Session cookie malware MFA bypass has become a critical vulnerability as Storm infostealer demonstrates how attackers can circumvent multi-factor authentication by stealing browser session cookies rather than passwords. This emerging threat, which surfaced in early 2026, packages enterprise-grade account hijacking into a $900-per-month subscription service available on underground cybercrime networks, lowering the barrier to entry for inexperienced attackers targeting everything from Microsoft 365 to cryptocurrency wallets.
Key Takeaways
- Storm infostealer steals browser credentials, session cookies, crypto wallets, and autofill data from Chromium and Firefox browsers
- Uses server-side decryption to bypass Chrome 127 encryption and endpoint security tools
- Automates session hijacking using Google Refresh Tokens and geographically matched SOCKS5 proxies
- Costs $900 per month on dark web forums, significantly cheaper than traditional enterprise pentesting
- Bypasses MFA entirely by hijacking post-authentication sessions, requiring no password knowledge
How Storm Infostealer Defeats Multi-Factor Authentication
Multi-factor authentication is supposed to protect accounts even when passwords are compromised. Storm infostealer renders this protection irrelevant by targeting the authenticated session itself rather than the login credentials. Once a victim’s device is infected, the malware harvests encrypted browser data—including session cookies, stored passwords, credit card information, and autofill entries—then ships this data to attacker-controlled servers for remote decryption. The attacker never needs the original password or second authentication factor because the stolen session cookie already represents a fully authenticated connection to the target service.
This approach bypasses MFA through a fundamental architectural gap: most services validate the session cookie without re-checking authentication factors on every request. The use of server-side decryption and automated session restoration enables attackers to maintain persistent access while evading many endpoint detection tools that focus on credential theft rather than session hijacking. An attacker with a stolen Google Refresh Token and a geographically matched SOCKS5 proxy can silently restore the victim’s authenticated session and access their account without triggering alerts.
Session Cookie Malware MFA Bypass in Practice
Storm’s automated workflow transforms session hijacking from a manual, technical process into a turnkey operation. An operator feeds a stolen Google Refresh Token and a geographically matched SOCKS5 proxy into the malware’s control panel, which then silently restores the victim’s authenticated session for reuse. This automation is what distinguishes Storm from older commodity infostealers like RedLine, Raccoon, or LummaC2, which cost around $50 per month but lack automated session restoration and server-side decryption capabilities.
The malware supports both Chromium-based browsers (Chrome, Edge, Brave) and Gecko-based browsers (Firefox), harvesting session tokens specific to each platform. For Google services, it targets the __Host-3PLSID token; for SAML applications and Microsoft services, it extracts SAMLAuthToken and MSISAuth tokens respectively. Once exfiltrated and decrypted on the attacker’s server, these tokens grant immediate access to cloud services, productivity platforms, and cryptocurrency exchanges without requiring re-authentication.
Why Server-Side Decryption Changes the Threat Landscape
Chrome 127 introduced App-Bound Encryption, which ties encrypted credentials to the specific device where they were created. This protection was designed to prevent malware from stealing and decrypting browser data on a victim’s machine. Storm circumvents this by performing decryption remotely on attacker-controlled servers rather than attempting to decrypt data locally. This architectural choice means endpoint security tools that monitor for local decryption activities miss the attack entirely, and the stolen data remains encrypted until it reaches the attacker’s infrastructure.
This technique maps to MITRE ATT&CK framework entries T1555.003 (Credentials from Web Browsers), T1539 (Steal Web Session Cookie), and Credentials in Files. The shift from local to remote decryption represents a meaningful evolution in infostealer design, allowing Storm to bypass protections that previously would have stopped credential theft at the endpoint level.
The Broader Ecosystem of Session Hijacking Threats
Storm infostealer is not the first attack to exploit session cookies for account hijacking. Varonis researchers documented Cookie-Bite, a proof-of-concept attack using malicious Chrome extensions to extract session tokens from Azure Entra ID, bypassing MFA for Microsoft 365 users. SessionShark, another documented technique, uses real-time token interception through phishing kits to capture tokens as users authenticate. What makes Storm distinct is its combination of automation, affordability, and integration with server-side decryption—packaging techniques that previously required manual effort or advanced technical knowledge into a subscription service accessible to entry-level attackers.
Detection and response tools are beginning to address this threat. Constella Identity’s Signal Feed monitors the dark web for stolen session cookies and can invalidate compromised sessions within minutes of detection. However, the widespread availability of Storm at $900 per month—a fraction of the cost of enterprise penetration testing—means organizations face a growing population of attackers with the capability to target their systems.
What Makes Storm Infostealer a Turning Point
The true danger of Storm lies not in any single technical innovation but in democratization. Advanced session hijacking techniques that previously required specialized knowledge or custom malware development are now available as a subscription service to any attacker with $900 per month and access to underground forums. This lowers the barrier to enterprise-grade account hijacking dramatically, shifting the threat from nation-state actors and sophisticated cybercriminal groups to a broader population of less-skilled attackers.
Organizations relying on MFA as their primary defense against account compromise are now facing a category of threat that bypasses MFA entirely. Stolen credentials can be reset; stolen session cookies grant access without triggering password resets or requiring new authentication factors. The attacker maintains persistence until the session naturally expires or the organization detects and invalidates the token—a gap that may span days or weeks in many enterprise environments.
Can Organizations Detect Storm Infostealer Attacks?
Detecting Storm infostealer infections on endpoints is challenging because the malware’s most damaging activity—session hijacking—occurs on attacker-controlled servers rather than the victim’s device. Endpoint detection tools looking for credential access or browser data exfiltration may flag the initial infection, but the session hijacking itself leaves minimal forensic traces on the compromised machine. Detection requires behavioral monitoring at the session layer: unusual geographic access patterns, impossible travel scenarios (login from one continent followed by another within minutes), or session activity inconsistent with the user’s normal behavior.
Is multi-factor authentication still effective against session hijacking?
Multi-factor authentication protects the login process but not the authenticated session itself. Once an attacker obtains a valid session cookie or refresh token, MFA becomes irrelevant because the session already represents a completed authentication. Organizations should implement conditional access policies that monitor for suspicious session activity, enforce session timeouts, and invalidate tokens when unusual access patterns are detected.
How do organizations defend against Storm infostealer and similar threats?
Beyond MFA, organizations should deploy endpoint detection and response (EDR) tools capable of detecting infostealer infections before data exfiltration occurs, monitor dark web feeds for stolen credentials and session tokens, enforce strict password policies and credential hygiene, implement browser isolation for high-risk users, and regularly audit active sessions for anomalies. Session hijacking threats underscore why MFA alone is insufficient—defense requires a layered approach combining endpoint protection, session monitoring, and rapid token invalidation capabilities.
Storm infostealer represents a fundamental shift in how account hijacking is weaponized and distributed. By automating session hijacking and offering it as an affordable subscription, the malware moves enterprise-grade attacks from the realm of specialized attackers into the hands of anyone willing to pay for access. Organizations that have treated MFA as a complete security solution are now facing a threat that bypasses it entirely, making session monitoring and behavioral detection not optional enhancements but essential security controls.
Edited by the All Things Geek team.
Source: TechRadar


