Storm Infostealer Bypasses 2FA: Malware Hijacks Accounts Without Passwords
In the evolving landscape of cyber threats, infostealers represent one of the most pervasive dangers to individual and organizational security. Among these, Storm Infostealer has emerged as a particularly insidious variant, capable of circumventing two-factor authentication (2FA) mechanisms. Unlike traditional credential-stuffing attacks that require usernames and passwords, this malware enables attackers to seize control of online accounts by exploiting stolen session data, rendering standard login protections ineffective.
Storm Infostealer, actively marketed on dark web forums since mid-2023, is distributed through a subscription-based model priced between 100 and 500 USD per month, depending on the builder’s configuration options. Cybercriminals purchase access to customized versions tailored to specific targets, such as regions or victim profiles. Initial infection vectors include phishing emails, malvertising campaigns, and compromised websites hosting cracked software or fake download links. Once executed, the malware operates stealthily, exfiltrating vast amounts of sensitive data without triggering immediate user alerts.
At its core, Storm Infostealer’s 2FA evasion relies on the theft of authentication tokens and session cookies stored in web browsers. Modern web applications, including social media platforms, email services, and financial portals, rely on persistent sessions after initial login. These sessions are maintained via cryptographically signed cookies or tokens that verify user identity without requiring repeated password entry or one-time passcodes (OTPs). By harvesting these artifacts, attackers can impersonate victims directly in the browser environment, bypassing both password and 2FA prompts entirely.
Technical analysis reveals that Storm targets over 50 popular browsers, including Chrome, Firefox, Edge, and lesser-known variants like Opera GX and Yandex. It employs sophisticated modules to enumerate browser profiles, decrypt stored data using APIs such as Windows DPAPI and NSS libraries, and extract cookies from SQLite databases. For instance, in Chromium-based browsers, it accesses the Cookies SQLite file in the user’s profile directory, dumping entries like __Secure-1PSID, SID, and HSID for Google services, or equivalent tokens for Facebook and Microsoft accounts. These stolen cookies, when imported into a clean browser instance on the attacker’s machine, grant seamless access as if the legitimate user were still logged in.
Beyond cookies, Storm excels at harvesting autofill data, credit card details, and login credentials from password managers integrated into browsers. It also scans for cryptocurrency extensions and wallets, such as MetaMask, Exodus, and Ronin, extracting seed phrases and private keys. Desktop applications are not spared; modules target Telegram, Discord, Steam, and FTP clients, pulling session files and configuration data. The malware’s modular architecture allows operators to enable or disable specific stealers, optimizing payload size for evasion.
Exfiltration occurs via HTTP POST requests to command-and-control (C2) servers, often using Telegram bots or Pastebin for initial staging to avoid detection. Logs are compressed into ZIP archives containing HTML reports with screenshots of the victim’s desktop, system information, and categorized loot. This structured output facilitates rapid monetization: stolen accounts are sold on underground markets, used for business email compromise (BEC), or leveraged in ransomware precursor operations.
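The exfiltration pattern described above (HTTP POSTs of ZIP archives, often staged through Telegram bots or Pastebin) is something an egress proxy log can surface. The following is an added detection example, not code from the article or from any vendor; the log format, process names and hosts below are constructed for illustration, and the bot token in the Telegram path is an obvious placeholder.

```python
import re

# Constructed egress-proxy records: timestamp, process, method, host, path,
# content type, bytes sent. Not real telemetry; the IP is from the
# documentation range and the Telegram bot token is a placeholder.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z chrome.exe GET www.example.com / text/html 512
2024-05-01T10:00:05Z svchost.exe POST api.telegram.org /bot0000:PLACEHOLDER/sendDocument multipart/form-data 2310000
2024-05-01T10:00:09Z firefox.exe POST pastebin.com /login application/x-www-form-urlencoded 230
2024-05-01T10:00:12Z updater.exe POST pastebin.com /api/api_post.php application/x-www-form-urlencoded 48000
2024-05-01T10:00:15Z svchost.exe POST 203.0.113.10 /upload application/zip 1900000
"""

# Public services the article names as staging channels, and the browser
# processes that legitimately talk to them from a user's desktop.
STAGING_HOSTS = {"api.telegram.org", "pastebin.com"}
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "opera.exe"}
ARCHIVE_TYPES = {"application/zip", "application/x-zip-compressed"}
TELEGRAM_BOT_PATH = re.compile(r"^/bot[^/]+/send(Document|Message)$")
LARGE_UPLOAD_BYTES = 1_000_000


def detect_exfiltration(log_text):
    """Return one alert per suspicious POST, each with the reasons it fired."""
    alerts = []
    for line in log_text.splitlines():
        ts, proc, method, host, path, ctype, size = line.split()
        if method != "POST":
            continue
        reasons = []
        non_browser = proc.lower() not in BROWSERS
        # A non-browser process posting to a paste/bot service is the core signal;
        # a browser user logging into pastebin.com is expected and not flagged.
        if non_browser and host in STAGING_HOSTS:
            reasons.append("non_browser_post_to_staging_service")
        if host == "api.telegram.org" and TELEGRAM_BOT_PATH.match(path):
            reasons.append("telegram_bot_api")
        if ctype in ARCHIVE_TYPES:
            reasons.append("archive_upload")
        if non_browser and int(size) >= LARGE_UPLOAD_BYTES:
            reasons.append("large_non_browser_upload")
        if reasons:
            alerts.append({"ts": ts, "process": proc, "host": host, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_exfiltration(SAMPLE_LOG):
        print(alert)
```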
Security researchers have observed Storm’s resilience against endpoint detection and response (EDR) tools. It employs process hollowing, DLL side-loading, and obfuscated JavaScript to inject into legitimate processes like explorer.exe. Anti-analysis techniques include checking for virtual machines, debuggers, and sandbox environments via timing delays and hardware fingerprinting. Once entrenched, it disables Windows Defender real-time protection and clears event logs to cover tracks.
The implications extend far beyond individual users. Compromised social media accounts enable disinformation campaigns, while hijacked email inboxes facilitate targeted phishing or wire fraud. Financial losses from drained crypto wallets have been reported in the millions, with one analyzed sample yielding over 1,000 credentials from a single victim. Enterprises face elevated risks, as Storm’s cookie theft undermines zero-trust models reliant on continuous authentication.
Mitigation demands a multi-layered approach. Users should prioritize hardware security keys over SMS or app-based 2FA, as they resist token theft. Browser isolation via profiles or virtual machines limits cross-contamination, while regular cookie clearing and extensions like uBlock Origin can disrupt malvertising. On the enterprise side, implementing device-bound tokens, behavioral analytics, and network segmentation curtails lateral movement. Tools like Microsoft Defender for Endpoint or CrowdStrike Falcon have updated signatures for Storm variants, emphasizing the need for timely patching.
Storm Infostealer’s success underscores a critical vulnerability in session management practices. As long as web services prioritize convenience with long-lived cookies, infostealers will exploit this gap. Cybersecurity professionals must advocate for shorter session timeouts, token rotation, and client-side certificate authentication to fortify defenses against such threats.
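The three server-side controls named above (shorter session lifetimes, token rotation, and binding a session to the device it was issued to) can be shown in one small session store. This is an added example, not the article's code or any framework's API; the HMAC-signed device fingerprint is a simplified stand-in for a hardware-backed device-bound credential, and the key and timeouts are constructed values.

```python
import hashlib
import hmac
import secrets
import time

SECRET = b"constructed-demo-signing-key"  # assumption: server-side secret


class SessionStore:
    """Issues session cookies that expire, rotate on every use, and are bound
    to a device fingerprint, so a copied cookie is useless elsewhere."""
    ABSOLUTE_LIFETIME = 8 * 3600  # seconds since login
    IDLE_TIMEOUT = 15 * 60        # seconds since last request

    def __init__(self, now=time.time):
        self.now = now            # injectable clock for testing
        self._sessions = {}       # session id -> record

    def _sign(self, sid, device_fp):
        return hmac.new(SECRET, f"{sid}.{device_fp}".encode(), hashlib.sha256).hexdigest()

    def issue(self, user, device_fp, created=None):
        sid = secrets.token_urlsafe(24)
        t = self.now()
        self._sessions[sid] = {"user": user, "fp": device_fp,
                               "created": created if created is not None else t, "last": t}
        return f"{sid}.{self._sign(sid, device_fp)}"

    def validate(self, cookie, device_fp):
        """Return (user, fresh_cookie) on success, or (None, reason) on failure."""
        sid, _, sig = cookie.rpartition(".")
        rec = self._sessions.get(sid)
        if rec is None:
            return None, "unknown_or_rotated"   # replay of an already-rotated cookie
        # Device binding: the signature covers the fingerprint the cookie was issued to.
        if rec["fp"] != device_fp or not hmac.compare_digest(sig, self._sign(sid, device_fp)):
            return None, "device_mismatch"      # cookie imported on another machine
        t = self.now()
        if t - rec["created"] > self.ABSOLUTE_LIFETIME or t - rec["last"] > self.IDLE_TIMEOUT:
            del self._sessions[sid]
            return None, "expired"
        # Rotation: the old identifier dies on every successful use, so a stolen
        # copy stops working as soon as the legitimate user makes one more request.
        del self._sessions[sid]
        return rec["user"], self.issue(rec["user"], device_fp, created=rec["created"])
```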
Gnoppix is the leading open-source AI Linux distribution and service provider. Since implementing AI in 2022, it has offered a fast, powerful, secure, and privacy-respecting open-source OS with both local and remote AI capabilities. The local AI operates offline, ensuring no data ever leaves your computer. Based on Debian Linux, Gnoppix is available with numerous privacy- and anonymity-enabled services free of charge.