{"id":15992,"date":"2026-03-23T11:51:55","date_gmt":"2026-03-23T11:51:55","guid":{"rendered":"https:\/\/newestek.com\/?p=15992"},"modified":"2026-03-23T11:51:55","modified_gmt":"2026-03-23T11:51:55","slug":"chrome-abe-bypass-discovered-new-voidstealer-malware-steals-passwords-and-cookies","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15992","title":{"rendered":"Chrome ABE bypass discovered: New VoidStealer malware steals passwords and cookies"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>A new infostealer is bypassing Chrome\u2019s Application-Bound Encryption (<a href=\"https:\/\/security.googleblog.com\/2024\/07\/improving-security-of-chrome-cookies-on.html\" target=\"_blank\" rel=\"noreferrer noopener\">ABE<\/a>), using a debugger-based technique researchers say hasn\u2019t been seen in the wild before.<\/p>\n<p>Called \u201cVoidStealer,\u201d the stealer seems to have found a way around ABE, introduced in Chrome 127 in 2024, a security control aimed at locking sensitive browser data like passwords and cookies behind tighter encryption, tying decryption to a privileged system service.<\/p>\n<p>While ABE bypasses have existed before, through techniques that involved code injection into Chrome, abusing the COM\/elevation service, and remote debugging, almost all of them required admin privileges.<\/p>\n<p>Vojt\u011bch Krejsa, the threat researcher at Gen who first flagged the stealer, calls VoidStealer\u2019s bypass non-noisy. 
\u201cThe bypass requires neither privilege escalation nor code injection, making it a stealthier approach compared to alternative ABE bypass methods,\u201d he said in a blog <a href=\"https:\/\/www.gendigital.com\/blog\/insights\/research\/voidstealer-abe-bypass\" target=\"_blank\" rel=\"noreferrer noopener\">post<\/a>.<\/p>\n<h2 class=\"wp-block-heading\" id=\"chasing-the-master-key\">Chasing the master key<\/h2>\n<p>An ABE bypass revolves around a critical piece of material, the \u201cv20_master_key.\u201d This key is what ultimately unlocks stored browser secrets, including cookies, passwords, and tokens, once the browser has verified the request. In theory, ABE keeps this key tightly guarded, ensuring it\u2019s never exposed in a way that malware can easily access.<\/p>\n<p>However, in practice, that key still has to exist in plaintext at runtime, if only briefly, for Chrome to do its job.<\/p>\n<p>Earlier bypass techniques found ways to go after decryption, some relying on process injection that involved <a href=\"https:\/\/cyble.com\/blog\/dual-injection-undermines-chromes-encryption\" target=\"_blank\" rel=\"noreferrer noopener\">slipping malicious code<\/a> into Chrome to invoke a legitimate decryption routine. Others used memory dumping or <a href=\"https:\/\/www.elastic.co\/security-labs\/katz-and-mouse-game\" target=\"_blank\" rel=\"noreferrer noopener\">remote debugging<\/a>, scanning large chunks of process memory to locate decrypted data. More advanced approaches abused Chrome\u2019s elevation service or <a href=\"https:\/\/www.devoteam.com\/expert-view\/contournement-du-chiffrement-app-bound-sur-google-chrome-sans-droits-administrateurs\/\" target=\"_blank\" rel=\"noreferrer noopener\">COM<\/a> interfaces to trick the browser into handing over decrypted material.<\/p>\n<p>VoidStealer takes a more surgical route, Krejsa explained. Instead of forcing Chrome to decrypt data or scraping memory broadly, it attaches as a debugger and waits. 
By placing hardware breakpoints on a precise instruction tied to Chrome\u2019s decryption flow, it intercepts the exact moment the v20_master_key appears in plaintext in memory. It then reads the key using standard debugging APIs.<\/p>\n<p>VoidStealer uses hardware breakpoints because they don\u2019t modify code, Krejsa explained. Unlike software breakpoints, which can be detected, hardware ones rely on CPU registers, leaving code memory untouched and Chrome\u2019s normal execution unaltered.<\/p>\n<h2 class=\"wp-block-heading\" id=\"malware-with-many-tricks\">Malware with many tricks<\/h2>\n<p>VoidStealer is part of a broader shift in how infostealers are evolving post-ABE. The malware already supports multiple bypass techniques, falling back to older injection-based methods if needed, but clearly prioritizing stealth where possible.<\/p>\n<p>Krejsa also warned of its development pace. Since first appearing in December 2025, the malware has gone through versions quickly, suggesting active maintenance and likely customer demand in underground markets. The malware, which runs a <a href=\"https:\/\/www.csoonline.com\/article\/4135843\/new-arkanix-stealer-blends-rapid-python-harvesting-with-stealthier-c-payloads.html\">MaaS<\/a> model, has undergone a total of 12 iterations so far, with the latest version \u201cv2.1\u201d rolled out on Mar 18, 2026.<\/p>\n<p>Because VoidStealer avoids <a href=\"https:\/\/www.csoonline.com\/article\/4145123\/clickfix-techniques-evolve-in-new-infostealer-campaigns.html\">injection<\/a> and privilege escalation, traditional indicators could fall short, Krejsa noted. 
He said defenders must focus on behavioral signals, including unexpected debugger attachments to browser processes, unusual use of memory-reading APIs, and anomalous Chrome process spawning patterns.<\/p>\n<p>As a primary indicator of compromise (IoC), the researcher shared a sample linked to VoidStealer v2.0.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>A new infostealer is bypassing Chrome\u2019s Application-Bound Encryption (ABE), using a debugger-based technique researchers say hasn\u2019t been seen in the wild before. Called \u201cVoidStealer,\u201d the stealer seems to have found a way around ABE, introduced in Chrome 127 in 2024, a security control aimed at locking sensitive browser data like passwords and cookies behind tighter encryption, tying decryption to a privileged system service. While ABE&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=15992\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15992","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light 
is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15992","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15992"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15992\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15992"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15992"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15992"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}