- Joined
- 14 Apr 2026
- Messages
- 2
- Reaction score
- 0
- Points
- 1
STORM - is a Stiller developed by a team of professionals for the best consumers. The project is designed for maximum user convenience, fast and efficient, and most importantly safe operation.
Each build is compiled on a real Windows Server system, and each new build is a unique build. Stiller's build is written in C++ Without using standard libraries!Microsoft Visual C++ (msbuild) is used for compilation.
The build time is from 1 to 3 minutes.
The build weight is 460 kb at the time of writing this post, with all the protections and obfuscations.
It runs on Windows
The build is delivered to the panel in an encrypted archive along with the archive password. After compilation, the build is available for download in the dashboard for 7 days.
If the build is uploaded without a crypt to VT or other scanners, the account will be banned forever without the possibility to refund the money and restore the logs! Administrators have special tools for tracking drains.
Proxy server is required for the stiller to work. You can order them from a seller, or add them yourself. To do this, you need to buy a VPS (Ubuntu) and add the login details (ssh) and ssh port in the panel on the Bridges tab, so that the system automatically connects your VPS to the STORM servers.
Build functionality:
Dynamic browser grabbing
Unlike many stealers, which use hard-coded lists of browsers and constantly require updates when new versions become available, Storm uses intelligent dynamic search: The module automatically detects installed browsers by scanning the system for key markers common to all Chromium and Gecko-based browsers. The module finds not only standard installations, but also Portable versions of browsers, as well as overlay applications using the Chromium engine. Thanks to this approach, Storm builds almost any browser, without the need to add it to the config.
Server-Side Browser Processing
Unlike all existing stealers on the market, Storm does not make any SQL queries inside the system, avoiding the use of sqlite and nss libraries. Instead, Storm exports all browser files as is, and all processing (parsing and decryption) takes place on the server side. The module automatically detects the type of encryption, extracts the corresponding master key, and uses it to work with the data. App-Bound Encryption uses its own shellcode, which obtains the key through the built-in Windows functions. This allows you to work with the latest browser versions. All types of encryption used by Chromium browsers of different versions are supported.: classic DPAPI, AES-GCM (from v80+) and the new App-Bound Encryption (ABE).
Important: All decryption is done on the server. The build only extracts the master key and sends it along with the encrypted data.
Databases are never opened on the victim's computer, which minimizes suspicious activity and reduces the risk of detection.
Grabing data from Gecko-based browsers (Server-Side)
Firefox and other Gecko-based browsers use a completely different data storage architecture and encryption system. Storm is fully adapted to these specifics and correctly collects all the necessary files for subsequent decryption of passwords on the server side. The module automatically detects the browser name (Firefox, Waterfox, Pale Moon, and others), and collects all the files needed for decryption on the server. Collection from all user profiles is supported, including additional profiles.
Browser extensions for crypto wallets and Password Managers
A universal module for collecting cryptocurrency wallets and password managers installed as browser extensions. The list of wallets is fully configured via the control panel. You can add any extension that is not available by default in a couple of clicks. The changes are applied instantly, without the need to rebuild the build.
Grabbing Crypto Wallets
A powerful module for collecting desktop applications of cryptocurrency wallets.
Fully customizable via the dashboard - you can add any wallet by specifying the path to its data directory. The expansion of environment variables is supported, which makes the configuration universal for different systems. The module uses a flexible file mask system to filter the collected data. You can specify which files to collect and which to exclude. It is possible to set a file size limit for optimization.
File grabber
One of the most flexible and powerful Storm modules. Allows you to collect any files from any system directories according to custom rules. Each rule contains a search path, file masks to include, masks to exclude, and a file size limit. The module supports complex search rules with different levels of nesting. Built-in protection against duplicate collection - the paths of the read files are cached, which prevents duplicate files from being sent even if the configuration is incorrect. When the grabber is running, nothing is dropped to the disk - the files are assembled entirely in RAM. All files are compressed before sending to minimize network traffic. When configuring the build, it is suggested to use the basic settings.
