For $900 a month, anyone can now buy authenticated access to enterprise cloud environments, without ever needing a password.
That's the going rate for Storm, a new infostealer-as-a-service platform that appeared on underground cybercrime forums in early 2026. It doesn't crack passwords. It doesn't intercept one-time codes. It steals session cookies after authentication completes, then restores those hijacked sessions on attacker-controlled infrastructure. Your 2FA isn't broken. It's just irrelevant.
Daniel Kelley, Senior Security Researcher at Varonis Threat Labs, discovered Storm's operation and found 1,715 victim log entries spanning India, the US, Brazil, Indonesia, Ecuador, and Vietnam. The compromised accounts included Google, Facebook, Coinbase, Binance, and Azure Entra ID sessions that gave operators persistent access to Microsoft 365 without triggering a single password-based alert.
Server-Side Decryption Changes the Game
Most infostealers decrypt stolen browser data locally on the victim's machine. This creates a problem for attackers: endpoint detection tools are specifically designed to catch that behavior. Unauthorized processes loading SQLite libraries, accessing credential stores, manipulating browser databases. All of it generates telemetry that security teams can act on.
Storm takes a different approach. It ships the encrypted browser databases to attacker-controlled servers and decrypts them there. As Kelley noted, server-side decryption enables attackers to "avoid tripping endpoint tools designed to catch traditional on-device decryption."
This isn't a minor technical detail. It's a fundamental shift in the detection equation, following the broader pivot from encryption to exfiltration that is rewriting the attack playbook. Everything runs in memory on the victim's machine. The only observable behavior is encrypted data leaving the device, which looks indistinguishable from normal HTTPS traffic to most security tools.
Google introduced App-Bound Encryption in Chrome 127 to prevent local credential theft. Infostealer developers bypassed it within 45 days. Storm doesn't even bother with the bypass. It avoids the problem entirely by moving decryption off the endpoint. It handles both Chromium-based browsers (Chrome, Edge) and Gecko-based browsers (Firefox, Waterfox, Pale Moon) server-side, advancing beyond predecessors like StealC V2, which still process Firefox data locally.
The $900 Democratization Problem
Storm isn't a nation-state tool. It's a subscription service with a pricing page.
A seven-day demo costs $300. The standard license runs $900 per month. The team tier, at $1,800 monthly, supports 100 operator seats and 200 builds. For context, $900 per month is less than most legitimate SaaS security tools cost. IBM's 2024 Cost of a Data Breach Report puts the average breach at $4.88 million. The economics are straightforward: the cost of launching an attack is now a rounding error compared to the damage it can inflict.
The team tier is particularly telling. At 100 operator seats, Storm is built for organized operations, not lone actors. Each operator deploys a personal VPS node that routes stolen data through their infrastructure first, insulating Storm's central servers from law enforcement takedowns. It's a decentralized model that mirrors how legitimate SaaS platforms handle multi-tenant operations.
Kelley put the enterprise risk plainly: "One compromised employee browser can hand an operator authenticated access to SaaS platforms, internal tools, and cloud environments without ever triggering a password-based alert." It's the same EDR/DLP bypass pattern we saw with OpenClaw: using legitimate credentials and sanctioned channels to walk past the entire security stack without triggering alerts.
Session Cookies Are the New Attack Surface
Storm is a symptom of a larger shift the industry has been slow to internalize. Passwords aren't the primary target anymore. Sessions are.
Recorded Future's identity threat data shows that 31% of malware-sourced credentials now come with cookies attached. That number grew 30% between the first and second half of 2025. Attackers aren't just collecting login credentials; they're harvesting the session tokens that prove a user already authenticated.
The scale is staggering. Infostealers stole 1.8 billion credentials from 5.8 million devices in 2025, an 800% increase from the prior period. Specops analyzed over 6 billion malware-stolen passwords in their 2026 report. And Flare Research warns that 1 in 5 infostealer infections could yield enterprise credentials by Q3 2026.
What makes session hijacking particularly dangerous is what it renders irrelevant. Password complexity doesn't matter; they're not using your password. Password rotation is useless; they have your session. Multi-factor authentication was already completed before the cookie was stolen. Stolen Azure Entra ID session cookies give attackers persistent access to Microsoft 365 environments without any of those controls firing. This is the same identity centralization risk that the ShinyHunters campaign exploited: when authentication is a single point of trust, everything downstream falls with it.
This is the same identity fragility I explored in 149 Million Stolen Credentials Aren't the Problem: the infrastructure harvesting credentials has industrialized, but our defenses still assume credentials are the primary attack vector. Storm proves the target has moved to sessions.
What Actually Works
If session cookies are the new target, the defenses need to match.
Continuous session validation is the first line of defense. Static sessions that persist for hours or days are exactly what Storm exploits. Reducing session lifetimes, binding sessions to device fingerprints, and requiring periodic re-authentication for sensitive operations limit the window attackers have to exploit a stolen cookie.
Device-bound tokens address the root cause. FIDO2 and WebAuthn create authentication credentials that are cryptographically tied to a specific device. Unlike passwords or session cookies, they can't be exfiltrated and replayed from another machine. The challenge is adoption: most enterprises are still years away from passkey-only authentication.
Session anomaly detection fills the gap in the meantime. If the same session token appears from a new IP, device, or geography, that's a signal worth investigating. Storm operators use geographically matched SOCKS5 proxies to reduce this friction, but proxy detection combined with device fingerprinting can still catch the majority of session replay attempts.
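The session lifetime, device-binding and anomaly checks described in the paragraphs above, as an added example that is not from the article or from Varonis: a server-side validator that rejects aged or idle sessions and revokes a session the moment its cookie arrives from a different device fingerprint or country. The lifetime values, the availability of a device fingerprint and a geo-IP country, and the request log are assumed or constructed.

```python
from dataclasses import dataclass

MAX_SESSION_AGE = 8 * 3600  # hard lifetime in seconds (assumed policy, not from the article)
IDLE_TIMEOUT = 30 * 60      # idle timeout in seconds (assumed policy)

@dataclass
class Session:
    user: str
    fingerprint: str   # device fingerprint captured at login (assumed available)
    country: str       # country of the login IP (geo-IP lookup assumed)
    issued_at: int
    last_seen: int
    revoked: bool = False

def check_request(session, now, fingerprint, country):
    """Validate one request against the session cookie it presents; return a reason."""
    if session.revoked:
        return "revoked"
    if now - session.issued_at > MAX_SESSION_AGE:
        return "expired:max_age"
    if now - session.last_seen > IDLE_TIMEOUT:
        return "expired:idle"
    if fingerprint != session.fingerprint or country != session.country:
        # Valid cookie, different device or geography: treat it as a replay. Revoking
        # forces both parties to re-authenticate, and only the real user passes MFA.
        session.revoked = True
        return "reauth:binding_mismatch"
    session.last_seen = now
    return "ok"

# Constructed request log: (time, session_id, fingerprint, country); first event per id is the login.
SAMPLE_LOG = [
    (0,    "s1", "fp-laptop-a", "US"),
    (600,  "s1", "fp-laptop-a", "US"),
    (900,  "s1", "fp-vps-z",    "US"),  # replay via geo-matched proxy, other device
    (1200, "s1", "fp-laptop-a", "US"),  # real user, now forced to log in again
    (0,    "s2", "fp-phone-b",  "US"),
    (2000, "s2", "fp-phone-b",  "US"),  # idle for more than 30 minutes
]

def replay_log(events):
    """Run the request log through the validator; return [(session_id, time, reason)]."""
    sessions, results = {}, []
    for t, sid, fp, country in events:
        if sid not in sessions:
            sessions[sid] = Session("user-" + sid, fp, country, t, t)
            results.append((sid, t, "issued"))
        else:
            results.append((sid, t, check_request(sessions[sid], t, fp, country)))
    return results
```

Note that the third event matches the login country, so a geography check alone would pass it; the fingerprint binding is what catches the replayed cookie.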
Outbound data monitoring targets Storm's specific technique. The server-side decryption model requires encrypted browser databases to leave the endpoint. Monitoring for unusual outbound data patterns from browser data directories, particularly bulk transfers of SQLite files, creates a detection layer that endpoint tools alone can't provide.
The uncomfortable reality is that none of these are new ideas. The security industry has discussed session management, device binding, and behavioral analytics for years. Storm just makes the cost of inaction concrete: $900 a month for complete enterprise access, no password required.