Brunswick, ME • (207) 245-1010 • contact@johnzblack.com
The infostealer playbook used to be simple: land on a machine, crack open the browser’s credential database, exfiltrate the plaintext. Endpoint security vendors built detections around exactly that: processes touching credential stores, loading SQLite libraries, calling DPAPI to unwrap the browser’s key. It worked for a while.
Then Chrome shipped App-Bound Encryption, which ties the key protecting cookies (and later passwords and payment data) to Chrome’s own identity through a privileged service, so a process running as the user can no longer unwrap it with a plain DPAPI call. Infostealers adapted, but the workarounds still left artifacts and still triggered detections.
Storm doesn’t bother with any of that.
Instead of trying to decrypt credentials on the victim’s machine (where all the security tooling lives), Storm grabs the encrypted files and ships them to attacker infrastructure. Decryption happens server-side, on hardware the defender can’t see or monitor.
No SQLite library loads. No DPAPI calls. No suspicious process parsing the Login Data file in place. Every detection built around “catch the moment credentials get decrypted” becomes irrelevant overnight.
It handles both Chromium and Gecko-based browsers server-side and targets session cookies, autofill data, Google auth tokens, credit cards, Telegram sessions, Signal sessions, Discord tokens, and crypto wallets. The whole thing runs in memory; nothing is written to disk.
The session hijacking is particularly nasty. When Storm grabs a Google refresh token, it pairs it with a geographically matched SOCKS5 proxy so the attacker’s session appears to come from the victim’s region and doesn’t trip location-based sign-in heuristics. Fire and forget. The operator just gets access.
It runs as Malware-as-a-Service for under $1,000 a month, with infrastructure spread across Brazil, Ecuador, India, Indonesia, the US, and Vietnam.
If your detection strategy relies on catching infostealers at the point of credential decryption, you’ve got a blind spot. The signal you should be watching for instead: bulk reads of encrypted credential stores (Login Data, Cookies, Web Data, key4.db, logins.json, cookies.sqlite) by a process that isn’t the browser that owns them, followed by an outbound connection from that same process. Watch the key material too. The encrypted databases are useless on their own; whatever decrypts them server-side needs the key material from the same profile, such as Chromium’s Local State (which holds the DPAPI-wrapped key), Firefox’s key4.db, and the DPAPI master key blobs under %APPDATA%\Microsoft\Protect, so reads of those files belong in the same detection. And since the stealer runs in memory and may be living inside a trusted process, don’t lean on the image name alone; correlate the read burst with the network activity that follows. That’s unusual behavior for legitimate processes, and it’s the one place Storm still has to show its hand.
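Here is what that hunt looks like in code. This is an added example, not Storm’s code or anything from the original post: it runs a simple rule over file-access and network events, flagging a process that reads several credential stores in a short window and raising severity when the same process opens an outbound connection afterwards. The event schema (one dict per file read or network connection), the process names, paths and sample events are all constructed for illustration; the credential-store paths are the standard Chromium, Firefox and DPAPI locations on Windows.

```python
"""Hunt for the artifact a ship-it-encrypted stealer still leaves behind: a burst
of reads against browser credential stores, then an outbound connection.
Added example, not code from the original post. The event schema (one dict per
file read or network connection) and the sample events below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Files a stealer must read even if it never decrypts anything on the host.
# Each regex matches the tail of a Windows path, case-insensitively.
CREDENTIAL_STORES = {
    "chromium_local_state": r"\\user data\\local state$",                 # DPAPI-wrapped AES key
    "chromium_login_data":  r"\\user data\\[^\\]+\\login data$",          # saved passwords
    "chromium_cookies":     r"\\user data\\[^\\]+\\(network\\)?cookies$", # session cookies
    "chromium_web_data":    r"\\user data\\[^\\]+\\web data$",            # autofill, cards
    "gecko_key4":           r"\\firefox\\profiles\\[^\\]+\\key4\.db$",     # NSS key database
    "gecko_logins":         r"\\firefox\\profiles\\[^\\]+\\logins\.json$",
    "gecko_cookies":        r"\\firefox\\profiles\\[^\\]+\\cookies\.sqlite$",
    "dpapi_masterkey":      r"\\microsoft\\protect\\s-1-5-21-[\d-]+\\[0-9a-f-]{36}$",
}
_MATCHERS = {name: re.compile(rx, re.IGNORECASE) for name, rx in CREDENTIAL_STORES.items()}

# Processes expected to read their own stores. A stealer that "runs in memory" may
# be injected into one of these, so no rule below relies on this list alone.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}

def classify_path(path):
    """Return the credential-store label for a path, or None if it is not one."""
    for name, rx in _MATCHERS.items():
        if rx.search(path):
            return name
    return None

def hunt(events, window=timedelta(seconds=60), min_stores=2):
    """One alert per process that, inside `window`, (a) is not a browser and reads
    `min_stores` distinct stores, (b) reads stores of two browser families, or
    (c) reads DPAPI master key blobs without being lsass.exe. An outbound
    connection from the same pid in the window raises severity to "high"."""
    reads, conns, images = defaultdict(list), defaultdict(list), {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        images[e["pid"]] = e["image"].lower()
        if e["kind"] == "file_read":
            label = classify_path(e["path"])
            if label:
                reads[e["pid"]].append((e["ts"], label))
        elif e["kind"] == "network_connect":
            conns[e["pid"]].append((e["ts"], e["dest"]))

    alerts = []
    for pid, hits in reads.items():
        # Slide the window over this process's reads and keep the densest one.
        best_start, best_end, best_labels = None, None, set()
        for i, (start, _) in enumerate(hits):
            in_win = [h for h in hits[i:] if h[0] <= start + window]
            labels = {label for _, label in in_win}
            if len(labels) > len(best_labels):
                best_start, best_end, best_labels = start, in_win[-1][0], labels
        image = images[pid]
        families = {label.split("_")[0] for label in best_labels} - {"dpapi"}
        suspicious = (
            (image not in BROWSER_IMAGES and len(best_labels) >= min_stores)
            or len(families) > 1
            or ("dpapi_masterkey" in best_labels and image != "lsass.exe")
        )
        if not suspicious:
            continue
        outbound = [d for t, d in conns[pid] if best_start <= t <= best_end + window]
        alerts.append({"pid": pid, "image": image, "stores": sorted(best_labels),
                       "outbound": outbound, "severity": "high" if outbound else "medium"})
    return alerts

# Constructed sample telemetry: a browser reading its own profile, a one-off read by
# an indexer, and an unknown process sweeping both browser families plus DPAPI blobs.
T0 = datetime(2025, 1, 1, 9, 0, 0)
CHROME = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data"
FIREFOX = r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\k3x9q2.default-release"
PROTECT = r"C:\Users\alice\AppData\Roaming\Microsoft\Protect\S-1-5-21-1004336348-1177238915-682003330-1001"

def _read(sec, pid, image, path):
    return {"ts": T0 + timedelta(seconds=sec), "pid": pid, "image": image,
            "kind": "file_read", "path": path}

SAMPLE_EVENTS = [
    _read(0, 1337, "chrome.exe", CHROME + r"\Default\Login Data"),
    _read(1, 1337, "chrome.exe", CHROME + r"\Default\Network\Cookies"),
    _read(5, 2020, "SearchIndexer.exe", CHROME + r"\Default\Web Data"),
    _read(30, 4242, "updater.exe", CHROME + r"\Local State"),
    _read(30, 4242, "updater.exe", CHROME + r"\Default\Login Data"),
    _read(31, 4242, "updater.exe", CHROME + r"\Default\Network\Cookies"),
    _read(31, 4242, "updater.exe", CHROME + r"\Default\Web Data"),
    _read(32, 4242, "updater.exe", FIREFOX + r"\key4.db"),
    _read(32, 4242, "updater.exe", FIREFOX + r"\logins.json"),
    _read(33, 4242, "updater.exe", FIREFOX + r"\cookies.sqlite"),
    _read(34, 4242, "updater.exe", PROTECT + r"\2b3c4d5e-6f70-4a8b-9c0d-1e2f3a4b5c6d"),
    {"ts": T0 + timedelta(seconds=38), "pid": 4242, "image": "updater.exe",
     "kind": "network_connect", "dest": "203.0.113.45:443"},
]
```

Running `hunt(SAMPLE_EVENTS)` yields a single high-severity alert for pid 4242: Chrome reading its own Login Data and Cookies is exempt, the indexer’s single Web Data read stays under the threshold, and the unknown process trips all three rules (non-browser image, two browser families, DPAPI master key blob) before its connection to 203.0.113.45. The cross-family and DPAPI rules deliberately ignore the browser allowlist, which is what keeps the rule useful if the stealer is running inside chrome.exe or firefox.exe rather than as its own process. In production the same logic maps onto object-access auditing (a SACL on the profile directories and %APPDATA%\Microsoft\Protect) joined with process network telemetry; tune `window` and `min_stores` against a baseline of backup and sync agents before alerting on medium severity.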