Grabbing messengers
Stealer supports grab of well-known messengers such as Session, Telegram, Pidgin, Signal, etc. The module supports different search modes to collect not only a regular client, but also mod clients. The advantage of Storm is that it will find any messenger installed in the system, not just in the standard location. The module also supports the collection of all messengers installed in the system, not just one. For example, it will also collect Telegram + AyuGram (or other modified clients)
Discord Tokens
Discord stores access tokens in various locations: Local Storage of browsers, IndexedDB, and other repositories. Storm searches for tokens in all possible sources, which ensures maximum coverage. The module scans the directories of browser profiles and the Discord application, extracts tokens from all found sources.
Types of Discord Tokens grab:
- Basic tokens
- MFA tokens
- Encrypted tokens
Screenshot
The module captures the current desktop state in high quality.
Uses the optimized GDI API to create a screenshot, supports multi-display configurations (captures all connected monitors),
and saves the image in JPEG format with optimal compression to minimize the file size without loss of quality.
The image is created entirely in memory and sent to the server without saving to disk, which eliminates artifacts on the file system.
System information
The module grab detailed information about the system to create a complete machine profile. All data is collected in memory and sent to the server without saving to disk.
Collected data:
- OS version
- Processor architecture
- Processor information (number of cores|number of threads)
- The amount of RAM (in megabytes)
- Information about the display
- Information about the GPU
- Network adapters (IP address, adapter name, MAC address, gateway, adapter type)
- Information about the launch method (Launch Mode: Disk/Memory, file path if launched from disk)
Loader
A functional non-resident loader for uploading and executing additional files. The loader configuration is fully configurable via the panel and can contain up to 10 files to download.
Each file has a download URL, a path to save to disk, and a file type (exe, dll, ps1). The module saves files to disk using NtAPI, and executes them. For.exe files are used by CreateProcessW with the CREATE_NO_WINDOW flag for hidden launch.
For.dll files are used by LoadLibraryW for standard library loading. For.ps1 files are used by PowerShell with the -exec bypass option to bypass script execution policies. The module supports the expansion of environment variables in paths (for example, %TEMP%, %APPDATA%) and automatic creation of directories if necessary. All files are saved to disk before execution.
Functionality of the admin panel:
Screenshot: https://ibb.co/0yDtvQ8K
A build control panel for adding a place for a build, creating and configuring builds. Here you can set up grabber, loader, and enable/disable collecting Discord, Session, Signal, Telegram, etc.…
Screenshots: https://ibb.co/d02pbk1j, https://ibb.co/WWG84VsM
Gasket control panel for adding gaskets. You can add a gasket yourself or order from a seller.
Screenshots: https://ibb.co/JjPD4kP2у
Domain Detect for tags on logs. You can add your own list of links by inserting a ready-made list, the links should be separated by commas or indented on a new line.
Screenshots: https://ibb.co/gZmVPjGv, https://ibb.co/ZR68wv3q, https://ibb.co/nszSJkBS
Cookie Restore to restore live Google cookies and Access Tokens using Google Refresh tokens. To access the Google account, you must use the same SOCKS5 proxy that was used for recovery.
Screenshots: https://ibb.co/bTp0cDN, https://ibb.co/v4xG69tR
Team The functionality of teams for creating accounts for workers and granting access rights. You can specify who can download logs, who can download builds, etc.
If one of the workers uploads the build to VT or other scanners, the entire account with a non-refundable license and no way to restore logs will be banned!
Screenshot: https://ibb.co/zVws6dkS
The API for commands has not yet been implemented
The crypt is necessary, the build will not work in its pure form!
At the end of the subscription, all logs remain in the dashboard and will be available after the renewal of the tariff, but the builds will continue to work after the license expires.(If you forgot to renew the license, the
strait will remain, but the logs can only be downloaded after the license is renewed - the exceptions are cases when the client did not have time to download the logs due to the fault of the service)
For draining on VT and similar services, ban, ban forever!
The product does not knock on the RU/CIS and will not knock!
