Newly discovered malware for sale on the black market allows anyone to steal passwords, cryptocurrency, and more from a Windows computer, even with strict security measures enabled. Every time you sigh your way through yet another password field or grumble as you check your phone for a two-factor authentication code, you can take solace in the knowledge that these inconveniences keep your work private and personal data secure. But security is ever-evolving, and no fortress is impenetrable.

The new malware, an infostealer called Storm, was spotted in early 2026, according to a security report by cybersecurity firm Varonis. As you may infer, an infostealer is a piece of software that steals your sensitive personal information and squirrels it away for an attacker. Where Storm differs from other such tools is in its ability to take encrypted information from your browser and decrypt it on a remote server. Think of it like the difference between conducting a bank heist and cracking the safe while you’re still at the scene of the crime versus taking the entire safe home and cracking it open in your basement. In the former scenario, you need to bring your safe-cracking tools inside with you while the seconds tick down until the police arrive. In the latter, you get to work from the comfort of your own home, taking all the time in the world to crack the combination.

Because modern browsers are security-hardened against infostealers that work on an infected device to exfiltrate decrypted data  — they’re very good at detecting those safe-cracking tools, in other words  — Storm has cybersecurity experts raising an eyebrow. Here’s how this new threat works, and why it could spread quickly.

Traditional infostealers set up camp in your browser, where they access local SQLite databases and get to work picking your digital locks. Of course, popular browsers like the Chromium project that undergirds Chrome, Edge, and many others have hardened their security against these kinds of attacks. Browsers treat any sign of a database being accessed locally as a massive red flag, effectively siccing the watchdogs on an attacker before they can get away with the goods. Google even deployed a security measure called App-Bound Encryption that tied keys to the browser itself, but hackers quickly made mincemeat of it.

According to Varonis, Storm doesn’t even bother with this locally-bound cat-and-mouse game. Instead, it steals files in an encrypted state. To continue our bank robbery metaphor, imagine the bank’s security is triggered when someone starts meddling with the locks on the safe, but if someone simply loads the safe onto a truck and drives away, the alarm never even goes off. Once safely on the attacker’s server, Storm gets to work cracking encrypted files. It has its own servers, but data is routed through an attacker’s virtual private server, obfuscating Storm’s own infrastructure. By reconstructing the authenticated session after exfiltration, Storm is able to use session cookies to bypass two-factor authentication (2FA) and other modern security measures.

When Storm gets into a system, it can extract passwords, autofill data such as names and addresses, credit card information, browsing history, and so on. It also targets crypto wallets, messaging apps like Discord, Signal, and Telegram, and files from the user’s storage drive. For good measure, it also takes screenshots. The good news, at least for some, is that Storm can only be deployed against Windows systems.

Users have grown largely accustomed to software as a service (SaaS), the practice wherein software companies charge an ongoing fee for a product. You pay monthly for things like Spotify, Netflix, or Adobe Photoshop. But what you may not know is that cybercriminals have hopped aboard the SaaS train, too, selling fully operational malware to malicious actors. There was a time when a would-be hacker might be deterred by a simple lack of technical knowledge. These days, even an attacker with very little in the way of coding or networking know-how can simply purchase a fully operational malware suite and commit sophisticated cyber crimes.

Storm is one such example, according to Varonis, and its pricing system reflects the sort of business savvy you’d expect from a legitimate software company, not from a black market cyber-weapons dealer. A week-long demo version of the suite is $300, while a monthly subscription is $900. There’s even an enterprise subscription for $1,800 a month, which authorizes up to 100 operators. But unlike normal subscriptions, Storm will keep harvesting data from compromised sessions even after a subscriber fails to pay their bill. It’s not clear whether the subscriber still gets the looted data collected after their payment lapses.

That kind of accessibility means that a threat like Storm can scale quickly, as threat actors rush to purchase it before browser developers can patch the vulnerabilities it exploits. Concerned Windows users can take some steps to reduce risk. Because Storm can easily bypass 2FA, enable passkeys on all accounts that support them. You should still use 2FA everywhere else. Be on the lookout for logins from strange locations, attempts to change your passwords, and other signs that you’ve been hacked.