StormStealer
STORM - Stealer, developed by a team of professionals for the best users. The project is designed for maximum user convenience, fast and efficient operation, and, most importantly, secure operation.
Each build is compiled on a real Windows Server system, and each new build is a unique assembly. The Stealer build is written in C++ without using standard libraries!
Microsoft Visual C++ (msbuild) is used for compilation.
Build time is 1 to 3 minutes.
The build size is 460 KB at the time of writing, with all protections and obfuscations.
It runs on Windows.
The build is delivered to the control panel in an encrypted archive along with the archive password. After compilation, the build is available for download in the control panel for 7 days.
If the build is uploaded without encryption to VT or other scanners, the account will be permanently banned without the possibility of a refund or log recovery! Administrators have special tools to track leaks.
A prefix is required for Stealer to operate. You can order them from a reseller or add them yourself. To do this, purchase a VPS (Ubuntu) and add your login details (SSH) and SSH port in the Bridges tab of the control panel so that the system automatically connects your VPS to STORM servers.
Build features:
Dynamic browser collection.
Unlike many browser stealers that use rigidly defined lists of browsers and constantly require updates when new versions are released, Storm uses an intelligent dynamic search: the module automatically detects installed browsers by scanning the system for key markers common to all Chromium- and Gecko-based browsers. The module finds not only standard installations, but also portable versions of browsers, as well as overlay applications using the Chromium engine. Thanks to this approach, Storm collects from virtually any browser without adding it to the configuration.
Server-Side Browser Processing.
Unlike all existing browser stealers on the market, Storm does not perform any SQL queries within the system, avoiding the use of sqlite and nss libraries. Instead, Storm exports all browser files as is, and all processing (parsing and decryption) occurs server-side. The module automatically detects the encryption type, extracts the corresponding master key, and uses it to process the data. App-Bound Encryption uses its own shellcode, which obtains the key via built-in Windows functions. This allows it to work with the latest browser versions. All encryption types used by Chromium browsers of various versions are supported: classic DPAPI, AES-GCM (from v80+), and the new App-Bound Encryption (ABE).
Important: All decryption occurs on the server. The build only extracts the master key and sends it along with the encrypted data.
Databases are never opened on the victim's computer, which minimizes suspicious activity and reduces the risk of detection.
Collected data: Browser history, Form autofill, Cookies (including session cookies), Google account tokens (Chromium-based browsers only), Credit card data, Passwords.
Data collection from Gecko-based browsers (Server-Side).
Firefox and other Gecko-based browsers use a completely different data storage architecture and encryption system. Storm is fully adapted to this specificity and correctly collects all the necessary files for subsequent password decryption on the server-side. The module automatically detects the browser name (Firefox, Waterfox, Pale Moon, and others) and collects all the files necessary for decryption on the server. Collection from all user profiles is supported, including additional profiles.
Browser Extensions for Cryptocurrency Wallets and Password Managers.
A universal module for collecting cryptocurrency wallets and password managers installed as browser extensions. The list of wallets is fully customizable through the control panel - you can add any extension not included by default in a couple of clicks. Changes are applied instantly, without the need to rebuild the build.
Cryptocurrency Wallet Collection.
A powerful module for collecting desktop cryptocurrency wallet applications.
Fully customizable through the control panel - you can add any wallet by specifying the path to its data directory. Environment variable expansion is supported, making the configuration universal for different systems. The module uses a flexible file mask system to filter the collected data - you can specify which files to collect and which to exclude. It is possible to set a file size limit for optimization.
File Grabber
One of the most flexible and powerful Storm modules. Allows you to collect any files from any system directory using customizable rules. Each rule contains a search path, file masks to include, masks to exclude, and a file size limit. The module supports complex search rules with varying levels of nesting. Duplicate collection protection is built in: the paths of scanned files are cached, preventing duplicate files from being sent even if the configuration is incorrect. Nothing is dropped to disk when the grabber is running; file collection occurs entirely in RAM. All files are compressed before sending to minimize network traffic. When configuring the build, it is recommended to use the default settings.
Messenger collection.