CONTACTS:
Linc Adapter
Each build is compiled on a real Windows Server system, and each new build is a unique build. Stiller's build is written in C++ Without using standard libraries!Microsoft Visual C++ (msbuild) is used for compilation.
The build time is from 1 to 3 minutes.
The build weight is 460 kb at the time of writing this post, with all the protections and obfuscations.
It runs on Windows
The build is delivered to the panel in an encrypted archive along with the archive password. After compilation, the build is available for download in the dashboard for 7 days. If the build is uploaded without a crypt to VT or other scanners, the account will be banned forever without the possibility to refund the money and restore the logs! Administrators have special tools for tracking drains. Proxy server is required for the stiller to work. You can order them from a seller, or add them yourself. To do this, you need to buy a VPS (Ubuntu) and add the login details (ssh) and ssh port in the panel on the Bridges tab, so that the system automatically connects your VPS to the STORM servers.Build functionality:
Dynamic browser grabbing
Unlike many stealers, which use hard-coded lists of browsers and constantly require updates when new versions become available, Storm uses intelligent dynamic search: The module automatically detects installed browsers by scanning the system for key markers common to all Chromium and Gecko-based browsers. The module finds not only standard installations, but also Portable versions of browsers, as well as overlay applications using the Chromium engine. Thanks to this approach, Storm builds almost any browser, without the need to add it to the config.
Server-Side Browser Processing
Unlike all existing stealers on the market, Storm does not make any SQL queries inside the system, avoiding the use of sqlite and nss libraries. Instead, Storm exports all browser files as is, and all processing (parsing and decryption) takes place on the server side. The module automatically detects the type of encryption, extracts the corresponding master key, and uses it to work with the data. App-Bound Encryption uses its own shellcode, which obtains the key through the built-in Windows functions. This allows you to work with the latest browser versions. All types of encryption used by Chromium browsers of different versions are supported.: classic DPAPI, AES-GCM (from v80+) and the new App-Bound Encryption (ABE).
Important: All decryption is done on the server. The build only extracts the master key and sends it along with the encrypted data.Databases are never opened on the victim's computer, which minimizes suspicious activity and reduces the risk of detection.
Grabing data from Gecko-based browsers (Server-Side)
Firefox and other Gecko-based browsers use a completely different data storage architecture and encryption system. Storm is fully adapted to these specifics and correctly collects all the necessary files for subsequent decryption of passwords on the server side. The module automatically detects the browser name (Firefox, Waterfox, Pale Moon, and others), and collects all the files needed for decryption on the server. Collection from all user profiles is supported, including additional profiles.
Browser extensions for crypto wallets and Password Managers
A universal module for collecting cryptocurrency wallets and password managers installed as browser extensions. The list of wallets is fully configured via the control panel. You can add any extension that is not available by default in a couple of clicks. The changes are applied instantly, without the need to rebuild the build.
Grabbing Crypto Wallets
A powerful module for collecting desktop applications of cryptocurrency wallets.
Fully customizable via the dashboard - you can add any wallet by specifying the path to its data directory. The expansion of environment variables is supported, which makes the configuration universal for different systems. The module uses a flexible file mask system to filter the collected data. You can specify which files to collect and which to exclude. It is possible to set a file size limit for optimization.
File grabber
One of the most flexible and powerful Storm modules. Allows you to collect any files from any system directories according to custom rules. Each rule contains a search path, file masks to include, masks to exclude, and a file size limit. The module supports complex search rules with different levels of nesting. Built-in protection against duplicate collection - the paths of the read files are cached, which prevents duplicate files from being sent even if the configuration is incorrect. When the grabber is running, nothing is dropped to the disk - the files are assembled entirely in RAM. All files are compressed before sending to minimize network traffic. When configuring the build, it is suggested to use the basic settings.
