TL;DR: A new infostealer called Storm, surfacing on cybercrime markets in early 2026, marks a dangerous evolution in credential theft. For under $1,000 per month, operators get malware that harvests browser passwords, session cookies, and crypto wallets, then ships the encrypted loot to the attacker's own infrastructure for server-side decryption, removing the telemetry most endpoint tools rely on to catch credential theft. The stolen prize is often not the password but the session cookie, which can let an attacker bypass MFA entirely by resuming an already-authenticated session. Per Constella's 2026 research, infostealers processed 51.7 million packages in 2025, up 72% year over year, and the average time from a personal-device infection to an enterprise breach is roughly 7 days. For NC small businesses, the lesson is that MFA alone is no longer sufficient; you need session protection, managed detection, and rapid response.
Key takeaway: Your employees' MFA can be perfect and your business can still be breached if a session cookie is stolen from an infected device. The 2026-grade defense is conditional access that ties sessions to device and location, short session lifetimes, managed EDR, dark-web credential monitoring, and a 7-day-or-faster response loop, because that is the window attackers are working in.
Think MFA alone has you covered? Preferred Data Corporation has protected North Carolina small businesses since 1987. Call (336) 886-3282 or request an identity-threat assessment. We serve the Piedmont Triad, Charlotte, and Raleigh metros.
What is the Storm infostealer and why is it different?
Storm is an information-stealing malware offered as a service that appeared on underground markets in early 2026. Per BleepingComputer's reporting, it represents a shift in how credential theft works:
- It harvests browser credentials, session cookies, and crypto wallets
- Instead of decrypting stolen data on the victim's machine, it ships encrypted files to the attacker's own server and decrypts there
- This server-side decryption removes the telemetry that most endpoint tools watch for to catch credential theft
- It is sold for under $1,000 per month, putting it within reach of low-skill criminals
The "quiet" design is the point: by not decrypting locally, Storm avoids the behaviors that traditional defenses flag. That makes behavioral managed detection and identity-layer controls, not just endpoint signatures, the difference between caught and breached.
Why do stolen session cookies bypass MFA?
Multi-factor authentication protects the login step. A session cookie (or token) is what the application issues after a successful login so you do not have to re-authenticate on every click. If an attacker steals that cookie, they can import it into their own browser and resume your authenticated session without ever logging in, which means they never face the MFA prompt.
The scale of the problem, per Constella's 2026 Identity Breach research:
- Infostealers processed 51.7 million packages in 2025, a 72% year-over-year increase
- These packages are dangerous specifically because they contain live session cookies that bypass MFA
- The timeline from a personal device infection to an enterprise breach averages about 7 days
As Constella has also noted, even browser-level fixes for cookie theft do not close the whole gap, because stolen tokens remain valid until the session expires or is revoked.
How does an infostealer reach an NC small business?
The chain usually starts off your network, on a personal or lightly managed device:
| Step | What happens | Where SMBs can break the chain |
|---|---|---|
| 1. Infection | Employee runs a malicious download, often on a home or BYOD device | EDR, controlled installs, BYOD policy |
| 2. Harvest | Storm collects saved passwords and live session cookies | Don't store credentials in browsers; managed password vault |
| 3. Exfiltration | Encrypted loot ships to attacker infrastructure for server-side decryption | Network monitoring, managed detection |
| 4. Sale | Credentials and cookies hit dark-web markets, often within days | Dark-web credential monitoring |
| 5. Access | Attacker replays the cookie to bypass MFA and enter your systems | Conditional access, short session lifetimes, anomaly detection |
| 6. Breach | Lateral movement, data theft, or ransomware, often within ~7 days | Segmentation, least privilege, rapid response |
The encouraging part: most of these steps are defensible, but only with identity-layer controls and managed monitoring, not MFA alone.
What should NC small businesses do to defend against session theft?
A practical defense stack for an NC SMB with 10-200 employees:
- Deploy managed EDR with behavioral detection so quiet infostealers are caught by behavior, not signatures.
- Tighten conditional access. Tie sessions to compliant, managed devices and expected locations so a stolen cookie replayed from an unknown device is blocked.
- Shorten session lifetimes for sensitive applications so a stolen token expires fast.
- Stop storing passwords in browsers. Move staff to a managed password manager so the browser vault is not the jackpot.
- Enable phishing-resistant MFA (passkeys / FIDO2) where possible, which resists more of the attack chain than SMS or push.
- Add dark-web credential monitoring so you learn your credentials are for sale before the attacker uses them.
- Build a 7-day response loop. Detect, revoke sessions, force re-authentication, and rotate credentials faster than the attacker's typical window.
For most NC SMBs, the single biggest upgrade is conditional access plus managed detection, because together they neutralize the replayed-cookie attack that defeats MFA on its own.
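To show what "conditional access plus short session lifetimes plus a revoke-and-reauthenticate loop" looks like server-side, here is an added Python example (not code from this post or from Preferred Data Corporation): a session table that binds each cookie to the device fingerprint and coarse location seen at login, expires it on a short absolute and idle timer, and revokes every session for a user as the response step. The device identifier and country are assumed inputs supplied by device management and a GeoIP lookup at the edge.

```python
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    device_fp: str     # SHA-256 of the managed-device identifier (assumed input)
    country: str       # coarse location at login (assumed GeoIP input)
    issued_at: float
    last_seen: float
    revoked: bool = False


class SessionStore:
    """Server-side session table with device/location binding and short lifetimes."""

    def __init__(self, max_age_s=3600, idle_s=900):
        self.max_age_s = max_age_s   # absolute lifetime of a cookie, in seconds
        self.idle_s = idle_s         # idle timeout, in seconds
        self.sessions = {}           # token -> Session
        self.alerts = []             # detection events for managed response

    def login(self, user, device_id, country, now):
        # Called only after password + MFA succeed; MFA never runs again for this cookie,
        # which is exactly why the cookie must be bound to where it was issued.
        token = secrets.token_urlsafe(32)
        fp = hashlib.sha256(device_id.encode()).hexdigest()
        self.sessions[token] = Session(user, fp, country, now, now)
        return token

    def check(self, token, device_id, country, now):
        s = self.sessions.get(token)
        if s is None or s.revoked:
            return "deny:no-session"
        if now - s.issued_at > self.max_age_s or now - s.last_seen > self.idle_s:
            s.revoked = True                      # short lifetime: stolen token dies fast
            return "deny:expired"
        fp = hashlib.sha256(device_id.encode()).hexdigest()
        if fp != s.device_fp or country != s.country:
            # Cookie presented from a device/location it was never bound to: treat as replay,
            # kill the session so the legitimate user must re-authenticate, and raise an alert.
            s.revoked = True
            self.alerts.append(f"replay user={s.user} device_fp={fp[:8]} from={country}")
            return "deny:binding-mismatch"
        s.last_seen = now
        return "allow"

    def revoke_user(self, user):
        """Response-loop action: revoke every live session for a compromised user."""
        hit = [s for s in self.sessions.values() if s.user == user and not s.revoked]
        for s in hit:
            s.revoked = True
        return len(hit)
```

The alert list is the hand-off point to the managed detection team; in a real deployment the same mismatch would also trigger a credential rotation for the user.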
Why isn't MFA enough on its own anymore?
MFA is still essential (it stops the majority of password-only attacks), but it protects the wrong moment for this threat. Here is the gap:
| Control | What it protects | Stops session-cookie theft? |
|---|---|---|
| Password only | Little against modern attacks | No |
| MFA (SMS/push) | The login step | No, attacker resumes the post-login session |
| Phishing-resistant MFA (passkeys) | The login step, more robustly | Partially |
| Conditional access (device + location) | Where/how sessions can be used | Yes, blocks replay from unknown devices |
| Short session lifetimes | Window of a stolen token | Yes, limits exposure |
| Managed EDR + monitoring | The infected endpoint and anomalies | Yes, catches the theft and the replay |
The takeaway is not "MFA failed." It is "MFA is necessary but not sufficient," and the additions are the identity-layer controls above.
How does this connect to ransomware and cyber insurance?
Stolen sessions and credentials are a leading on-ramp to ransomware, and cyber insurers know it. Per 2026 cyber insurance requirement analysis, 96% of carriers now mandate enforced MFA, and EDR with 24/7 monitoring on every endpoint has become a baseline expectation, with a meaningful share of applications denied for inadequate endpoint protection. The same controls that defeat session theft (managed EDR, conditional access, and rapid response) are increasingly what keep your cyber insurance renewable and your premiums in check.
How does Preferred Data Corporation help NC small businesses?
We defend the identity layer where this threat actually plays out. We deploy and manage EDR with behavioral detection so quiet, server-side-decrypting infostealers are caught by what they do. We configure conditional access that binds sessions to managed devices and expected locations, shorten session lifetimes on sensitive apps, and move staff off browser-stored passwords to a managed vault. We enable phishing-resistant MFA where it fits, add dark-web credential monitoring so you get early warning, and run a managed response loop built to revoke sessions and rotate credentials inside the attacker's roughly 7-day window. Because we have served NC manufacturers and construction firms since 1987, we deploy these controls without breaking the daily workflows your team depends on.
Frequently Asked Questions
What is the Storm infostealer?
Storm is an information-stealing malware sold as a service that appeared on cybercrime markets in early 2026. It harvests browser credentials, session cookies, and crypto wallets, then ships the encrypted data to the attacker's own server for decryption. This server-side approach removes the telemetry most endpoint tools rely on to detect credential theft, and it sells for under $1,000 per month.
How does stealing a session cookie bypass MFA?
MFA protects the login step. A session cookie is issued after a successful login so the user stays signed in. If an attacker steals that cookie and imports it into their own browser, they resume the already-authenticated session without logging in again, so they never encounter the MFA prompt. This is why session theft defeats MFA on its own.
Is MFA still worth using if cookies can bypass it?
Absolutely. MFA still blocks the large majority of password-only attacks and is required by most cyber insurers. The point is that MFA is necessary but not sufficient against session theft. Add conditional access, short session lifetimes, managed EDR, and dark-web monitoring to close the gap.
How fast do attackers act after an infostealer infection?
Quickly. Constella's 2026 research puts the average timeline from a personal-device infection to an enterprise breach at roughly 7 days, and stolen data often reaches dark-web markets within days of theft. That short window is why small businesses need managed detection and a rapid response loop rather than periodic manual checks.
How can a North Carolina small business stop session-cookie theft?
Deploy managed EDR, enforce conditional access that ties sessions to managed devices and expected locations, shorten session lifetimes for sensitive apps, move staff off browser-stored passwords to a password manager, enable phishing-resistant MFA where possible, and add dark-web credential monitoring. A North Carolina managed security partner can implement and monitor all of these.
Why do infostealers evade traditional antivirus?
Modern infostealers like Storm are designed to be quiet. By decrypting stolen data on the attacker's server rather than the victim's machine, Storm avoids the local behaviors that signature-based antivirus watches for. Behavior-based endpoint detection and response (EDR) with managed monitoring is needed to catch the theft and the subsequent session replay.
About the author: Preferred Data Corporation has provided managed IT, AI transformation, and cybersecurity services to North Carolina small businesses since 1987. Based at 1208 Eastchester Drive, Suite 131, High Point, NC 27265, we serve manufacturers, construction firms, and professional services organizations across the Piedmont Triad, Charlotte, and Raleigh metros. Call (336) 886-3282 or request an identity-threat assessment.