The stealer supports collecting popular messengers, such as Session, Telegram, Pidgin, Signal, and others. The module supports various search modes for collecting not only the standard client but also client mods. Storm's advantage is that it will find any messenger installed on the system, not just in the default location. The module also supports collecting all messengers installed on the system, not just one. For example, it will collect Telegram and AyuGram (or other modified clients).
Discord Tokens:
Discord stores access tokens in various locations: browser local storage, IndexedDB, and other storage. Storm searches for tokens in all possible sources, ensuring maximum coverage. The module scans browser profile directories and the Discord application, extracting tokens from all found sources.
Types of Discord tokens collected:
- Basic tokens
- MFA tokens
- Encrypted tokens.
Screenshot:
The module captures the current desktop state in high quality.
It uses an optimized GDI API to create screenshots, supports multi-display configurations (captures all connected monitors),
and saves the image in JPEG format with optimal compression to minimize file size without losing quality.
The image is created entirely in memory and sent to the server without saving to disk, eliminating file system artifacts.
System Information.
The module collects detailed system information to create a complete machine profile. All data is collected in memory and sent to the server without saving to disk.
Collected data:
- OS version
- Processor architecture
- Processor information (number of cores | number of threads)
- RAM (in megabytes)
- Display information
- GPU information
- Network adapters (IP address, adapter name, MAC address, gateway, adapter type)
- Launch method information (Launch Mode: Disk / Memory, file path if launched from disk)
All data is sent to the server to create a system profile and is also processed on the server (Server-Side Processing)
Loader
A functional non-resident loader for loading and executing additional files. The loader configuration is fully configurable through the panel and can contain up to 10 files to be loaded.
Each file has a download URL, a path to save to disk, and a file type (exe, dll, ps1). The module saves files to disk using NtAPI and executes them. For .exe files, CreateProcessW is used with the CREATE_NO_WINDOW flag for silent launch.
For .dll files, LoadLibraryW is used for standard library loading. For .ps1 files, PowerShell is used with the -exec bypass parameter to bypass script execution policies. The module supports the expansion of environment variables in paths (e.g., %TEMP%, %APPDATA%) and automatic directory creation if necessary. All files are saved to disk before execution.
Admin panel functionality:
Screenshot: ibb.co/0yDtvQ8K
Build control panel for adding space for the build, creating and configuring builds.
Here you can configure the grabber, loader, and enable/disable the collection of Discord, Session, Signal, Telegram, and others.
Screenshots: ibb.co/d02k1pbj, ibb.co/WWG84VsM
Shim control panel for adding shims. You can add a shim yourself or order one from a reseller.
Screenshot: ibb.co/JjPD4kP2u
Domain Detect for log labels. You can add your own list of links by pasting a ready-made list; links should be separated by commas or indented on a new line.
Screenshots: ibb.co/gZmVPjGv, ibb.co/ZR68wv3q, ibb.co/nszSJkB
Cookie Restore for restoring live Google cookies and Access Tokens using Google Refresh Tokens. To access your Google account, you must use the same SOCKS5 proxy used for restoration.
Screenshots: ibb.co/bTp0cDN, ibb.co/v4xG69tR
Team Command functionality for creating worker accounts and setting access rights. You can specify who can download logs, who can download the build, etc.
If a worker leaks a build to VT or other scanners, the entire account, including the license, will be banned, with no refunds or log recovery options!
Screenshot: ibb.co/zVws6dkS
The API for commands has not yet been implemented.
Cryptography is required; the build will not work in its pure form!
After the subscription ends, all logs remain in the panel and will be available after the plan is renewed, but builds will continue to work after the license expires. (If you forget to renew your license, the leak will be saved, but the logs will only be downloadable after the license is renewed - the exception is cases where the client was unable to download the logs due to the service's fault.)
Leaking to VT and similar services will result in a permanent ban!
The product does not and will not work in Russia/CIS!
Plans and prices:
| Term | Price | Description | Title |
|---|---|---|---|
| 7 days | 300 USD | Weekly demo (does not include technical support, Q&A only) | Demo |
| 30 days | 900 USD | Standard license for 1 month (includes standard technical support - assistance with all aspects) | Standard |
| 30 days | 1800 USD | The Team license includes 100 team seats and 200 build seats. | Team |
Contacts:
stormstealer@exploit.im