"What if your browser, not your password, became the key to your accounts?" That is the unnerving question raised by recent reporting on a new infostealer that researchers say takes a different route to compromise: instead of unlocking data locally, it forwards decrypted browser material to attacker-controlled servers, enabling account takeover despite passwords and multifactor protections.
What the researchers found
Security researchers at Varonis identified a new infostealer known as "Storm" that, according to their analysis, "skips local decryption, sending browser data to attacker servers." Varonis further shows how this server-side decryption "enables session hijacking, bypassing passwords and MFA."
Those two linked findings — the outward transfer of browser data and the server-side decryption process — are the kernel of the report and the source of the worry: by moving decryption and session reconstruction off the user's device and into infrastructure controlled by the attacker, Storm changes the threat model defenders must consider.
How this changes the threat landscape
Varonis' description implies a technical pivot from stealing static credentials to extracting live session material for reuse. Session hijacking, as the report frames it, means an attacker can impersonate a logged-in user without necessarily obtaining or using that user's password or the second factor typically relied upon for protection. That manner of compromise shifts the locus of attack away from password theft and toward capturing session artifacts that permit immediate access.
The practical consequence, according to the Varonis findings, is that established controls aimed at guarding credentials may not be sufficient if an adversary can collect and reconstruct sessions remotely. The report links the infostealer's operational choices to the capability to bypass both passwords and multifactor authentication.
Stakeholder perspectives and strategic implications
- Technologists: For defenders and architects of authentication systems, the reported technique underscores the need to examine what browser-resident data can be exfiltrated and how servers validate and reconstitute sessions. Varonis' analysis suggests attackers who centralize decryption on their own servers could make account takeover faster and more reliable.
- Policymakers and risk managers: The reported ability of an infostealer to sidestep common defenses raises questions about how enterprises classify and mitigate browser-originated telemetry and session tokens. Varonis' findings point to a threat that has implications for incident response, logging, and supply-chain monitoring strategies.
- Users and enterprises: If session materials can be moved off-device and reactivated on attacker infrastructure, then the apparent security of passwords and multifactor prompts may be illusory in certain attack chains. Varonis' report highlights a scenario where visible authentication steps do not guarantee the integrity of an active session.
- Adversaries: The Storm approach, as described, favors centralized control of decryption and session recreation. That model could lower the skill or time required to monetize harvested browser data, according to the pattern Varonis documents.
What the Varonis report leaves open — and why that matters
The public summary supplied by Varonis concentrates on two linked mechanics — exfiltration of browser data and server-side decryption enabling session hijacking that bypasses passwords and MFA — but it does not, in the available excerpt, enumerate mitigations, scope, or indicators of compromise in detail. That means defenders must treat the disclosure as a directional alert: the technique exists, and its logical consequences deserve urgent attention even as specifics are awaited.
Viewed through that lens, the Varonis findings shift the defensive imperative from exclusively protecting credentials toward limiting what session artifacts can be harvested, detecting anomalous use of sessions, and considering how authentication systems validate the provenance of a session beyond possession of tokens or one-time challenges.
If an infostealer can send decrypted browser data to attacker servers and thereby enable session hijacking that bypasses passwords and MFA, what measures will actually raise the bar high enough to stop it?




