Storm Infostealer: New Malware Capable of Bypassing 2FA Protocols

On April 16, 2026, the cybersecurity landscape faced a seismic shift as researchers from Varonis Threat Labs unveiled the discovery of a sophisticated new malware platform: the Storm Infostealer. Representing a radical evolution in credential theft, Storm is not merely another piece of spyware; it is a high-velocity, Malware-as-a-Service (MaaS) tool specifically engineered to dismantle the security foundations of the modern web. By targeting session cookies and Google account tokens through a unique combination of local library manipulation and server-side decryption, Storm has rendered traditional two-factor authentication (2FA) protocols—even those utilizing hardware tokens—startlingly vulnerable.

The Technical Architecture of the Storm Infostealer

The Storm Infostealer distinguishes itself from its predecessors by its surgical approach to data exfiltration. Historically, infostealers like RedLine or Lumma attempted to decrypt browser credentials locally on the victim’s machine. This process required the malware to interact with the operating system’s Data Protection API (DPAPI) and load standard SQLite libraries to parse browser databases. However, modern endpoint detection and response (EDR) tools have become highly efficient at flagging these specific behaviors.

Storm bypasses these defenses by shifting the “heavy lifting” to the attacker’s infrastructure. According to the Varonis report, Storm utilizes compromised SQLite libraries directly on the infected machine to gain raw access to stored session cookies and database files without triggering the typical telemetry associated with decryption. Once the raw, encrypted data is harvested, it is immediately shipped to a remote server for server-side decryption. This approach provides two distinct advantages for cybercriminals:

  • Detection Evasion: Because the decryption does not happen on the victim’s device, EDR tools do not see the “unlocking” of passwords, leaving them blind to the theft.
  • Bypassing App-Bound Encryption: When Google introduced App-Bound Encryption in Chrome 127, it tied encryption keys to the browser identity itself. Storm counters this by exfiltrating the encrypted blobs and the specific tokens required to reconstruct the session remotely.

Exploiting the Chromium and Gecko Engines

While many stealers focus exclusively on Chromium-based browsers like Google Chrome and Microsoft Edge, the Storm Infostealer features a dual-engine capability. It is designed to harvest data from both Chromium and Gecko-based browsers (such as Mozilla Firefox, Waterfox, and Pale Moon). This multi-engine support ensures that regardless of a user’s browser preference, their authenticated sessions are at risk.

The malware operates primarily in-memory, further reducing its disk footprint and making forensic analysis difficult for standard antivirus software. By the time a security scan identifies a suspicious file, the encrypted browser “vault” has already been exfiltrated to the attacker’s command-and-control (C2) node.

How Storm Bypasses 2FA Protocols and Hijacks Sessions

The most alarming feature of the Storm Infostealer is its ability to bypass two-factor authentication (2FA). For years, users have been told that 2FA—whether via SMS, TOTP apps (like Google Authenticator), or hardware keys (like YubiKeys)—is the ultimate defense against credential theft. Storm proves that this defense is only as strong as the browser session it protects.

Storm does not attempt to “guess” or intercept a 2FA code. Instead, it utilizes session hijacking (also known as “Pass-the-Cookie”). When a user logs into a service like Gmail, Salesforce, or a corporate AWS console and completes their 2FA challenge, the browser stores a session cookie. This cookie tells the server, “This user has already proved who they are.”

The Role of Google Account Tokens

Storm specifically targets Google account tokens and refresh tokens. These tokens are highly valuable because they allow for persistent access even after a password is changed. The attackers utilize a sophisticated automation panel to process these stolen logs. According to researchers, the process follows a terrifyingly efficient sequence:

  1. The malware harvests the Google Refresh Token and session cookies from the infected device.
  2. The data is uploaded to the Storm C2 infrastructure and decrypted.
  3. The attacker’s control panel feeds the token into a geographically matched SOCKS5 proxy.
  4. By matching the victim’s IP location, the attacker “restores” the session. To the service provider (e.g., Google or Microsoft), it appears as if the original user is simply continuing their session.

Because the session is already “authenticated,” the service provider does not prompt for 2FA. The attacker effectively steps into the victim’s digital shoes, gaining full access to emails, cloud storage, and internal corporate tools without ever needing to know the victim’s password or intercepting a second-factor code.

The Malware-as-a-Service (MaaS) Threat Model

Varonis researchers discovered that Storm Infostealer is being operated as a professionalized “Malware-as-a-Service” platform. It is available on underground forums for approximately $1,000 per month, a relatively low barrier to entry for organized cybercrime groups. This subscription model includes access to the automated session-restoration panel, technical support, and frequent updates to evade new browser security patches.

The global reach of Storm is already evident. Initial telemetry indicates active infections across the United States, Brazil, India, Indonesia, and the United Kingdom. Beyond standard login credentials, the malware has been observed targeting:

  • Cryptocurrency Wallets: Both browser extensions (MetaMask, Phantom) and desktop applications.
  • Messaging Apps: Session data from Telegram, Signal, and Discord.
  • Enterprise Credentials: Access tokens for SaaS platforms and cloud environments.
  • Sensitive Documents: Direct harvesting of files from user directories (Desktop, Documents, Downloads).

Defensive Strategies: Moving Beyond Browser Storage

The discovery of the Storm Infostealer serves as a definitive “wake-up call” for both individual users and enterprise security teams. If 2FA can be bypassed via session theft, the traditional security stack must be re-evaluated. Security experts are now urging a transition toward more resilient defensive postures.

1. Abandoning Browser-Based Password Management

Browsers are designed for convenience, not high-security vaulting. The fact that Storm can use compromised SQLite libraries to access browser-stored credentials highlights the inherent risk of using “Remember Password” features in Chrome or Edge. Users should transition to dedicated, zero-knowledge password managers. These applications store credentials in an encrypted vault that is separate from the browser’s process space, making them significantly harder for an infostealer to harvest.

2. Implementing Session Binding and DPoP

To combat session hijacking, the industry is moving toward Session Binding. Techniques such as Demonstrating Proof-of-Possession (DPoP) at the application layer tie a session token to a specific cryptographic key on the user’s device. If a Storm Infostealer actor exfiltrates a DPoP-bound cookie, it will be useless on the attacker’s machine because they do not possess the private key stored in the victim’s hardware-backed key store (such as a TPM).
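The property described above, shown as an added example (not code from the Varonis report or any DPoP library): real DPoP (RFC 9449) binds the token to an asymmetric key pair and the client signs a JWT proof per request, whereas this model stands in the device-held private key with an HMAC key and a server-side enrollment map so it runs on the Python standard library alone. The names, claim layout and the "mail.example" URL are assumptions; what it demonstrates is that the token by itself, and even a captured proof, cannot reconstruct the session on another machine.

```python
import hashlib
import hmac
import json
import secrets
import time

def thumbprint(key: bytes) -> str:
    """The 'jkt' value the token carries: a hash of the device key, never the key itself."""
    return hashlib.sha256(key).hexdigest()

def issue_token(user: str, device_key: bytes) -> dict:
    return {"sub": user, "jkt": thumbprint(device_key), "iat": int(time.time())}

def token_hash(token: dict) -> str:
    return hashlib.sha256(json.dumps(token, sort_keys=True).encode()).hexdigest()

def make_proof(device_key: bytes, method: str, url: str, token: dict) -> dict:
    """Client side: a fresh proof for this one request, MACed with the device-held key."""
    claims = {"htm": method, "htu": url, "iat": int(time.time()),
              "jti": secrets.token_hex(8), "ath": token_hash(token)}
    msg = json.dumps(claims, sort_keys=True).encode()
    return {"claims": claims, "mac": hmac.new(device_key, msg, "sha256").hexdigest()}

def verify(token: dict, proof: dict, method: str, url: str,
           enrolled: dict, seen_jti: set, max_age: int = 60) -> str:
    """Server side: 'ok' or the rejection reason. 'enrolled' maps jkt -> device key (assumed model)."""
    c, key = proof["claims"], enrolled.get(token["jkt"])
    if key is None:
        return "unknown key thumbprint"
    expect = hmac.new(key, json.dumps(c, sort_keys=True).encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expect, proof["mac"]):
        return "bad proof signature"          # presenter does not hold the device key
    if (c["htm"], c["htu"]) != (method, url):
        return "proof bound to a different request"
    if c["ath"] != token_hash(token):
        return "proof not bound to this token"
    if abs(int(time.time()) - c["iat"]) > max_age:
        return "proof expired"
    if c["jti"] in seen_jti:
        return "proof replayed"               # a captured proof is single-use
    seen_jti.add(c["jti"])
    return "ok"

def demo() -> dict:
    victim_key = secrets.token_bytes(32)      # stands in for a key held in the victim's TPM
    enrolled, seen, url = {thumbprint(victim_key): victim_key}, set(), "https://mail.example/inbox"
    token = issue_token("alice", victim_key)
    proof = make_proof(victim_key, "GET", url, token)
    legit = verify(token, proof, "GET", url, enrolled, seen)     # victim's own request
    replay = verify(token, proof, "GET", url, enrolled, seen)    # exfiltrated token + captured proof
    forged = verify(token, make_proof(secrets.token_bytes(32), "GET", url, token), "GET", url, enrolled, seen)
    return {"legit": legit, "replay": replay, "forged": forged}
```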

3. Shortening Session Lifespans and IP Enforcement

Enterprises should implement stricter conditional access policies. This includes:

  • Reduced Session Timeouts: Forcing re-authentication more frequently reduces the “window of opportunity” for a stolen cookie to be useful.
  • Continuous Access Evaluation (CAE): Systems like Microsoft Entra ID can revoke sessions in real-time if a suspicious change (like a new IP or location) is detected.
  • Strict IP Pinning: While Storm uses SOCKS5 proxies to mimic locations, advanced behavioral analytics can often detect the subtle differences in latency and routing that accompany proxied traffic.
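An added example of the continuous-evaluation logic the list above calls for (constructed here, not code from Microsoft Entra ID or any vendor product): it runs over a few constructed session-telemetry lines and, because Storm geo-matches its proxy, deliberately does not alarm on a same-country IP change alone; it compares each request against the session's own baseline ASN, client fingerprint and latency. The field names, ASNs and thresholds are assumptions.

```python
import json
import statistics
from collections import defaultdict

# Constructed sample telemetry: one JSON event per request that presents a session cookie.
SAMPLE_LOG = """\
{"ts": 1000, "sid": "s1", "user": "alice", "ip": "203.0.113.10", "asn": 64500, "country": "US", "ua": "Chrome/124", "rtt_ms": 18}
{"ts": 1300, "sid": "s1", "user": "alice", "ip": "203.0.113.10", "asn": 64500, "country": "US", "ua": "Chrome/124", "rtt_ms": 22}
{"ts": 1600, "sid": "s1", "user": "alice", "ip": "203.0.113.10", "asn": 64500, "country": "US", "ua": "Chrome/124", "rtt_ms": 19}
{"ts": 2100, "sid": "s1", "user": "alice", "ip": "198.51.100.7", "asn": 64999, "country": "US", "ua": "Chrome/124", "rtt_ms": 240}
{"ts": 1100, "sid": "s2", "user": "bob", "ip": "192.0.2.5", "asn": 64501, "country": "GB", "ua": "Firefox/125", "rtt_ms": 30}
{"ts": 1900, "sid": "s2", "user": "bob", "ip": "192.0.2.77", "asn": 64501, "country": "GB", "ua": "Firefox/125", "rtt_ms": 34}
"""

def parse(log: str) -> list:
    return [json.loads(line) for line in log.splitlines() if line.strip()]

def evaluate(events: list, rtt_factor: float = 4.0) -> dict:
    """Evaluate every request against its session's own baseline and return the
    sessions to revoke with the reasons. Same-country IP changes are ignored on
    their own; ASN change, client change and a latency jump are the signals."""
    baseline = {}                       # sid -> profile of the first request plus clean RTT samples
    findings = defaultdict(list)
    for e in sorted(events, key=lambda e: (e["sid"], e["ts"])):
        b = baseline.setdefault(e["sid"], {"asn": e["asn"], "ua": e["ua"], "rtts": []})
        reasons = []
        if e["asn"] != b["asn"]:
            reasons.append("asn_changed")       # e.g. home ISP -> residential proxy provider
        if e["ua"] != b["ua"]:
            reasons.append("client_changed")    # restored session from a different browser build
        if len(b["rtts"]) >= 2 and e["rtt_ms"] > rtt_factor * statistics.median(b["rtts"]):
            reasons.append("latency_jump")      # extra hop that proxied traffic adds
        if reasons:
            findings[e["sid"]].append({"ts": e["ts"], "user": e["user"], "ip": e["ip"],
                                       "reasons": reasons, "action": "revoke_session"})
        else:
            b["rtts"].append(e["rtt_ms"])       # only clean requests extend the baseline
    return dict(findings)
```

Bob's IP change inside the same ASN (mobile roaming, DHCP) produces no finding, which is the point: the signal is the change of network operator and client, not the address.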

4. The Shift to Passkeys

Unlike traditional passwords, Passkeys are based on FIDO2 standards and are inherently resistant to the types of theft performed by the Storm Infostealer. Because Passkeys require a local biometric or hardware-backed challenge for every new authentication attempt and are not stored in a simple SQLite database file, they offer a significantly higher degree of protection against remote session reconstruction.

Conclusion: The Future of Browser Security

The Storm Infostealer represents the new “gold standard” for cyber-adversaries. By focusing on the post-authentication state—the session itself—attackers have found a way to bypass the very security measures that were supposed to make passwords obsolete. The discovery by Varonis highlights that as long as we rely on persistent, portable cookies to maintain our digital identities, we remain at risk.

For the average user, the advice is clear: clear your browser cookies regularly, avoid storing sensitive financial credentials in your browser, and treat every software download with extreme suspicion. For the enterprise, the arrival of Storm mandates a move toward Zero Trust architectures where identity is constantly verified, and sessions are cryptographically bound to the hardware they originated from. In the battle against infostealers, the storm has arrived—and our old umbrellas are no longer enough.

Written by

TempMail Ninja

Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.