Grabbing messengers
Stealer supports grab of well-known messengers such as Session, Telegram, Pidgin, Signal, etc. The module supports different search modes to collect not only a regular client, but also mod clients. The advantage of Storm is that it will find any messenger installed in the system, not just in the standard location. The module also supports the collection of all messengers installed in the system, not just one. For example, it will also collect Telegram + AyuGram (or other modified clients)
Discord Tokens
Discord stores access tokens in various locations: Local Storage of browsers, IndexedDB, and other repositories. Storm searches for tokens in all possible sources, which ensures maximum coverage. The module scans the directories of browser profiles and the Discord application, extracts tokens from all found sources.
Types of Discord Tokens grab:
- Basic tokens
- MFA tokens
- Encrypted tokens
Screenshot
The module captures the current desktop state in high quality.
Uses the optimized GDI API to create a screenshot, supports multi-display configurations (captures all connected monitors),
and saves the image in JPEG format with optimal compression to minimize the file size without loss of quality.
The image is created entirely in memory and sent to the server without saving to disk, which eliminates artifacts on the file system.
System information
The module grab detailed information about the system to create a complete machine profile. All data is collected in memory and sent to the server without saving to disk.
Collected data:
- OS version
- Processor architecture
- Processor information (number of cores|number of threads)
- The amount of RAM (in megabytes)
- Information about the display
- Information about the GPU
- Network adapters (IP address, adapter name, MAC address, gateway, adapter type)
- Information about the launch method (Launch Mode: Disk/Memory, file path if launched from disk)
Loader
A functional non-resident loader for uploading and executing additional files. The loader configuration is fully configurable via the panel and can contain up to 10 files to download.
Each file has a download URL, a path to save to disk, and a file type (exe, dll, ps1). The module saves files to disk using NtAPI, and executes them. For.exe files are used by CreateProcessW with the CREATE_NO_WINDOW flag for hidden launch.
For.dll files are used by LoadLibraryW for standard library loading. For.ps1 files are used by PowerShell with the -exec bypass option to bypass script execution policies. The module supports the expansion of environment variables in paths (for example, %TEMP%, %APPDATA%) and automatic creation of directories if necessary. All files are saved to disk before execution.
Functionality of the admin panel:
Screenshot: https://ibb.co/0yDtvQ8K
A build control panel for adding a place for a build, creating and configuring builds. Here you can set up grabber, loader, and enable/disable collecting Discord, Session, Signal, Telegram, etc.…
Screenshots: https://ibb.co/d02pbk1j, https://ibb.co/WWG84VsM
Gasket control panel for adding gaskets. You can add a gasket yourself or order from a seller.
Screenshots: https://ibb.co/JjPD4kP2у
Domain Detect for tags on logs. You can add your own list of links by inserting a ready-made list, the links should be separated by commas or indented on a new line.
Screenshots: https://ibb.co/gZmVPjGv, https://ibb.co/ZR68wv3q, https://ibb.co/nszSJkBS
Cookie Restore to restore live Google cookies and Access Tokens using Google Refresh tokens. To access the Google account, you must use the same SOCKS5 proxy that was used for recovery.
Screenshots: https://ibb.co/bTp0cDN, https://ibb.co/v4xG69tR
Team The functionality of teams for creating accounts for workers and granting access rights. You can specify who can download logs, who can download builds, etc.
If one of the workers uploads the build to VT or other scanners, the entire account with a non-refundable license and no way to restore logs will be banned!
Screenshot: https://ibb.co/zVws6dkS
The API for commands has not yet been implemented
The crypt is necessary, the build will not work in its pure form!
At the end of the subscription, all logs remain in the dashboard and will be available after the renewal of the tariff, but the builds will continue to work after the license expires.(If you forgot to renew the license, the
strait will remain, but the logs can only be downloaded after the license is renewed - the exceptions are cases when the client did not have time to download the logs due to the fault of the service)
For draining on VT and similar services, ban, ban forever!
The product does not knock on the RU/CIS and will not knock!Period | Price | Description | Title |
| 30 days | 350 USD | Standard 1-month license (Includes standard technical support - assistance in all aspects) | Standart |
| 30 days | 700 USD | The team license for teams includes 100 places for teams and 200 places for builds | Team |
CONTACTS:
Linc Adapter