Varonis has identified an infostealer that gathers browser credentials, which include accounts and passwords, session cookies, and cryptocurrency wallets. An infostealer is a category of malware created to collect sensitive information and transmit it to a remote attacker. Once that data is decrypted, the attacker can make use of it. Information stealers have existed since the mid-2000s, but this recent variant, dubbed Storm, utilizes a distinctive approach that permits attackers to obtain Google account tokens, two-factor authentication codes, and more.
Traditional information-stealing malware is among the prevalent methods for password theft and primarily operates locally, on an infected user’s machine. It loads compromised SQLite libraries, an embedded database engine that aids application performance, and subsequently accesses stored account data that way. It is widespread and easily identified by endpoint security solutions. Google shifted this paradigm when it introduced what is known as App-Bound Encryption in Chrome 127 in July 2024. As Varonis clarifies, encryption keys became linked to the Chrome browser, which effectively “complicated local decryption even further.”
Consequently, malware evolved to be more sophisticated, but the “first wave” of enhancements inserted harmful code into Chrome or exploited its debugging protocols. This approach still left detectable evidence for security solutions. Enter Storm. Now, locally gathered data — still encrypted — is transmitted to a proprietary framework. After a machine is compromised, attackers harvest the data needed to restore hijacked sessions from a distance. Collected items include saved passwords, session cookies, autofill form data, Google account tokens, credit card information, browsing histories, and even files from user directories and popular applications. Additionally, since data is decrypted server-side, Storm remains undetectable by numerous endpoint security solutions.
