root@rebel:~$ cd /news/threats/storm-infostealer-bypassing-local-decryption-for-session-hijacking_
[TIMESTAMP: 2026-04-13 16:33 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

Storm Infostealer: Bypassing Local Decryption for Session Hijacking

AI-Assisted Analysis
READ_TIME: 3 min read
// executive briefing tl;dr
  • [01] Immediate impact: Storm infostealer exfiltrates encrypted browser data to bypass local security controls and perform server-side decryption for session hijacking.
  • [02] Affected systems: Windows-based systems running popular web browsers are primarily targeted for sensitive credential and session cookie extraction.
  • [03] Remediation: Treat a stolen cookie as post-authentication access: shorten session lifetimes, bind sessions to the device or network where the identity provider supports it, revoke all tokens on suspected compromise, and alert on logins from unexpected IP ranges. Hardware security keys (FIDO2) stop credential phishing but do not invalidate a replayed cookie.

The landscape of credential theft is shifting as malware authors develop methods to evade behavioral detection by EDR systems. A new malware variant known as Storm infostealer demonstrates this evolution by moving the decryption process away from the victim’s machine. According to BleepingComputer, this infostealer skips local decryption of browser-stored credentials, instead opting to exfiltrate encrypted data directly to the attacker’s C2 infrastructure.

Technical Analysis: Server-Side Decryption of Browser Data

Most modern web browsers, including those based on the Chromium engine, protect saved passwords and session cookies with a per-profile AES key that is itself wrapped with the Windows Data Protection API (DPAPI) and stored in the profile's 'Local State' file; the 'Login Data' and 'Cookies' SQLite databases hold only AES-GCM ciphertexts. A conventional infostealer unwraps that key with CryptUnprotectData in the victim's user context and decrypts every row on the host, a recognizable TTP that EDR rules key on. Storm instead copies the encrypted 'Login Data' and 'Cookies' files together with the DPAPI master key material and sends everything to a remote server, so plaintext credentials and session tokens are produced there rather than on the endpoint, out of reach of defenses that watch for suspicious local cryptographic operations. One caveat a defender should keep in mind: a raw DPAPI master key file from %APPDATA%\Microsoft\Protect is itself encrypted with a key derived from the user's logon password, so fully offline recovery also needs that password or its hash, or a single on-host unwrap of the browser key before exfiltration. Which of these Storm relies on is not described here.
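To make the split between the host-bound and the portable steps concrete, here is an added example (not code from the original article or from the Storm sample) that reproduces the Chromium "v10" cell layout with Go's standard library. The 32-byte key is a constructed stand-in for the DPAPI-unwrapped profile key; everything after that point runs on any operating system with no Windows API, which is exactly why exfiltrating the key and the database files is sufficient.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Chromium writes each protected cell in the Cookies / Login Data databases as:
//   "v10" | 12-byte GCM nonce | ciphertext | 16-byte GCM tag
// under a random 32-byte profile key. That key is the only thing DPAPI protects:
// Local State stores it as base64("DPAPI" + CryptProtectData(key)).
const v10Prefix = "v10"

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("profile key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptV10 mimics what the browser does when it saves a cookie. It exists
// only so the example can construct a realistic blob offline.
func EncryptV10(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append([]byte(v10Prefix), nonce...)
	return gcm.Seal(out, nonce, plaintext, nil), nil
}

// DecryptV10 is the entire "server-side decryption" step: with the unwrapped
// profile key and a cell copied out of the SQLite file it recovers the plaintext
// on any machine. Nothing in here is host-bound.
func DecryptV10(key, blob []byte) ([]byte, error) {
	if bytes.HasPrefix(blob, []byte("v20")) {
		// Chrome 127+ app-bound encryption: the key is wrapped a second time by a
		// SYSTEM-level service, so the DPAPI-unwrapped profile key alone is not enough.
		return nil, errors.New("v20 app-bound blob: profile key alone is insufficient")
	}
	if !bytes.HasPrefix(blob, []byte(v10Prefix)) {
		return nil, errors.New("not a v10 blob")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	body := blob[len(v10Prefix):]
	ns := gcm.NonceSize()
	if len(body) < ns+gcm.Overhead() {
		return nil, errors.New("blob truncated")
	}
	return gcm.Open(nil, body[:ns], body[ns:], nil)
}

func main() {
	// Constructed 32-byte profile key standing in for the DPAPI-unwrapped value.
	key := bytes.Repeat([]byte{0x42}, 32)
	blob, err := EncryptV10(key, []byte("SESSIONID=2f0c1d9e7a"))
	if err != nil {
		panic(err)
	}
	pt, err := DecryptV10(key, blob)
	fmt.Printf("recovered %q (err=%v) from a %d-byte cell\n", pt, err, len(blob))

	// The same cell with the wrong key: GCM's tag check fails, nothing leaks.
	_, err = DecryptV10(bytes.Repeat([]byte{0x43}, 32), blob)
	fmt.Println("wrong key:", err)
}
```

The v20 branch is the practical caveat: on recent Chrome builds the cookie cells are app-bound, and a profile key recovered through user-context DPAPI does not open them, so the value of the exfiltrated bundle depends on the browser version on the victim.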

Once the data reaches the attacker-controlled server, the key material is used to decrypt the blobs. The primary goal is session hijacking. A session cookie is issued only after the user has passed every sign-in check, including multi-factor authentication (MFA), so an attacker who replays it from a browser profile that mimics the victim's user agent is accepted as the legitimate user without ever seeing a password or MFA prompt. That is not a weakness in MFA itself; it is a gap in session handling, and it defeats any Zero Trust control that verifies identity only at sign-in rather than continuously binding the session to the device it was issued to.

How to detect Storm infostealer activity in enterprise environments

Security teams must focus on the collection and exfiltration phases to identify this threat. Because the malware performs little or no decryption on the host, antivirus behaviour rules tuned to that step may miss its initial execution. SOC analysts should therefore audit file access to the DPAPI master key store under %APPDATA%\Microsoft\Protect\<SID>\ and to the browser profile files 'Local State', 'Login Data' and 'Cookies' under %LOCALAPPDATA%, and alert when the reading process is anything other than the browser itself (or, for the Protect directory, the Windows components that legitimately use it). Windows does not log file reads by default; enabling object-access auditing with a SACL on those paths produces Event ID 4663 records that can be forwarded to the SIEM, and a copy of the Cookies database to a staging location shows up as a file-creation event (Sysmon Event ID 11).

Another detection avenue is network traffic: large POST requests from an endpoint to unknown or low-reputation IP addresses, particularly multi-megabyte uploads from a process that is not a browser or an updater, may be the browser database files leaving the host. Catching these IoCs early matters because hijacked sessions are frequently the entry point to corporate cloud environments such as Microsoft 365 or the AWS management console, from which the attacker moves laterally.
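The two detections above, file access to credential stores and oversized POSTs to untrusted destinations, as an added example run over constructed telemetry (this is illustrative code, not part of the article or of any vendor's ruleset). The process allowlists, the trusted upload host and the 1 MB threshold are assumptions to be tuned per environment; the record formats are simplified stand-ins for Event ID 4663 file-access records and proxy logs.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Allowlists are constructed for the example and must be tuned per estate.
// browserImages: the only processes that should open a profile's own databases.
var browserImages = map[string]bool{"chrome.exe": true, "msedge.exe": true, "brave.exe": true}

// dpapiImages: components that legitimately touch the DPAPI master key store;
// the DPAPI service itself runs inside lsass.exe.
var dpapiImages = map[string]bool{"lsass.exe": true, "explorer.exe": true}

// trustedUploadHosts: destinations where multi-megabyte POSTs are expected
// (backup agent, ticketing system, file share). Constructed value.
var trustedUploadHosts = map[string]bool{"192.0.2.20": true}

const exfilThreshold = 1_000_000 // bytes in a single POST body (assumption)

// SuspiciousFileReads takes file-access records of the form "<image>|<path>"
// and returns those where a non-browser image reads a browser credential store
// or a non-DPAPI image reads the master key directory.
func SuspiciousFileReads(records []string) []string {
	var hits []string
	for _, rec := range records {
		image, path, ok := strings.Cut(rec, "|")
		if !ok {
			continue
		}
		image = strings.ToLower(strings.TrimSpace(image))
		p := strings.ToLower(path)
		switch {
		case strings.Contains(p, `\microsoft\protect\s-1-5-`):
			if !dpapiImages[image] {
				hits = append(hits, rec)
			}
		case strings.Contains(p, `\user data\`) && (strings.HasSuffix(p, `\cookies`) ||
			strings.HasSuffix(p, `\login data`) || strings.HasSuffix(p, `\local state`)):
			if !browserImages[image] {
				hits = append(hits, rec)
			}
		}
	}
	return hits
}

// SuspiciousPosts takes proxy records "<src> <method> <dst> <bytesOut>" and
// returns large POSTs to destinations outside the trusted set.
func SuspiciousPosts(records []string) []string {
	var hits []string
	for _, rec := range records {
		f := strings.Fields(rec)
		if len(f) != 4 || f[1] != "POST" {
			continue
		}
		size, err := strconv.Atoi(f[3])
		if err != nil || size < exfilThreshold || trustedUploadHosts[f[2]] {
			continue
		}
		hits = append(hits, rec)
	}
	return hits
}

// Constructed sample telemetry (not real events).
var sampleFileEvents = []string{
	`chrome.exe|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies`,
	`lsass.exe|C:\Users\alice\AppData\Roaming\Microsoft\Protect\S-1-5-21-1111-2222-3333-1001\4a1b2c3d-0000-1111-2222-333344445555`,
	`setup_helper.exe|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data`,
	`conhost.exe|C:\Users\alice\AppData\Roaming\Microsoft\Protect\S-1-5-21-1111-2222-3333-1001\4a1b2c3d-0000-1111-2222-333344445555`,
	`notepad.exe|C:\Users\alice\Documents\notes.txt`,
}

var sampleProxyEvents = []string{
	"10.0.0.5 POST 203.0.113.10 4200000",
	"10.0.0.5 POST 198.51.100.7 1800",
	"10.0.0.5 GET 203.0.113.10 512",
	"10.0.0.5 POST 192.0.2.20 9000000",
}

func main() {
	for _, h := range SuspiciousFileReads(sampleFileEvents) {
		fmt.Println("FILE ", h)
	}
	for _, h := range SuspiciousPosts(sampleProxyEvents) {
		fmt.Println("NET  ", h)
	}
}
```

Matching on the `\cookies` suffix rather than a full path keeps the rule valid across Chromium versions that moved the database from `Default\Cookies` to `Default\Network\Cookies`; in production the two hit lists would be correlated by host and time window, since a credential-store read followed minutes later by a large POST from the same machine is far stronger than either alone.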

Storm malware session hijacking mitigation and recovery

Mitigating session hijacking requires more than password policy. Hardware-backed security keys (FIDO2) should still be deployed: they stop an attacker who holds only the exfiltrated password from signing in afresh. They do not, however, protect an already-issued cookie, which carries no proof of possession of the key. The controls that address the stolen cookie itself are device-bound or token-bound sessions where the identity provider and browser support them, short idle and absolute session lifetimes for sensitive applications, and re-authentication for privileged actions, all of which shrink the window in which a replayed cookie is useful.

Defenders should also enforce IP-based session binding where possible, so that a cookie exfiltrated to an attacker's machine is rejected or pushed through step-up authentication when it arrives from a different IP range or geography. Treat this as a signal rather than a hard control: mobile and VPN users change addresses legitimately, and attackers routinely route replay through residential proxies close to the victim. A complete Storm malware session hijacking mitigation strategy also includes regular audits of active sessions and the immediate revocation of all tokens when a device is suspected of infostealer compromise, followed by a credential reset once the host is clean, since the exfiltrated 'Login Data' also yields passwords. Educating users about unverified downloads, the usual phishing or drive-by initial vector, remains a fundamental layer of enterprise defense.
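A server-side session store that applies the three controls above (network binding with step-up instead of hard failure, idle and absolute lifetimes, revoke-all on suspected compromise), as an added example rather than any product's implementation. The /24 and /64 binding widths and the 30-minute idle and 8-hour absolute limits are assumptions; real deployments tune them per application and often add device signals alongside the network check.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"net/netip"
	"sync"
	"time"
)

// Session is the server-side record behind a cookie value. Binding to a network
// prefix rather than an exact address tolerates DHCP churn and NAT pools while
// still catching a cookie that reappears from an unrelated network.
type Session struct {
	User     string
	Network  netip.Prefix // /24 for IPv4, /64 for IPv6, fixed at issue time
	Issued   time.Time
	LastSeen time.Time
}

type Store struct {
	mu       sync.Mutex
	sessions map[string]*Session
	Idle     time.Duration // rolling inactivity limit
	Absolute time.Duration // hard cap from issuance, regardless of activity
}

var (
	ErrNoSession = errors.New("no such session")
	ErrExpired   = errors.New("session expired")
	ErrStepUp    = errors.New("network changed: step-up authentication required")
)

func NewStore() *Store {
	return &Store{sessions: map[string]*Session{}, Idle: 30 * time.Minute, Absolute: 8 * time.Hour}
}

func networkOf(ip string) (netip.Prefix, error) {
	addr, err := netip.ParseAddr(ip)
	if err != nil {
		return netip.Prefix{}, err
	}
	bits := 24
	if addr.Is6() {
		bits = 64
	}
	return netip.PrefixFrom(addr, bits).Masked(), nil
}

// Issue creates a session after a successful, MFA-complete login.
func (s *Store) Issue(user, ip string, now time.Time) (string, error) {
	nw, err := networkOf(ip)
	if err != nil {
		return "", err
	}
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(raw)
	s.mu.Lock()
	s.sessions[tok] = &Session{User: user, Network: nw, Issued: now, LastSeen: now}
	s.mu.Unlock()
	return tok, nil
}

// Validate runs on every request. A cookie presented from a different network is
// not accepted silently but not hard-failed either: the caller gets ErrStepUp and
// the user, prompts for MFA, and on success issues a fresh session bound to the
// new network. Roaming users survive; a replay from an attacker's box does not.
func (s *Store) Validate(tok, ip string, now time.Time) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, ok := s.sessions[tok]
	if !ok {
		return "", ErrNoSession
	}
	if now.Sub(sess.Issued) > s.Absolute || now.Sub(sess.LastSeen) > s.Idle {
		delete(s.sessions, tok)
		return "", ErrExpired
	}
	nw, err := networkOf(ip)
	if err != nil {
		return "", err
	}
	if nw != sess.Network {
		return sess.User, ErrStepUp
	}
	sess.LastSeen = now
	return sess.User, nil
}

// RevokeAll is the "device suspected compromised" response: every session for
// the user dies at once, whatever network it was bound to. Returns the count.
func (s *Store) RevokeAll(user string) int {
	s.mu.Lock()
	defer s.mu.Unlock()
	n := 0
	for tok, sess := range s.sessions {
		if sess.User == user {
			delete(s.sessions, tok)
			n++
		}
	}
	return n
}

func main() {
	st, now := NewStore(), time.Now()
	tok, _ := st.Issue("alice", "10.0.0.5", now)
	_, err := st.Validate(tok, "10.0.0.77", now.Add(time.Minute))
	fmt.Println("same /24:", err)
	_, err = st.Validate(tok, "203.0.113.10", now.Add(2*time.Minute))
	fmt.Println("replayed from another network:", err)
	fmt.Println("revoked:", st.RevokeAll("alice"))
}
```

Returning the user along with ErrStepUp is deliberate: the application knows who to challenge, and a successful challenge should issue a new token rather than rebind the old one, so the copy in the attacker's hands stays tied to the network it was stolen from.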
