using a hijacked session may access systems as the legitimate user, appearing in logs as normal activity
- Narrow exploitation window: Sessions are time-bound, forcing attackers to act quickly and limiting the time available for extended investigation

### Supply Chain Risk


Employees infected with Storm become vectors for corporate espionage. Attackers could:

- Access internal tools and administrative systems using employee session tokens
- Gain a foothold in enterprise networks without triggering traditional authentication logs
- Pivot to sensitive data repositories or operational technology systems

## Recommendations


### For Security Teams

Immediate Actions:

- Endpoint Detection: Deploy EDR solutions that monitor for infostealer behavior (browser memory access, suspicious process injection)
- Session Token Management: Implement short session lifetimes (15-30 minutes for sensitive systems) to limit the window of exploitation
- Anomaly Detection: Flag simultaneous session usage from geographically impossible locations
- Zero Trust Architecture: Verify every access request independently, rather than trusting session tokens as sole proof of identity
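One way to implement the anomaly-detection item above, and to get a signal for the "no unusual-login" hurdle described under Detection Challenges, is to look for a single session id used from two different client contexts close together in time. The following is an added example written for this article, not code from Varonis or from any product; the log format, field names and every value in it are constructed.

```python
# Added example, not from the Varonis write-up: flag a session id that is
# presented from more than one client context inside a short window, which is
# how a hijacked-but-still-valid session looks from the server side.
# The log format, field names and every sample value here are constructed.
from collections import defaultdict
from datetime import datetime

# Constructed sample access log: timestamp, session id, client IP, user-agent hash, path.
SAMPLE_LOG = """\
2024-05-01T09:00:02Z sid=a1f3 ip=203.0.113.10 ua=ff21 path=/inbox
2024-05-01T09:00:40Z sid=a1f3 ip=203.0.113.10 ua=ff21 path=/mail/42
2024-05-01T09:03:15Z sid=a1f3 ip=198.51.100.77 ua=9c0d path=/settings/forwarding
2024-05-01T09:04:01Z sid=b7e2 ip=192.0.2.5 ua=ab12 path=/inbox
2024-05-01T09:30:00Z sid=b7e2 ip=192.0.2.5 ua=ab12 path=/inbox
"""

def parse_line(line):
    """Turn one 'ts key=value ...' log line into a dict with a datetime 'ts'."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def find_shared_sessions(log_text, window_seconds=1800):
    """Return {sid: [(earlier_context, new_context, seconds_apart), ...]} for every
    session id used from two different (ip, ua) contexts within window_seconds.
    A stolen token replayed from attacker infrastructure changes both at once."""
    by_sid = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_sid[rec["sid"]].append(rec)
    alerts = defaultdict(list)
    for sid, recs in by_sid.items():
        recs.sort(key=lambda r: r["ts"])
        last_seen = {}  # (ip, ua) -> most recent timestamp for this sid
        for r in recs:
            ctx = (r["ip"], r["ua"])
            for other, ts in last_seen.items():
                gap = (r["ts"] - ts).total_seconds()
                if other != ctx and gap <= window_seconds:
                    alerts[sid].append((other, ctx, int(gap)))
            last_seen[ctx] = r["ts"]
    return dict(alerts)

if __name__ == "__main__":
    for sid, hits in find_shared_sessions(SAMPLE_LOG).items():
        for earlier, new, secs in hits:
            print(f"ALERT sid={sid}: {earlier} then {new} after {secs}s")
```

In production the (ip, ua) pair would be replaced by whatever device fingerprint the application already records, and the window tuned to the session lifetime in use.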

Medium-Term Strategies:


- Browser Isolation: Consider browser isolation or sandboxing for high-risk users and sensitive administrative tasks
- Credential Guard: On Windows, enable Credential Guard to protect credential storage even if malware achieves admin rights
- Endpoint Isolation: Implement network segmentation so that compromised endpoints cannot directly access critical systems

### For End Users


- Malware Prevention: Keep operating systems, browsers, and applications patched; use updated antivirus/anti-malware software
- Email Vigilance: Infostealers are commonly delivered via malicious email attachments or drive-by downloads—exercise caution with unsolicited emails and untrusted links
- VPN Usage: For remote workers, a VPN adds a layer that can limit how useful a stolen session is to an attacker (though it is not foolproof)
- Password Manager Security: Use a dedicated password manager with strong encryption rather than relying on browser-stored credentials

### For Cloud and SaaS Providers


- Behavioral Analytics: Implement risk-scoring systems that challenge sessions exhibiting unusual behavior (new device, VPN usage, bulk data downloads)
- Step-Up Authentication: For sensitive operations, require re-authentication or additional factors even within an active session
- Session Binding: Bind sessions to device fingerprints or client certificates to reduce the portability of stolen tokens
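The session-binding, step-up and short-lifetime recommendations above (including the 15-30 minute session lifetime listed under Immediate Actions) can be combined in a single server-side authorization check. The following is an added example, not Varonis's or any vendor's code; the fingerprint scheme, the action names, the class and method names and the timings are all assumptions.

```python
# Added example, not from the Varonis write-up or any vendor's code: a server-side
# session record bound to the client fingerprint it was issued to, with the short
# lifetime the article recommends and a step-up check for sensitive operations.
# The fingerprint scheme, names, timings and action list are all assumptions.
import hashlib, hmac, secrets, time

SESSION_TTL = 15 * 60       # seconds; the article's 15-30 minute range for sensitive systems
STEP_UP_MAX_AGE = 5 * 60    # sensitive actions need an MFA proof fresher than this
SENSITIVE_ACTIONS = {"change_forwarding", "add_payee", "export_data"}

def fingerprint(client_ip, user_agent, client_cert_sha256=""):
    """Hash the client attributes a session is bound to (constructed scheme)."""
    raw = "|".join((client_ip, user_agent, client_cert_sha256)).encode()
    return hashlib.sha256(raw).hexdigest()

class SessionStore:
    def __init__(self):
        self._sessions = {}

    def issue(self, user, fp, mfa_time, now=None):
        """Create a session for `user` bound to fingerprint `fp`; `mfa_time` is
        when the second factor was last verified."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "fp": fp, "issued": now, "mfa_time": mfa_time}
        return sid

    def record_step_up(self, sid, now=None):
        self._sessions[sid]["mfa_time"] = time.time() if now is None else now

    def authorize(self, sid, fp, action, now=None):
        """Return (allowed, reason). A replayed token fails on fingerprint
        mismatch or expiry; the reason string is what a SIEM rule should key on."""
        now = time.time() if now is None else now
        s = self._sessions.get(sid)
        if s is None:
            return False, "unknown_session"
        if not hmac.compare_digest(s["fp"], fp):
            self._sessions.pop(sid)  # burn it: the same token is now in two hands
            return False, "fingerprint_mismatch"
        if now - s["issued"] > SESSION_TTL:
            self._sessions.pop(sid)
            return False, "expired"
        if action in SENSITIVE_ACTIONS and now - s["mfa_time"] > STEP_UP_MAX_AGE:
            return False, "step_up_required"
        return True, "ok"
```

Burning the session on a fingerprint mismatch also logs out the legitimate user, which is the intended trade-off: a forced re-login costs seconds, while a token in two hands costs the account.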

## Conclusion


Storm represents a maturation of infostealer tactics, removing operational complexity from the attacker side while amplifying risk for organizations. By targeting session tokens instead of raw credentials, Storm enables immediate account takeover and bypasses MFA—two of the most widely deployed security controls.

Organizations must adopt a layered defense strategy that assumes credential compromise is inevitable and implements additional verification mechanisms beyond session tokens alone. The days of session-based authentication as a complete proof of identity are effectively over in the presence of sophisticated infostealers like Storm.

Vigilance, rapid patching, and defense-in-depth approaches remain the most reliable weapons against this evolving threat.